b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe
Size

94KB
MD5

7cdfd6b9187d7118f98623b4e0a0df30
SHA1

1d7227cd6b7adfc11487a6c1ad082cea6f384099
SHA256

b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88
SHA512

0dddadbc6cf8c72027f4763b6917f301ca64e18fbb57dcd5f8a22b3c80b98287446f48f74870320b938fe1ed69313cb518d0c6d2d54ac7c456c2268228295842
SSDEEP

1536:dtB3OiaNNMd3E0DnyFHbJvM4vLqnt5nGk2LyXaIZTJ+7LhkiB0MPiKeEAgv:31OiavMdZAbdJjqneyXaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhgehi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogkoedl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clihig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeacko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aliobieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahppgjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakqfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe

Executes dropped EXE 64 IoCs

pid	Process
2112	Aeoffo32.exe
1248	Aliobieh.exe
1032	Aogkoedl.exe
1580	Aeacko32.exe
4760	Ahppgjjl.exe
3408	Alkkhi32.exe
2756	Apggihko.exe
556	Abedecjb.exe
2884	Aahdqp32.exe
4224	Aedpaoif.exe
216	Ahblmjhj.exe
2360	Blnhni32.exe
2560	Boldjd32.exe
4272	Bakqfp32.exe
1164	Bibigmpl.exe
3392	Blpechop.exe
4392	Booaodnd.exe
1608	Bammlomg.exe
4600	Bhgehi32.exe
3248	Blbaihmn.exe
2224	Boanecla.exe
5044	Bekfan32.exe
3664	Bhibni32.exe
1920	Blennh32.exe
3900	Bockjc32.exe
3024	Bbofkbbh.exe
3952	Bemcgmak.exe
4168	Biiohl32.exe
2740	Blgkdg32.exe
892	Boegpc32.exe
1992	Bbacqape.exe
4000	Beppmmoi.exe
1668	Bikkml32.exe
4452	Clihig32.exe
1892	Cohdebfi.exe
4576	Cccpfa32.exe
2088	Ceblbm32.exe
1824	Chphoh32.exe
3468	Clldogdc.exe
1672	Cojqkbdf.exe
3136	Cedihl32.exe
4656	Cipehkcl.exe
3448	Clnadfbp.exe
1860	Cpjmee32.exe
1532	Cchiaqjm.exe
2916	Cakjmm32.exe
368	Cefemliq.exe
4772	Clqnjf32.exe
3776	Cpljkdig.exe
3692	Coojfa32.exe
3324	Camfbm32.exe
2280	Cidncj32.exe
2044	Chgoogfa.exe
4864	Cpofpdgd.exe
1816	Ccmclp32.exe
4252	Cekohk32.exe
4400	Digkijmd.exe
668	Dhjkdg32.exe
3648	Dpacfd32.exe
3356	Dcopbp32.exe
2900	Dabpnlkp.exe
3576	Diihojkb.exe
4560	Dlgdkeje.exe
4948	Dofpgqji.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jeakme32.dll	Booaodnd.exe
File created	C:\Windows\SysWOW64\Qonnknli.dll	Ccmclp32.exe
File created	C:\Windows\SysWOW64\Icnmgkke.dll	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Dagiil32.exe	Dohmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Bbofkbbh.exe	Bockjc32.exe
File opened for modification	C:\Windows\SysWOW64\Ejegjh32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Aodldljj.dll	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jknmmijf.dll	Biiohl32.exe
File opened for modification	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Dlgdkeje.exe	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Bbacqape.exe	Boegpc32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oddojp32.dll	Aogkoedl.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Genjanmh.dll	Dephckaf.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Aahdqp32.exe	Abedecjb.exe
File opened for modification	C:\Windows\SysWOW64\Blnhni32.exe	Ahblmjhj.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Pfnnkfbe.dll	Aliobieh.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Diblfl32.dll	Blnhni32.exe
File opened for modification	C:\Windows\SysWOW64\Clnadfbp.exe	Cipehkcl.exe
File opened for modification	C:\Windows\SysWOW64\Dhjkdg32.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nceonl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8228	8060	WerFault.exe	356

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgegko32.dll"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhjob32.dll"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhibni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbacqape.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camfbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2112	4476	b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe	83
PID 4476 wrote to memory of 2112	4476	b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe	83
PID 4476 wrote to memory of 2112	4476	b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe	83
PID 2112 wrote to memory of 1248	2112	Aeoffo32.exe	84
PID 2112 wrote to memory of 1248	2112	Aeoffo32.exe	84
PID 2112 wrote to memory of 1248	2112	Aeoffo32.exe	84
PID 1248 wrote to memory of 1032	1248	Aliobieh.exe	85
PID 1248 wrote to memory of 1032	1248	Aliobieh.exe	85
PID 1248 wrote to memory of 1032	1248	Aliobieh.exe	85
PID 1032 wrote to memory of 1580	1032	Aogkoedl.exe	86
PID 1032 wrote to memory of 1580	1032	Aogkoedl.exe	86
PID 1032 wrote to memory of 1580	1032	Aogkoedl.exe	86
PID 1580 wrote to memory of 4760	1580	Aeacko32.exe	87
PID 1580 wrote to memory of 4760	1580	Aeacko32.exe	87
PID 1580 wrote to memory of 4760	1580	Aeacko32.exe	87
PID 4760 wrote to memory of 3408	4760	Ahppgjjl.exe	88
PID 4760 wrote to memory of 3408	4760	Ahppgjjl.exe	88
PID 4760 wrote to memory of 3408	4760	Ahppgjjl.exe	88
PID 3408 wrote to memory of 2756	3408	Alkkhi32.exe	89
PID 3408 wrote to memory of 2756	3408	Alkkhi32.exe	89
PID 3408 wrote to memory of 2756	3408	Alkkhi32.exe	89
PID 2756 wrote to memory of 556	2756	Apggihko.exe	90
PID 2756 wrote to memory of 556	2756	Apggihko.exe	90
PID 2756 wrote to memory of 556	2756	Apggihko.exe	90
PID 556 wrote to memory of 2884	556	Abedecjb.exe	91
PID 556 wrote to memory of 2884	556	Abedecjb.exe	91
PID 556 wrote to memory of 2884	556	Abedecjb.exe	91
PID 2884 wrote to memory of 4224	2884	Aahdqp32.exe	92
PID 2884 wrote to memory of 4224	2884	Aahdqp32.exe	92
PID 2884 wrote to memory of 4224	2884	Aahdqp32.exe	92
PID 4224 wrote to memory of 216	4224	Aedpaoif.exe	93
PID 4224 wrote to memory of 216	4224	Aedpaoif.exe	93
PID 4224 wrote to memory of 216	4224	Aedpaoif.exe	93
PID 216 wrote to memory of 2360	216	Ahblmjhj.exe	94
PID 216 wrote to memory of 2360	216	Ahblmjhj.exe	94
PID 216 wrote to memory of 2360	216	Ahblmjhj.exe	94
PID 2360 wrote to memory of 2560	2360	Blnhni32.exe	96
PID 2360 wrote to memory of 2560	2360	Blnhni32.exe	96
PID 2360 wrote to memory of 2560	2360	Blnhni32.exe	96
PID 2560 wrote to memory of 4272	2560	Boldjd32.exe	97
PID 2560 wrote to memory of 4272	2560	Boldjd32.exe	97
PID 2560 wrote to memory of 4272	2560	Boldjd32.exe	97
PID 4272 wrote to memory of 1164	4272	Bakqfp32.exe	98
PID 4272 wrote to memory of 1164	4272	Bakqfp32.exe	98
PID 4272 wrote to memory of 1164	4272	Bakqfp32.exe	98
PID 1164 wrote to memory of 3392	1164	Bibigmpl.exe	99
PID 1164 wrote to memory of 3392	1164	Bibigmpl.exe	99
PID 1164 wrote to memory of 3392	1164	Bibigmpl.exe	99
PID 3392 wrote to memory of 4392	3392	Blpechop.exe	101
PID 3392 wrote to memory of 4392	3392	Blpechop.exe	101
PID 3392 wrote to memory of 4392	3392	Blpechop.exe	101
PID 4392 wrote to memory of 1608	4392	Booaodnd.exe	102
PID 4392 wrote to memory of 1608	4392	Booaodnd.exe	102
PID 4392 wrote to memory of 1608	4392	Booaodnd.exe	102
PID 1608 wrote to memory of 4600	1608	Bammlomg.exe	103
PID 1608 wrote to memory of 4600	1608	Bammlomg.exe	103
PID 1608 wrote to memory of 4600	1608	Bammlomg.exe	103
PID 4600 wrote to memory of 3248	4600	Bhgehi32.exe	105
PID 4600 wrote to memory of 3248	4600	Bhgehi32.exe	105
PID 4600 wrote to memory of 3248	4600	Bhgehi32.exe	105
PID 3248 wrote to memory of 2224	3248	Blbaihmn.exe	106
PID 3248 wrote to memory of 2224	3248	Blbaihmn.exe	106
PID 3248 wrote to memory of 2224	3248	Blbaihmn.exe	106
PID 2224 wrote to memory of 5044	2224	Boanecla.exe	107

C:\Users\Admin\AppData\Local\Temp\b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe
"C:\Users\Admin\AppData\Local\Temp\b849cb31ea1c391fdfa203bccc8689b0eeca21fb773e781509e7cc530118da88.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\Aeoffo32.exe
  C:\Windows\system32\Aeoffo32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\Aliobieh.exe
    C:\Windows\system32\Aliobieh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\Aogkoedl.exe
      C:\Windows\system32\Aogkoedl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Ahppgjjl.exe
        
        C:\Windows\system32\Ahppgjjl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Apggihko.exe
        
        C:\Windows\system32\Apggihko.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Aedpaoif.exe
        
        C:\Windows\system32\Aedpaoif.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ahblmjhj.exe
        
        C:\Windows\system32\Ahblmjhj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Blnhni32.exe
        
        C:\Windows\system32\Blnhni32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Boldjd32.exe
        
        C:\Windows\system32\Boldjd32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Blpechop.exe
        
        C:\Windows\system32\Blpechop.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        23⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        25⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        27⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        30⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        33⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        34⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        36⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        37⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        38⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        39⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        40⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        41⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        46⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        47⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        48⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        49⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        54⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        64⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        65⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2744
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        67⤵
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3048
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        69⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        71⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2440
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        73⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        74⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        75⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        76⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        78⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        79⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        80⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        82⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        83⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        85⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        89⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        91⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        92⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        95⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        97⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        98⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        99⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        100⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        101⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        102⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        103⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        104⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        105⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        107⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        108⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        109⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        110⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        112⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        113⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        114⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        115⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        116⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        117⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        118⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        119⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        120⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        121⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        123⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        125⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        126⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        128⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        129⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        130⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        131⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        133⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        134⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        135⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        136⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        137⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        138⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        139⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        140⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        142⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        143⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        148⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        149⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        150⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        152⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        153⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        155⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        156⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        157⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        158⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        159⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        160⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        161⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        162⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        163⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        164⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        166⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        167⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        169⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        170⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        171⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        172⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        173⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        174⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        178⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        179⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        180⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        182⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        183⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        184⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        186⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        187⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        188⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        190⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        192⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        193⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        194⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        195⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        196⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        197⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        199⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7308
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        202⤵
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7416
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        204⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        205⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        207⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        208⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        210⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7768
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        212⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7900
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7944
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        217⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        218⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        219⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8116
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        220⤵
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        222⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        223⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        224⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7484
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        226⤵
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7560
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        228⤵
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        229⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        230⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        231⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        232⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        233⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7276
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        236⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        237⤵
        Drops file in System32 directory
        
        PID:7704
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        239⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7996
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8052
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        242⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        243⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        244⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        245⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        247⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        248⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        249⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        252⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        254⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        255⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        256⤵
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        257⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        260⤵
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8008
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        263⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        264⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 400
        265⤵
        Program crash
        
        PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8060 -ip 8060
1⤵
PID:8200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
94KB

MD5
3f0759d6fe193180c01a3b575b182f41

SHA1
5a101ec6f63bd7f38aaac2cb753b2e56b5658136

SHA256
f6b6fde48b56118b0457d0b59a27088acfcdf6b43ad3ed421c86845f943e89eb

SHA512
f6cf6e11fb6269b14f73086c7ee231fb76859ec17e14e82f97aa77e5a0ffefed0b62fd8bc6cede637a0123dc53d3f772d7cf69de120d545d8c6a09ffbe55df85

Download Submit
C:\Windows\SysWOW64\Abedecjb.exe

Filesize
94KB

MD5
7ca9b7fb148b57aa1618a4840933985f

SHA1
52b25fe6d4d0b7c9a6b9d89561d5d04f82dab581

SHA256
a51878027b55ab2c20276e249a2ff4b9f48b8bd96433d7e5fa45d4455b0b5f19

SHA512
ca059677e9a5aeaffc319902735218a522089abc2401a2990d338d7f8a62eb20454b81c4eb7f3955be62cfac4b0553ba6aefe655b3c27523294a7e6669afa088

Download Submit
C:\Windows\SysWOW64\Aeacko32.exe

Filesize
94KB

MD5
9f0636ac2aaadecdc48e4b8fad6b1a59

SHA1
96f49e2dcbd4b8f9852774974e866dd0bf3b2278

SHA256
e54275c911429cd7040c55000bf22c3633455902ce3c68f4d516a1590ef9338d

SHA512
9eb96e585b61e9960a6902f82f6acb8f547fa84b5237d61ca69c8532295f81bb866f3f9e451520e5c82e23aed84192bfbc33346f3945b583081917ee4b7adab4

Download Submit
C:\Windows\SysWOW64\Aedpaoif.exe

Filesize
94KB

MD5
87d0e5fdafc75f60a8abff89ee1ca6a3

SHA1
79063748a10f9e8b8a5a9d86c27e741fc511a158

SHA256
4a9a63786ea540855901eeb021982a70a2c1f737cf8fde6b3e99fe1809efeed1

SHA512
945f80f854b0dd552697ffe97aec4b72158eb0c5a045013b21af2a0729bbaf5eed1caed99144c53a8773669d127c3b154379b624bfb0660f16d67455be2290df

Download Submit
C:\Windows\SysWOW64\Aeoffo32.exe

Filesize
94KB

MD5
d00e96cd6c7f539131ade0dcef614d74

SHA1
db4d10dfaa1f909e1d018123ebe228fd31016492

SHA256
f3bff0c27ef87a76d24e39f1c75d690180cdb5ca131946632d8cd61a1ccfc9f6

SHA512
92b423badee78d0d81f79c80932a4d917feff1002d073931900ab04e00ebcb2c01fc1150ae9e3c272f4df88b5aeef24bde07f052b81299da85a40ac9c5dd8089

Download Submit
C:\Windows\SysWOW64\Ahblmjhj.exe

Filesize
94KB

MD5
3834b546bbd63ec025b1e6534331815d

SHA1
6968ca65bb706a014dad84be2c0e5ed2fe1d6061

SHA256
56f629707fb641da370ab603ea07b1874330b0c9c41cd5bd326647bc5484b1bc

SHA512
d21f5e7a5524002c8ff0760839fb0221e701aa4c556ceb6c7e68f50fbb44df49fd59ac7689de7c2959f23d24eec1bed57f330d1097bea73b6322d11e062f8fd6

Download Submit
C:\Windows\SysWOW64\Ahppgjjl.exe

Filesize
94KB

MD5
ed7c99f449b620f8e791676290975885

SHA1
1871a766b1918166792d69310fbe835352ab08c1

SHA256
3532904689bbceb9e2afacdcd1430d1a6c9110c7607c6dbb37355463a5a84698

SHA512
702479e867086641580f700b66d3b641a252a468fe2b5f8883d6b4c9787811e4a56953b6ab93695f9a6c7c8e9d54a475628e9457f021ce1f2f976c2d42fea598

Download Submit
C:\Windows\SysWOW64\Aliobieh.exe

Filesize
94KB

MD5
7cd991d077ba73445f352751b600af42

SHA1
4b2239e7e4baa05ca2fe8b884dbb59a790618abf

SHA256
4222d319c91293560e85a5646c5d3f7c33aa98b4d259bd39cdc924929f5cda67

SHA512
9fb84f4d8b14f71f6797291f32d0db251ec477ab7f0e16e2ef475e523f161b5b283018c92ff366c58e1c4166b665be7d87d9232fbfd950f5709c24915ee14944

Download Submit
C:\Windows\SysWOW64\Alkkhi32.exe

Filesize
94KB

MD5
945572887c8414c3aeaf424f6b252119

SHA1
526b79cd58e9a8e76394c10800bfeffe97777adc

SHA256
a092f1c8e0ed70cfe0c48885f824ee93dba335d2abfa12b036d072833aaf1420

SHA512
d7ed07a55038ee52283d4994a197eb52face212b39a274e41536f65fd5d9e069f62e9fe2de8689b5fc944e8cb0aa35498b2dbdd9439e11eea4e57f9222766e9f

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
94KB

MD5
4edcc4f96deda0b0e32cbd01c5a1965b

SHA1
2595233a5f3a2d33121ddc378348780f08c65970

SHA256
d011f6586809a0d8421c0247a80639c1ff01c7dafb7061aa1047e4f85438d9dc

SHA512
3e45e65b515057b166fa95787280f592e356056b87ed479d873eed5746baca6fd1ed452752da3a5e88c2cf83d00e43d4164e7cab0d66cce1d242a1dc7d92b8ed

Download Submit
C:\Windows\SysWOW64\Apggihko.exe

Filesize
94KB

MD5
9102736d04433dd612827b9413a1819c

SHA1
6b2d8904f6e798f989eeebf0a7b6eef815def509

SHA256
c1be55ab2bf98c9cfc39e28508d740568986db4e629d7d075ac23eb0769bf8c4

SHA512
bc6e1e61357cfa5db8ef552c7f685307e87db521fa75725f87e0db192d371d99b71e4c7337286c12c4c3035d9b5701bb3e88e094272727757ac999a6e6d9f177

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
94KB

MD5
0cd67237bcea08df4b942a275d8267bd

SHA1
bfb390e99e55baa166a32bf348fc2790901d0c2f

SHA256
4b13e6508b859052653461aae676cccffbc18242091a05dc7129f2e4fa3e8892

SHA512
b6241d325efc86d944ba0606586dafb42e6fb6dece68b1e5a2c3be4650f352fdaf1a9543a3680f9c5bffbb856ad2416cc1d25411c0c09a54ba2e5590fe76c1e1

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
94KB

MD5
d4ec24328b3818179c61746f4bb6dbaf

SHA1
17c011247985bb8be3684bd56b22f1b5890eeab1

SHA256
738fd3fa9165890914b44904eb108aeaa0cf89590ff3b4db0fe1cd9f6e5c8527

SHA512
0fe7e1e318d55d66fe21837203fc45b5affd9215fe9b37d824afeafde857f76b6d477844d7917dd60b06395a366701cbe76165000ed6846b36d49d4b01c3b6ee

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
94KB

MD5
95eeb06b20079adc52ab7caf60d217ae

SHA1
eff361fdac10bad074ca408f9688dd00c1c25ee5

SHA256
cf165f5ec290f478b82b83365bb33b24104e5a62c3abee6475b3adb20882aceb

SHA512
c1522c0349d835e1ccce182f85e5a245237aa8a7fcd417c8da8de33507caa275e4bcf9f052d55f2dbcd05086d256bab30207207b5b3d51d422b95d889a6b962b

Download Submit
C:\Windows\SysWOW64\Bekfan32.exe

Filesize
94KB

MD5
691a4fc5395e3601c2dd0434b5a7c132

SHA1
037d7ab0c5b805eda188a7d4c40de633e45a1d7c

SHA256
78c8732372813f5310eca2d45d8c4a661d7b5510d055ab4b76c5083cc48c3607

SHA512
5ba9556984b0ca1666de40af5509cfbd801554dbd3d572d7e86615a64c90e3ddbd1132ff5680775d4e0eab4e2a417c300dfd0a51411e60620916147d6e72e1a9

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
94KB

MD5
a6b5e13bc8ea105b0db7c981d05b645f

SHA1
b8f8eccfb1d1a70990de46f4c5d1e7868c6cb090

SHA256
f3d534dadfc3b4a552c626f278e615c7f2bf2241188bb774a339049ff3dff6d4

SHA512
58604429d927fa556c5fdd1ec853a5d4ee9a85e7192a221ce53b51f86698a2d5a364404cc29e3690bf1624a8af3e251140378d349b1d29aac58896ae3d26f6a3

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
94KB

MD5
d7fff55ad3d385260c1555465cf51407

SHA1
d3aa87230f16d629f3be8c5a39bf35bc07bfa4ff

SHA256
0c7592c38288c98a84af860150dc187c7cda34bf97ecb2b2169173ddb888d8f5

SHA512
6fcce431bb305fcc3aca1eecbcf7c6f5d49a4d271e3edfa807fbf2968bfc6d13ee5de76597cfef857108ea5f9b6beb150f4235ddda6d6a3f378a9e6c6c2b5edc

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
94KB

MD5
14cd7b38dadd839040036521c96dac42

SHA1
754a4cc425c2433bf1c67ae9fa14c690411b522f

SHA256
347a412403d3e7c95996b87dd048c1371435d8f3816841b135db172c9b441e83

SHA512
263331d8218dfd203a70703dd3cd02c9b58f3208e879f3eb943c312bd06875bb07fcbb37a762ab2caba8aa2c4ff66d28c85935c02b66eacbe067804824cfe23e

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
94KB

MD5
65900799fdd2607b29d389c94fdd43f2

SHA1
78c2c34fab264a6911e7fe1402ea00a2df0c7f6f

SHA256
fc0a0afb67529eed0c5b76f0ebd3647cbe5099991ebedc76db6b01ddf133417d

SHA512
94046169951c9ee7c3efc8770a0148a05c4689c958813d38b21aa0a212c01c9ea95534ad825e8aa9e89640ca873bdae7a61befe5a28ad61fed0d9a8cdb780925

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
94KB

MD5
088f2cc090d38d6f81723dd2235f43e6

SHA1
8d6034d2c6bf5da11f9344396e0bc645dbb0a436

SHA256
12d929759a6d9c30ecaaed81795c8f8616dfa1615164b99f015061f85a2e85e6

SHA512
2d954d459de000abdd6508254428dd6b9cf4916208a812ee8a8cded6ceddbe7c65e688b81bbc869439ee21e46c75dfc658cd71cf77b60b8cbad413d56419bd35

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
94KB

MD5
b6441ff5aa7c46580ef945997f6054b1

SHA1
367c00640e7bc8f55d43f10bd606372a0b816e63

SHA256
034bd84fb08cb18d4c92c1a3766ffba987bb6047423bab0950fe2565786e960b

SHA512
7d1d4e1a7774ee85fc23dce099099786b01832e52d7dd40455d6602f2000be35241fb51d435d0540cb578f7ac1249b68460d6bfe64f4f86cfee734e6b112d583

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
94KB

MD5
8d4775f6f58f7ed8733c3a88daedd1f8

SHA1
43da6fc94b9937a9881eb7332f1249ac008e220e

SHA256
e7ae32df6aace4690d51bd60535e0aeb0821cb0c5f9e51e058ca56e72188b96d

SHA512
e1256cdd3043a6b042f90ce0da866d10f17a88e9fcc07d126ef2f23e13cf9c32394a9937dbc9e7f029a267b66c3f516a4ad7e47e502d994f07e947e1ce62f965

Download Submit
C:\Windows\SysWOW64\Blbaihmn.exe

Filesize
94KB

MD5
caa14caaf2150385471b03fef5cc09a2

SHA1
726c78a38de292ef35385d494192f9b36cf83274

SHA256
0ae62dcc0f1feca98e74bee5b20e789c9a9e3826621cf50be20374b475290501

SHA512
dd92dc12770635877e639a029030857a13b600428c8bfe3b26c171f8d97b774de324f4e09fece899de3653d949748fbc27a1e520a6ebda3f92cdf594824c474c

Download Submit
C:\Windows\SysWOW64\Blennh32.exe

Filesize
94KB

MD5
9cd7972d0131c2d446b1b468b0a8be30

SHA1
abf546130061679ada63a5606c3e7ccf536c78f6

SHA256
ff80101d4772a4cca24ab13c0750910282fcc9059db7da604ac3f2bace6f39d8

SHA512
09b7554dafab4b10ba82bffd06aed20d66706ab9c75dd30d434d8a189f507ae627aad217d3cfab6778abec89951d0550e52845a19907a07a545c0721ef43f3b1

Download Submit
C:\Windows\SysWOW64\Blgkdg32.exe

Filesize
94KB

MD5
fde867ce0c9dc92fc2d7d7d7a9b12a88

SHA1
73a62da5b71d37a3bfde449b8232739b11959c56

SHA256
22fb1a7e7f54c95d4c282e14dd58290470428876884a378b78b4b3f953e0a416

SHA512
3ea129ad0f158b14dd07205b416cbd6e853feb01c67a7dd66b8c2c81e68bd2e9eecd546027201c7463107d2cdf9e61255208dba96ae99f92726196843505ec6f

Download Submit
C:\Windows\SysWOW64\Blnhni32.exe

Filesize
94KB

MD5
aa22d67a2d2a7053843de0abd8fce5ff

SHA1
0e7220190b1b10f2b4768c58bcd7916c3b9d27d5

SHA256
7107031f554c3188726042ab30c8ae6eacd267f7d39c36b09e529811191638e8

SHA512
9c7df45d76697714e98290a785649b9e4038422664cae227fb950009ad313d97fea0c95f0fe3121c25dd800f6d74527117f0b17042c8f2877c16588c5c3949dc

Download Submit
C:\Windows\SysWOW64\Blpechop.exe

Filesize
94KB

MD5
30c297d9e373696878d9ec27916f0831

SHA1
b81836c93526c59af5fa94f5d7ed82498038f397

SHA256
107bd101416e9878983c9727724dca7e2b9d99c66d4f646972d49138d2faceef

SHA512
7b73ebc2949835bb5d4d6c3bca9b2a2a68d7ca9740924773fa27f9517fd23707e2dba86bb385ba2e720ba56cdf2c92bfb820f7f4e5742485a9960fd7e843d221

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
94KB

MD5
1a63ba0e7c5cc743b0bbdcf3421c2016

SHA1
d86b292183e88f334c3d9325a9fdf965aeb406b2

SHA256
e19f0df6f874beef3bbe0de5e7df2202aaa17c9fc1d51c7dafe81a2dfebb7cad

SHA512
ba6b61c33f698017ebe4571553f6aff5344a487afdde64da0aab9271f8c77a19e324668cdde3019c43679768c13c8be98b63a6920da28668da1d7f4c8a5e1f06

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
94KB

MD5
9c7d636ce06366067c5a6d5b5fab2110

SHA1
bc796a91ab477a6166a59f76902b1aae9590285c

SHA256
4e5056db4f4bbdc8adf1bc57b90ade00c22f12a26f2efae66a17fefea3e6a201

SHA512
a5f4a7812862126a4483851630331aa3738f152808ccfef73bfc6284acad6e8a7f32219a4a9ebcadb123759c9167fcff5d65d9af28f4edf3b0690a99121c5df5

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
94KB

MD5
36b581e90d1d419a6ed2e94b037ac24a

SHA1
c4c88ad17e179661d3ab884a97c75917975d4d15

SHA256
4bed6b380b3ae8b97910bdb3de8942d96f3d75c18c6d69c62cc1d8282c3dfb2a

SHA512
cb41cfb54b88acb2287133a944319c0a0446ec2df776a535c48c5eb91f65e2f5d4c3a6e54024410b530b0a3c47af5841b6feb5c4773885cf22108a3a05ab5f02

Download Submit
C:\Windows\SysWOW64\Boldjd32.exe

Filesize
94KB

MD5
71cb48ae396cddcfdff190036dce85b0

SHA1
f80336caca1c728a5be329fea1b24e10c54c2a7c

SHA256
a71ad7068156199798d64bcc7c7e689e1a3b9abf84906c372ee6272bfa0acdf8

SHA512
0f927cce23bbd2327093ae5ebf0709a198e4779df7362abe1cb85a4b3b59674d91484643b339c25b193857e6f75be8d4594ff990bd46a6663b23d30ea9eab5a4

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
94KB

MD5
90264f767e7ed4948269c44853068d20

SHA1
9536ad47bae62f30428d481693a4de85cdcbbcd7

SHA256
569416c36e913695c84aa6b2a4e7dc8803c8827457aea2489deb5e674f295e69

SHA512
519f19347ea039f57867f21fa6e772e952649023f1799dcfea42b3a0302095019efc0935c7a72eeffa495fd03e9a0f00b9762876132a669a2122e07c84ccb60b

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
94KB

MD5
c4180fd7c965809291c42aa3e4b9f400

SHA1
27c2ae01b906336e5ad00740c877f96c7e6f71f5

SHA256
6532dd241b405a82efb112a2a645d16356f17da7c575d20a9407f17a985c7800

SHA512
1627bae4a59b361c5b469f0aaf5f2b6f04dd19b8b47a7a25a916258a6a455a12cfb3359a2046c45ae6b702a41ad0aa8bddb76fcbb4162608d2e9ac2d707be76c

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
94KB

MD5
fdff6990edda37cb835d5e874d0ab15a

SHA1
2df0f58ce353d266d057ef49d193a34f3ca16aa2

SHA256
088656803bbe2ae54f2937d8a2198e8f9886ac2e51cdd252b4c3afe8c7626b6f

SHA512
9d89a5c28992325f2ed8b1cd045268dcc9e929554971f518eab7b3d81fab029bf9fa3f1ff153d588faa101d8253da1ef207b55250e4b8733ccb6cafeb64f80c3

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
94KB

MD5
a4d7b8562e5312f37f966ae720013895

SHA1
5e584436577927d90e9d6c53cef00d3eab0afe04

SHA256
57484b9705c6594416e1da53a782fd440d3f07da8f621424c479260f05e9e914

SHA512
9cbab22c39a853fb3e99e9c218522c65996a667ed0e7f7789251482dd1e19630e1aaa725e381ceda1b68e65b83e906b9361def6c4e8519b186c957c1cfbf5c33

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
94KB

MD5
628dbe62d841e43a5edf34ca31391d35

SHA1
5a4eb5b4745d702729dfeac21a75426043293f2b

SHA256
dff58ae04fd6bfb0a55c5031d00d2e6db107082143a22879265003059cc3cf77

SHA512
acb68213e63f77c227540e79f73ad5ebe2ccbf645320fef1e01e9b7cb1d5f79f7ffc0a938c215b70f4e6b88356c618ea44ada4193b7ff9b14eccb8491c53db80

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
94KB

MD5
6c03b035d7a989320293d62e37672b49

SHA1
2db3e9a44e181bfe46e6d2e067704993f05e7cb1

SHA256
b13ddcb9b93f8208c76a4938b10051db1f9716b73b6c051daf915e1642f4c20d

SHA512
6d73267e6adca198e60e83b63deb346411a0261caa72bd724516036f80740dff1e0351708925885a602568c4f4af341111f7eeefc6895ab51cd4d1379c7846f0

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
94KB

MD5
ecfd56d8e9fe8d67aa9b66130527692d

SHA1
b611ca5fa097d87b329984653c8f2afda6432f92

SHA256
affb236746ca0a7186adfe75164184e606ce9a7df492c9260a27134c1fb7bd62

SHA512
02ce09e63b18186f5a7d69d3a8669374b374d0dee04fe13e16394b739c9be5ae007447c85d9c64417316ad9753430dbd9ee597d2699e57e97ca526cf3a15ebf8

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
94KB

MD5
67161528832c17c1203b26492b954b35

SHA1
3bfba5f7b50e01b97a9218a55bf736eef864a07b

SHA256
040d178e20c61ec2985fb1f455319bf7ee0f95c604cc02f07de1759df7cfeac0

SHA512
9afffa3ddcc82cad8aeefd43ced0eb5066b1b06ad463f549f43721695a9e548afde6af5aec656afcedefea82df428ed31272dd11fd67533c64ee10da853839ed

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
94KB

MD5
104e4ff3815f3567210bf36e1fa04dcc

SHA1
f007b70f903b625602ed07d6c16bb69ff97b50a1

SHA256
f0c7e80a8c2f113a8b4812788f3c8f55b6029d5d2a340f6c90896a0c20894dbc

SHA512
d8d275f4eba9ee8121dfa92427f50e8c8781b42022f8870ab6c9e8b01c12de1c54ddabfd8071fec19235d09c9acc75b3ade276cdc37c98aff0bd718708a659ff

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
94KB

MD5
db96b6302b55b8f910419b298b269ff3

SHA1
7e0c2a5d7a8b484170d8d2f7f724d79fa64de32e

SHA256
ec9d81d3bdaef49402033e7ade5b8c5257a48ac338fa3a222da8f1c814f96102

SHA512
0c0e473f6885a4b612cbf183d966a1798374f0cd0b4b747a8f197930aa3cf261dfff80b580a5aadea44e4cd09b732333d7763d123bab0e375f888a2d223801cb

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
94KB

MD5
06619474d5ccb1b0ea24b8094f60d658

SHA1
4493a3cc615289df9a24209dabb5cb8e60bcaeb8

SHA256
b32c810f54acd1cdc05e564f4d77eaa161e50e6bf41c29c10bbb12204a419ff6

SHA512
42ef96dc13ef8910eaaa32d26c6bb03b0ef74db410a41c82146a647863d8f063b4835adbae34d737070942634c238d4ebe23fd6970b34ddd859ec132a120648c

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
94KB

MD5
0f400c9d99cb6b74d9d6048b880fbf47

SHA1
1fdbef3cc04e9af6a5e89c6b984af9f15f9245e6

SHA256
7ac2c906a7d69c6ebda9fabc59f03024c340f771bedcda7c72647822cc2d0f6b

SHA512
c032746e36d6139c217bb4476cff131ee3a7ab1933d859456a0ecaa2d9483d7416dacd74930a1b0dba08534863aea62ec40878014acb612ec6399d2172f70962

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
94KB

MD5
407bfbd9f174976001602f241141076b

SHA1
78bc2c771ccb2ef997ea80cd08c9ab7956f55691

SHA256
f81f5540a6b1642f57b239c3fa0284976460daf42320ea50a80e519b41a3d783

SHA512
2c369ee212e1a8546a4a6cc0f2677296538ea5a4fd123b18c59fcbceee42515a50b57188a68d84f8554413fa075577c1c302cd65e123368f14967743d1d4d482

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
94KB

MD5
6876e4bf80c92679430e16a64ac879bf

SHA1
9b7df22dfa9ee80de3af1670f9afcc21e22aa5f3

SHA256
aad360505f00d624ae8da9c9d5b1f49600299d06d922748c499bf172fde3660e

SHA512
66866d8d2672df25b95c83b2b69a7f37a92e91443d3453bd5b790b281170c81c54047eacad4cbada74841723089685e7406f6992c5857dbaf61e3e6ae28a789a

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
94KB

MD5
4ee3166cc904d20c45460294ca5df947

SHA1
2d8924c149f476672798bc8e4b825d339d9b1fad

SHA256
f382032af351d19022c487626b867ac9d3277f067b3983f639a1879669189b44

SHA512
7bfc128f27ff874b52a8d0f23c27b0ce93df2c70cc0ffe4307db6049ff4b1dbeacec5ecbafc9f87ef645de307a679d052d480165f151552e6cee53e5d48d113e

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
94KB

MD5
8e17228ef65c402fec72b2f3f5bf5923

SHA1
537f658145c404eb6b3988aaad0fe713f618dc0e

SHA256
e995f5374270c795441f5dbc5bfae023dfd5a99c9fd0b73f322cb850ceaa750d

SHA512
5411963fd119cbcb6aac255a52b0110231252bacc5ebfb973357e28f5c17c8ff81df93369242738ab95978c07bcc7d46b13e1454233457a3a091f2e01811299b

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
94KB

MD5
f3ecae82934d12f7e6d2b19678c318f9

SHA1
472a824485617a9c6711450fb833c8dd49cf50f2

SHA256
c7597563530e3df61d414ad0cfec70cd61f32195410d972f68d8890f8f298ea0

SHA512
659d082178b36947fcd0f4937c81ae014e4cfd6e02745aa89b112b4e6531928443903adc736cc2f77a6f1c34251ea474095331c1038eb148244016b74f6e54f7

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
94KB

MD5
a18af8a76e046cb9ab894dc75abad6d5

SHA1
3bfd4132eb7f3c59b603f8b281ce0dc2e7a31f67

SHA256
7c836bcdfb5c07a4ba55bddc3c81a48657cfc7cc8f137d97229cfa59553cc688

SHA512
46d2c3d3af3c28522302b6fcab056c89d1894ab06be25b92436e7dfcf721e71fd8716235b9c97db8c664726955b039b624bb7086a4a12cb9e5a127899e04c202

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
94KB

MD5
988535b45f7581fc0b01755faa24f173

SHA1
9e6ded25557832f16a8ee58bad57f2a738aadbce

SHA256
6077cbe285cbcf6c91b4d1b00141a5c713f806850b57304fbc3dab1c51d8e91e

SHA512
7cecb7c5cdc306020baa39d7909094835082e523ca9d3d34ed9c862cdf5f90af8b337660d7f0a23875fab2dbde1cbe0b43dfce2775068d67c7ce12d228a779b8

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
94KB

MD5
02c97a2fdb518ec8c3f57452282102d9

SHA1
d0f2bfc8220ba9e75a40a04f9b7333d998e85a13

SHA256
3985b81739d5d34440b5dde4a6a52ce5fa67a91ea7037e7dca0980993459e5a7

SHA512
4ec17cead48be2d7fcc44f0562b06ed0768cc39e820f04944d9a8649e86780b92d57a38457e109408e77c629380872284b1963d87b19338a80245edba0daefde

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
94KB

MD5
04844769695facff8733d790d7acca09

SHA1
c3143e87be16a8d25273de54a7b69346201ff320

SHA256
d5a7b98101fd759a6dbed396aa52f1045d11266ac359519e21fed2fed66dc438

SHA512
9152ab0121f95670fecadbcd9f0aeccb9d287dfdb9b6d69509802221ecb0e8407c0f5860bb9a86752bce49cbb748bf7c8d873ce14d63c598a0695d82f3c4f3b3

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
94KB

MD5
5dc9c4dc089cabf6258e1b7657a1c2c8

SHA1
8c70d23b30fd69c54f218f86ab70dc07d8a085a5

SHA256
d04b323ceb34ff017503beaa385ccd71b907a2e257804bc8aa0365a947ffbf37

SHA512
162b7a9f98cafd37ef00b66d5e349a3a88f18a2064397a082d14ca62e7047981f225c1900bd08e2c0a8bfa5b36354a433d2db31a3d50a922429a0ebfd7032b9f

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
94KB

MD5
6514866a02150d217c0cfb7534ad6c76

SHA1
97c2d6f0bfbc96d316826c8bc4b7d5261a23733d

SHA256
c8278b916fae93bd50ab0eff040bbb18abf1d6c5d1652aa9c5f7291cf14d3025

SHA512
ff551a334faaff12b882e007ebcb7b64770b2f95a005ccaf079897e9a77fb31871edc1d358310f091fe7dcef77ec9863bb7c0e22d703ab44093ce2c1b376de02

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
94KB

MD5
6d24656e2f794e5632e2e49a2d67a04f

SHA1
87acfef7a153a729e20c75e920cd6847c66592c3

SHA256
4c5866eb47662af05f8c080aa32a77d75ee849934789dac20b86529b5c6d7e39

SHA512
092b59d82be87957b5b71f1402b474fda686fadac6d81a0a0be745adea2568f78d757db48981b762e89b1822a533321e90a6fcc35aa2e6934c1731bcb84464fb

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
94KB

MD5
aa7a8a2db3017dfe4a0c18bbc4bcdf8c

SHA1
b783156b36babc26dba44ad05f2ac4e538fded4d

SHA256
2b64a26cf88b827fa9809ded861a9a91951c85e48c0312508301351119f98554

SHA512
4313b5d41df44f6672d0efc5353a2816362a60b02f6093ac44e824d8920b2f11f346a7ed5e791b5cba1f81b27718bb985a99c5f143bec19d75db8777eece069c

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
94KB

MD5
7b9884dc7720bc84bf94bd4a392ceda8

SHA1
7b7436898ccfe14092bd15b73f4622483e3506d3

SHA256
9a95909313e84755c4d3c8f811c3d7d1e8f7b71550b75425a7ebe1a3100b1487

SHA512
3e86e4ad00ec87893f8468ce4f475a026dbec110d96c5075f1c41da741450efaa2ed3e1d6e3b33c67017bc499ecd429934e486c100205f3144d17dcd44d697aa

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
94KB

MD5
fa6a407f3f2f30cbbda08d4faf5600b0

SHA1
df7c7ddbbcaaf0f4dcbd7cb18f6ba377529f646a

SHA256
ae22204c1df237bbdfc1ea74104e4445946aa1d39292404471a041f82a84a0b2

SHA512
095bdf046ad27bac35e2246da74a36bbf56d5eeb1bdc130a44dbf573b17173178974e5f41fa3e9cc3aadb9c654c38fe814d55ec67aafd28e014fb659a8b64931

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
94KB

MD5
e31f4f5e4d09027228705b2f064609a6

SHA1
364cc8a40e29c210a736e0304718f60ad369000a

SHA256
9e22f006c2ce3209f38dbfbfc42eca99036d98b8297a79ea3f9da8fded516eef

SHA512
2c8339a10c98c2d56e230593bbcfa79f4d552c5770636b964a17d2dc26203cb53d32274809bf2b4ea3264ba738979b59b8f0ba45f052fda29fab625865c66140

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
94KB

MD5
05c6ba211ae2f893fcd5da4a463b305c

SHA1
0afaee203da329a4f3745c92a7134574c2cece7e

SHA256
552505d4667aef6f4fa0f1ffcc20a9459b4a8db8f96e736b0f5d9123098180df

SHA512
1efcb7a8168a24080d7627a29f9b57756df9ab81315bad2ec6ff20ecbbc704578654251a79764a1cd47ecaf2ff4660107565a0ac124fa13088b6c644bad84b40

Download Submit
memory/216-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-445-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/892-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/892-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1920-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2756-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2884-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2900-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3356-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3392-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3408-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3408-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3692-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3776-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4000-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4252-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-438-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4476-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4656-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-483-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads