2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe
Size

64KB
MD5

8f7a12792b345b6ef4386aec0a4575a7
SHA1

a836218bc26f1a8da9547938f5f3bdad1be0537d
SHA256

2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856
SHA512

d27b595546379f9e18dc64a41947fbcc941a2d7d45cbbcbbb706eb4bb9c02352423935143f1f819529ff197f881061a15aa2a7520c155838bfa456b52fccf708
SSDEEP

768:RbZgdF17m+9jJjn9zmc6TBXNMlLLv/XTf36IF3wZZZdtz6bKJlqMqf/1H57XdnhI:ab9jhn956dOlnv/7qIFe9Jgvlnly5VP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckajehi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjlcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgdlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdeqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefioj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjjckag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfpcgpae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfngap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlnbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgdlq32.exe

Executes dropped EXE 64 IoCs

pid	Process
1876	Eepjpb32.exe
4948	Fljcmlfd.exe
4856	Fcckif32.exe
1036	Fdegandp.exe
1512	Fkopnh32.exe
2620	Ffddka32.exe
4028	Fdgdgnbm.exe
5068	Fkalchij.exe
3776	Fchddejl.exe
964	Fdialn32.exe
2736	Fkciihgg.exe
1788	Fckajehi.exe
1716	Fdlnbm32.exe
4036	Fkffog32.exe
3556	Ffkjlp32.exe
3116	Glebhjlg.exe
4816	Gododflk.exe
4160	Gfngap32.exe
1668	Ghlcnk32.exe
2576	Gcagkdba.exe
1304	Gfpcgpae.exe
2200	Gmjlcj32.exe
1360	Gbgdlq32.exe
3144	Gdeqhl32.exe
1660	Gkoiefmj.exe
4392	Gcfqfc32.exe
440	Gfembo32.exe
4944	Gicinj32.exe
692	Gdjjckag.exe
1864	Hmabdibj.exe
1228	Hopnqdan.exe
1348	Hckjacjg.exe
408	Helfik32.exe
1808	Hkfoeega.exe
4084	Hcmgfbhd.exe
2480	Hbpgbo32.exe
2672	Hijooifk.exe
4288	Hkikkeeo.exe
4632	Hcpclbfa.exe
4924	Hfnphn32.exe
4672	Himldi32.exe
4140	Hkkhqd32.exe
2948	Hcbpab32.exe
232	Hfqlnm32.exe
2600	Hioiji32.exe
3036	Hoiafcic.exe
3624	Hbgmcnhf.exe
4824	Iefioj32.exe
2840	Immapg32.exe
224	Ipknlb32.exe
1928	Ifefimom.exe
2156	Iicbehnq.exe
4480	Ikbnacmd.exe
3676	Icifbang.exe
1620	Ifgbnlmj.exe
4516	Imakkfdg.exe
2020	Ippggbck.exe
3528	Ickchq32.exe
1192	Ifjodl32.exe
3044	Ipbdmaah.exe
2016	Icnpmp32.exe
4484	Ieolehop.exe
740	Imfdff32.exe
3364	Ipdqba32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Gcagkdba.exe	Ghlcnk32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bkblkg32.dll	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Gododflk.exe	Glebhjlg.exe
File opened for modification	C:\Windows\SysWOW64\Hmabdibj.exe	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Hoiafcic.exe	Hioiji32.exe
File created	C:\Windows\SysWOW64\Jimekgff.exe	Jeaikh32.exe
File opened for modification	C:\Windows\SysWOW64\Fdialn32.exe	Fchddejl.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Dlkhie32.dll	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Jpppnp32.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Glebhjlg.exe	Ffkjlp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jmpgldhg.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Fkopnh32.exe	Fdegandp.exe
File created	C:\Windows\SysWOW64\Ippggbck.exe	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hoiafcic.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Icifbang.exe	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Ncbhll32.dll	Hkikkeeo.exe
File opened for modification	C:\Windows\SysWOW64\Ffkjlp32.exe	Fkffog32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nhdlom32.dll	Ffkjlp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Hfnhlp32.dll	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Ghlcnk32.exe	Gfngap32.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ickchq32.exe	Ippggbck.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gdjjckag.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9140	8996	WerFault.exe	364

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll"	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjlcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlqgg32.dll"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll"	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaijinl.dll"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldhcm32.dll"	Iefioj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmann32.dll"	Gfngap32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1876	5076	2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe	86
PID 5076 wrote to memory of 1876	5076	2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe	86
PID 5076 wrote to memory of 1876	5076	2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe	86
PID 1876 wrote to memory of 4948	1876	Eepjpb32.exe	87
PID 1876 wrote to memory of 4948	1876	Eepjpb32.exe	87
PID 1876 wrote to memory of 4948	1876	Eepjpb32.exe	87
PID 4948 wrote to memory of 4856	4948	Fljcmlfd.exe	88
PID 4948 wrote to memory of 4856	4948	Fljcmlfd.exe	88
PID 4948 wrote to memory of 4856	4948	Fljcmlfd.exe	88
PID 4856 wrote to memory of 1036	4856	Fcckif32.exe	89
PID 4856 wrote to memory of 1036	4856	Fcckif32.exe	89
PID 4856 wrote to memory of 1036	4856	Fcckif32.exe	89
PID 1036 wrote to memory of 1512	1036	Fdegandp.exe	90
PID 1036 wrote to memory of 1512	1036	Fdegandp.exe	90
PID 1036 wrote to memory of 1512	1036	Fdegandp.exe	90
PID 1512 wrote to memory of 2620	1512	Fkopnh32.exe	91
PID 1512 wrote to memory of 2620	1512	Fkopnh32.exe	91
PID 1512 wrote to memory of 2620	1512	Fkopnh32.exe	91
PID 2620 wrote to memory of 4028	2620	Ffddka32.exe	92
PID 2620 wrote to memory of 4028	2620	Ffddka32.exe	92
PID 2620 wrote to memory of 4028	2620	Ffddka32.exe	92
PID 4028 wrote to memory of 5068	4028	Fdgdgnbm.exe	93
PID 4028 wrote to memory of 5068	4028	Fdgdgnbm.exe	93
PID 4028 wrote to memory of 5068	4028	Fdgdgnbm.exe	93
PID 5068 wrote to memory of 3776	5068	Fkalchij.exe	94
PID 5068 wrote to memory of 3776	5068	Fkalchij.exe	94
PID 5068 wrote to memory of 3776	5068	Fkalchij.exe	94
PID 3776 wrote to memory of 964	3776	Fchddejl.exe	95
PID 3776 wrote to memory of 964	3776	Fchddejl.exe	95
PID 3776 wrote to memory of 964	3776	Fchddejl.exe	95
PID 964 wrote to memory of 2736	964	Fdialn32.exe	96
PID 964 wrote to memory of 2736	964	Fdialn32.exe	96
PID 964 wrote to memory of 2736	964	Fdialn32.exe	96
PID 2736 wrote to memory of 1788	2736	Fkciihgg.exe	97
PID 2736 wrote to memory of 1788	2736	Fkciihgg.exe	97
PID 2736 wrote to memory of 1788	2736	Fkciihgg.exe	97
PID 1788 wrote to memory of 1716	1788	Fckajehi.exe	98
PID 1788 wrote to memory of 1716	1788	Fckajehi.exe	98
PID 1788 wrote to memory of 1716	1788	Fckajehi.exe	98
PID 1716 wrote to memory of 4036	1716	Fdlnbm32.exe	99
PID 1716 wrote to memory of 4036	1716	Fdlnbm32.exe	99
PID 1716 wrote to memory of 4036	1716	Fdlnbm32.exe	99
PID 4036 wrote to memory of 3556	4036	Fkffog32.exe	100
PID 4036 wrote to memory of 3556	4036	Fkffog32.exe	100
PID 4036 wrote to memory of 3556	4036	Fkffog32.exe	100
PID 3556 wrote to memory of 3116	3556	Ffkjlp32.exe	101
PID 3556 wrote to memory of 3116	3556	Ffkjlp32.exe	101
PID 3556 wrote to memory of 3116	3556	Ffkjlp32.exe	101
PID 3116 wrote to memory of 4816	3116	Glebhjlg.exe	102
PID 3116 wrote to memory of 4816	3116	Glebhjlg.exe	102
PID 3116 wrote to memory of 4816	3116	Glebhjlg.exe	102
PID 4816 wrote to memory of 4160	4816	Gododflk.exe	103
PID 4816 wrote to memory of 4160	4816	Gododflk.exe	103
PID 4816 wrote to memory of 4160	4816	Gododflk.exe	103
PID 4160 wrote to memory of 1668	4160	Gfngap32.exe	105
PID 4160 wrote to memory of 1668	4160	Gfngap32.exe	105
PID 4160 wrote to memory of 1668	4160	Gfngap32.exe	105
PID 1668 wrote to memory of 2576	1668	Ghlcnk32.exe	106
PID 1668 wrote to memory of 2576	1668	Ghlcnk32.exe	106
PID 1668 wrote to memory of 2576	1668	Ghlcnk32.exe	106
PID 2576 wrote to memory of 1304	2576	Gcagkdba.exe	107
PID 2576 wrote to memory of 1304	2576	Gcagkdba.exe	107
PID 2576 wrote to memory of 1304	2576	Gcagkdba.exe	107
PID 1304 wrote to memory of 2200	1304	Gfpcgpae.exe	109

C:\Users\Admin\AppData\Local\Temp\2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe
"C:\Users\Admin\AppData\Local\Temp\2e126c9b90a748297a4eff58c8357cc3b140d6efbf1f2e4e581c492121389856.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Eepjpb32.exe
  C:\Windows\system32\Eepjpb32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\Fljcmlfd.exe
    C:\Windows\system32\Fljcmlfd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\Fcckif32.exe
      C:\Windows\system32\Fcckif32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        26⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        28⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        29⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        36⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        37⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        38⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        41⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        42⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        44⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        45⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        51⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        52⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        53⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        55⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        56⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        59⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        60⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        61⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        63⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        66⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        68⤵
        
        PID:516
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        69⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        71⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        72⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        73⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        74⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        75⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        76⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        78⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        80⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        81⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        82⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        84⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        86⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        90⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        91⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        92⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        94⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        95⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        96⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        97⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        98⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        100⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        101⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        102⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        105⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        106⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        107⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        108⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        109⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        110⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        112⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        113⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        116⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        117⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        118⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        120⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        121⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        122⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        123⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        124⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        125⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        126⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        129⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        131⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        132⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        133⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        135⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        136⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        137⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        138⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        139⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        141⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        143⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        144⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        145⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        146⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        147⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        148⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        149⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        151⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        152⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        154⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        155⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        157⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        158⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        159⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        160⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        161⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        162⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        164⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        166⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        168⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        169⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        170⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        171⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        173⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        174⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        176⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        177⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        178⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        179⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        180⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        182⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        183⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        184⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        185⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        186⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        189⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        190⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        191⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        192⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        194⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        197⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        199⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        200⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        201⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        202⤵
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7288
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        204⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        205⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7448
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        207⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7540
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        209⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        210⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        211⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        212⤵
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        213⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        214⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        215⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        216⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        217⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        218⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        219⤵
        Drops file in System32 directory
        
        PID:8072
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        220⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        221⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        222⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        224⤵
        Drops file in System32 directory
        
        PID:7352
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7548
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        227⤵
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        228⤵
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7948
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        231⤵
        Drops file in System32 directory
        
        PID:7484
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        232⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        233⤵
        Drops file in System32 directory
        
        PID:7804
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        234⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        236⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        237⤵
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        238⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        240⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        242⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        243⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        244⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        245⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        246⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        247⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7500
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        249⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        250⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        251⤵
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        253⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        254⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8272
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        256⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        257⤵
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        258⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        259⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        260⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8492
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        261⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        263⤵
        Modifies registry class
        
        PID:8608
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        264⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8692
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        266⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        267⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        268⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        269⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        270⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        271⤵
        Modifies registry class
        
        PID:8948
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        272⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8996 -s 396
        273⤵
        Program crash
        
        PID:9140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8996 -ip 8996
1⤵
PID:9076

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
64KB

MD5
b2fe252a6d782826a6a1ca7566e25405

SHA1
4454ee5703fc805555bff8f9c7a539d27693a499

SHA256
ec3920c32609ba34c0e0dbcea4648fe9c9289568f09e08f604f8216b45fe6df1

SHA512
d659dd9f18f260f17c3116d3d69980555b37e50812a439705f02db87d71e029bd16d21a7638f787f7f5dd0242d38a1215b7184ffd2d17ebebef95c34ea526c46

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
64KB

MD5
c3e98514f2f253919e26870cac487836

SHA1
2d04ab1181df00a24d35aca0669bbbaceef66b72

SHA256
e56a3e9cf8f031c6860cfc1698cdc754d01a078ffd56e114f1106d54b53544c6

SHA512
efea883739732f36d7effb810416b50a765725ba6ce9c373f0b7630c80cf0c7ab270e9fc2c82ca85d4d2c19b1bc7a9f81febe579fe79399d35c15feae3de44d1

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
64KB

MD5
4ba1fd3ca7de236bb9ccff8720a735e9

SHA1
6a975d9c09a09c281408dc1390ab35ef13752c08

SHA256
c76f3e2d7d202e799d67bd500bf72fb698a29488e067c6e6cfa59271f0136402

SHA512
6f2b3f684a981de0c3701f82eee516522ba40be3c168f6e5f58906823293f65ff4925e63c9956b19b2f3d4d91391eba24bd04efcab6b84ad5d3c0e9c8ae6d928

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
64KB

MD5
6406db32c52aa95a846d3284829ad2eb

SHA1
fdd7a83ec70d685b29559c8c02e055293d633403

SHA256
436e141b55d0d953aa927c47575ce4876f82cc7114f24955ef19580fc117fbf5

SHA512
f1a05b238d55d3982917f48fd459d8c82b664d6d9a3f9bea30abcf378f694659193f52210490b5d9ffa75ab6542b38baa70297959cfde6219ce2dcc8f48d8f73

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
64KB

MD5
47f678b900f37c081a41ecbeb500e010

SHA1
d1abb0a043f5a0dd0952603fb38c1de65c4ef0dc

SHA256
25992087465582fba6cc5b400f65e5f125e5870fd96cd9b2efdcfac9049c0c6e

SHA512
88b4917ff9d98c1d27bee185f9054d96f9df5562c2e638fe48035ce5e779f7bc5a7b47b759fd81f3d8fd1d9d06eff99d6e9e62f7fc1412a4f20541a68385d21e

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
64KB

MD5
18cf0e49ed4aeee42951c65a8df72ef3

SHA1
e65fa3eeee4271f0ad66fbf333493bfda1e20033

SHA256
fa58e29ef3af6642c60d45bbcb7ed208646e9d921e20a79173454a8282517210

SHA512
8686b6e76380dba0419dcf2db02e1beaab93d0e867967baa2bde5690d6cbfbb884c909dcf5809e98dad4f97cb7e504146b14b0dfaba938c2c080494d968b2e85

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
64KB

MD5
5428635ccca6d2cd666850cd5f022124

SHA1
f9201fe66052eb518cc28f447d8780fd972acf2b

SHA256
f1a1d934defec05cc9f3399c6526358f3c939e84c8d76628b40f94c9460fece4

SHA512
490cb1734c07431122791e5e8cbbdcf4f7fc48a6be11a698465ba8c6a55ec92c9d3265636e7239e266b68178831f0e337ba25caef60dff4db69cbedc66be5216

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
64KB

MD5
1257ff4fbbe1a7518225310d3253b3e8

SHA1
ff47d766752c0832acb5fa450876bc5844cdcd64

SHA256
4f1b07c3322ae13cf00875b9cf2a6d9174d504a04314a9bbf34e23ecbba1ce4b

SHA512
9defd6d87eb87d67cabffc11cafebd84a4768f5b9966e8486958dd7c18fbf594fb59815b1354160652a3b6d510e2879b1fddd7b35d5a463a62b9af895a632b47

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
64KB

MD5
bcc9e639541c38cc70d21d14a3fc3d2d

SHA1
56ec71675d138c083fb096e83a4081fdb917f421

SHA256
a90f0c63e475b531776e15fc101df204927c06d0e8e6222b2d2103dcc900ad2d

SHA512
bee6a2721c1d4399650639c91ea01195d8ff746260388c6aabbeed760ffba4d795a436f8528abe5f45b5241c54999e1dbc4b7928d4bf990d04d735480973b87f

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
64KB

MD5
2d05deedd455ceb6f686a10fa93e8e19

SHA1
dffe6ba3350765510092e7634e990c23e740607b

SHA256
bb29a67323bcb03ad56e82a30a113d73d620e90c2e682ef7f498034d7371ec6c

SHA512
463db9729d88dfdc820679f19b865ee65e9ea721a83e819d6818cf84e2aff199dc1420e5484e9919d9d09edecb14161174679be667581161552b538804a368e6

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
64KB

MD5
99ca8dea95ae5803d12ac55d6a734af2

SHA1
c29aa336c38d4d3d0de679241d9dd60e2fd98628

SHA256
c69d2924fcc60fa9c08783308845d902f781f24556f680544d155928196f101c

SHA512
01d5b2decb80d246b0652f8d1fe581ef250a04bbb3882ac7f7be1f3a1f71c50cc9d4d0937ffcd6d9dbbbd2289630dc574d072276bf7129346db26ebb2b7c9857

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
64KB

MD5
8b99a946a9ab6eb5ce9a6de9afed1bde

SHA1
e46fe9ef5ad46e1753e22a85a532328675e0a7f6

SHA256
6cf8783a52349d814da2325488c6745ceaf77752aadf79e244be88c71486119f

SHA512
ecc5cd6cf029b93929ce9086074d6210c3a037ce3288ee63ace1ee3284549fdebef36a3652436a886b6e53b7a05a9e35e27072a1e0f6c3cf600ba0fb7dc17e65

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
64KB

MD5
f4d3606ed3cae0ba6c9d6c0065f10dfc

SHA1
c8fc85b6ee1783ada9bca17d3255879ed353d673

SHA256
c9fba2c8f9dd7b53583a98bb2a9cd8c72cbfd3a01e81fa423d0ff301d766c6c1

SHA512
575fb6ae7874a4206952c9438b00ccde48c6320d9b5bb0e97f07dd61f8019e2db96521827f4c9c049dc7dd58760076e9385f6527aaa8b69984ca1c763d4f4746

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
64KB

MD5
cb6a10486723e0078300c22a93a7603c

SHA1
cfffcde48a6215acce5f6463c02d4406a1c6b5d5

SHA256
1ae46b46244c8f35ddc3162aeea4d98031d58d91a8d84d21b7bede928c96e139

SHA512
84092b5f85136f8d4f63700560e430539a0946e650f2d50809e1bef11c5bd6b250538f170f5d8877d3fe589c6a0a0ed20b16188707ff764c88f6e1eaca45af60

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
64KB

MD5
e37efc3b8a323c08ca09aa7076051472

SHA1
8556463368689b55b929d1e1738fc263e3ba5dc5

SHA256
66608550655486a772cd33ff9d013d79be294a8741cb49d72309f45e43e94daf

SHA512
3a71d6fd4e1377bcec26f54c5b4d6b281b7b704b1b341c5c7b8d62df3c98193c5664c84d2fb46327ad7e03c458b9e539367466199f99942263b9059b0c78b559

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
64KB

MD5
11ba13aa4df2b7f7041594e91fbb40cc

SHA1
ea66748f5a803385a7ac25fe8d907ed4c02aa987

SHA256
0b21c68e38bd356888eb4ffb243228604a55f257443f58b3548a277be4da07b7

SHA512
a86664a8c603e826e380640e1fd5711d18e79b8540de5178e04e7b24c98296b669118930c98de288aff7fe619335dedd76cd5a616d9507d6ca98f2408f44cd5b

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
64KB

MD5
5848d4221a9f6eb2bad0c18fb96abc45

SHA1
233426ae8824a504e0e7f37905d2fe53994fcb99

SHA256
62a6f1b0ab7e83d8aa32c88cbd2b396b4beef64b93a74c2c9efdb656407a4c0e

SHA512
eeb41318705479e2bccbf39f9a871c61b29e61bc9ce9c036e4ae5ba2cb56cf7667bf24435bd9bba1fc4533950d6afc2be344b5d5658fc290a06c1370f23b07ed

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
64KB

MD5
67607d4cbd7eb15b053a45860a0e305c

SHA1
ba1b628c471757692628a4239842770ff8381145

SHA256
c70af4d7e3944ef6c0779a48ea06ceb479dbb74c047833e6dcfe6d722d7247d4

SHA512
6c044ccf706e860af4f6ce1c86569e60dc3803243238dfbbab351c9e23a0abb2033cbd1f48bec4f62692db48df93e413ec72658e8dfd9e380904db25750fe4e0

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
64KB

MD5
d47a90794bb715338739959d36e7a150

SHA1
99e69b9cab8215eecda58f82fc8da50980997959

SHA256
b0a029b75515994fd40fbc76a1e834f75294951b87d1336e2181c6bf95333309

SHA512
95bdb4a0ac795eb5d515b85e87230f89683b3666b034a6cf2d851dc85a21477ed5893f249dd0e34a05041cc30c0a54d9125db61cfd2e9b6c18525ea5697e9231

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
64KB

MD5
204f061efc055db24c087506fa8bbd2a

SHA1
2ed525f0caeff92fe87dd79a73317206de853b46

SHA256
c19baeaba8b2a17fd37d2d5ed6dab4d86f55249dddad05db9b1e35027bdef502

SHA512
1e9bb5629dc0ba7f43b0c747925a15f640843b7d755b3f6e9bcc59d40254cd7c1de1527bb8d54acb54bbe67956543817544e40d174147e93214c922891289d76

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
64KB

MD5
decb78e0c3163a18b83a681f580e3515

SHA1
7ae70a5c0045f440ec0d4d1252c1b997e408cca7

SHA256
ddf4642a0ae1a3435b9b2a9091c75a9d8678757e4c83eff588d4bfc8e022cf36

SHA512
ee0c69e40b9a964747b8c55c225a7fb7f0200fc5d597fa85ee4362533591aa637923cd60a13df391fec6cf7c7386123c174d657356cffcc8bab20c286af27eb7

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
64KB

MD5
58cb4e57211b5fe5616d1823a634edff

SHA1
613f0bb54986bea0ffa3db4623396630adbea1cd

SHA256
7785335c4f9a003e46d13bb6dda491a9cf144d08d48e4d3fcb0339125b59c644

SHA512
aa4585b5ab36c45abe5dda6e0e3172fa5b6495d42e9d18c5a7036bed0228e11fd36a6bf02ff845eb7145f9be241457e700fb34614231d6447dd9682c88dbd6e5

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
64KB

MD5
bc669f3f15febebcc8af9535d0b69d82

SHA1
541d13cd52f285ae26f65fc368e408eef5e60fc1

SHA256
bcbb76a1273797b7ad448552a32f02395e9327ad53e2a56773b85bbf403f7a79

SHA512
6338f38c2d3cc26e7ddc34fbba021125ce69afe47ea89464d0de34a9e93c98a4808704daf2a941069a23af2ee1fb61d479a0ee9a61a0ef83c11df510f4efa4fe

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
64KB

MD5
15d0343c610ba20d643f619610c99cd6

SHA1
7f325d67b274747f0582accd60af1943e85961a4

SHA256
cd10ee34010438c0785b747da2f207366032228aaa3e643f5e057a2274df7f67

SHA512
e3da08149e9f0fa473fc5fc17200e60ed35301ab4e1bde83acca5a87f0e33be572021e0d1ffe5ac58a05dcf02e5139fa4ba557be8cba0fcc8671d046be2d8bd3

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
64KB

MD5
5a24615daba97d22b3fc6a0f3039e8ac

SHA1
c57334af70589e894844de55cc2cff42a481dbd6

SHA256
bf60e83b0ed7c58a688784323c99e1a68d2e3e22a9921df2bb2a3cab1e06dc56

SHA512
ccaceef2a1d4b6212581b4f794354a25e591247cdd555963625b2c82a95e16a5baf7ed45e7db747d5dddef99372a673761493cf7afa164f9ddbb03fc58e04dd1

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
64KB

MD5
bcf1a00ab350b4fb077ea06a728e8b0d

SHA1
e630dd445cf4273a916d2eb2e52b5b292256f4d9

SHA256
212701b1bdc489c29ef49afb46d7404b08caf8855ef9340830aa0f777b1a9bae

SHA512
a51190e5815f0b19413122147b682af794b5e451ca8a05afc2924e6595be73e60f1438ba095f7cfe5038a5af10cd6d4a2d427ebc3f6321325c41c901f4c74f50

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
64KB

MD5
a51720d1ec10d9c1a86d87b2f54ee99e

SHA1
2d4d92b04b13e6e3cdf324d0880b99cb15a49e7f

SHA256
772c4d30232091bb6c6c82ba8d74aa1ce68eac92b1a5ae89be3cec9da7fb08ef

SHA512
ca1919b1769f426cc9da676a168795878e90b8297585291cc67b13fc335632c78e7f5ce59610589a7ab22990617f2df13e152c2e0ca18188cfc2e6ae6da61c61

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
64KB

MD5
4389904702a6310c2f1bb3cccd8840a4

SHA1
70fb3efcb8cb65ebfbc399fd28a47277928fc113

SHA256
dcb718b61f8d15e5cf5c09c830503cbdaeb23f8bf53e3048653251ee75160268

SHA512
be26ad38a84d3a550694e669bea4c4fa38c6052c4e7f27b6de300936b596a1b14b7a54a93dea8cb3003ce5b758503acf49f54df63a113a9c735cf7cc1539e38d

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
64KB

MD5
857374e718bc8711c482c3ba967c60c0

SHA1
0f904a392c366b6228fa5623d5fcc5fa3ed651d6

SHA256
a72fbfef13caae14f08936bba3122f4b1d0de0b76e13599af126e551c4eb3d94

SHA512
9be16e0a79d27152116df0af2f53fe6efe3cca673820998d8bcdd05c3a672fd22003e815331a26ea3c75ed6a541e15f7719f1109c9e01dbae908d9d6f36b682e

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
64KB

MD5
3b9dd5f32fe2306c5d4df1d58e39a50b

SHA1
b9c3e76e3d3bf10df7bb5b73974bdd445921d030

SHA256
45dcb820bb61c4cff712727726e8ebb63c26140f1711d942e76e0dc9a2889229

SHA512
ca5e0693c16b8723b5b4f0f107558ef4d9dad442e2394f4a514ca0217b1a0ef364a9676027c2801be954f54b0d40cb1a43db6c27f892a0389d263a4cb89bd30d

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
64KB

MD5
83dbdb89e85ffe308ee47d6d785fe041

SHA1
5cee3f2e09ad4b58d1746802e21adfd46be83006

SHA256
e53f5d6430d35c7c5400c8e3282d2bd1d573bfc6c093cb50d9d9dd8e20483e27

SHA512
e695ba91dbb8fb7ba16edffe5a18aae92e44e25e42eb8ee0e3d7b296b2a2ee492b73d7a1f2af4d7029998e61513c51ba4ef0e28bc133cccdd2d98c751233257f

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
64KB

MD5
22f8c9c4c9f6b45c68e8ca63ddcdafb3

SHA1
d906c6c81a85b6c96c7aadbfa76e58950494189a

SHA256
fc04eb156de07904bb04698b3de393d5e92a6e38e54a859b0f08640280a98220

SHA512
63c376ff9ccd8f450f8d9956cc4b1c2adb0e5c72d48dd24677e974b995b10cbcf160e61e549b0fdd0c19d250d28287754c98eb189576812bc5149fa96b903de8

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
64KB

MD5
4b669bf2394473bd2b339022163bc9ae

SHA1
03fa2c55c98766fea8df4de3303bf7350c130220

SHA256
b33f5082317ba712fddbc1195911d7dcf6d7241d0c378b117e9ac755eea3e8cf

SHA512
8274284a518fbf0ee9204b3ce56b18a14d5ba0af4f3814746a365cf51665ce48b62e37983f69b9ebea13a4193f0b43c256fe2f150d4baaea02c845107075268f

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
64KB

MD5
106efd4f2d186eb77656a66832bb6907

SHA1
6bc515a75ab0b8608a75010f57f652bd35c1e7b9

SHA256
09df4d616e28c41156a3974de56ee908e3dc846540609ca103921f5972e40da9

SHA512
cc16788c9e673f0ab2b47d52d363aff575ca6113abbf39c170c88f8b3def885294536e5f2e031507b4a0bd352b553910b10377df8a8816e21fa56fff4994aefd

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
64KB

MD5
99303ae817fb1ecd6824aa0ffeef08c1

SHA1
9170336f9af918a3e95b368f2e7a761c92dd8414

SHA256
1900278f7f2321e6ebb3b65be71006bf4ddb6c3451411464cf2989cb5c5b6549

SHA512
f83d78d26da9fc2e7bc5669d9c377da8cb3570d7c5a65a524fb1e46e86ec4a0d78b1439705b310d876ab1c082a5e19ccf44b95e593b24f61e0193085e07f20d1

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
64KB

MD5
b23d73efb669def3087dbeaed97a8743

SHA1
598e07fdf1fd43a75a9ca7b43d0077ac9961338f

SHA256
bd36639411b42b707b49302b048e20d06154a6399606af7cdbd61d69b8d08435

SHA512
26d5082ef163474b3aac337b03ae50183a57d956ab24b7b609a0a2b1547fd553c404ac8bb18d542f222b32c13dae88a339ba4ed7c185e4f91142db3275ce6991

Download Submit
memory/224-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7180-1840-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7352-1838-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7384-1815-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7460-1837-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7500-1814-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7512-1822-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7548-1836-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7604-1853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7772-1850-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7780-1834-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7804-1829-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7816-1849-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7880-1817-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7908-1833-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7928-1821-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7948-1832-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7964-1811-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8008-1818-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8144-1812-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8148-1841-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8156-1820-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8320-1806-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8532-1801-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8832-1794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads