ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe
Size

43KB
MD5

73cb1fe83ef1db409a7eb16b87bd81fa
SHA1

1f8c16c109b245da9c551ba8b524ba24d1e57648
SHA256

ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea
SHA512

fc45d94c0c536dd9968ca27d74385bf8372c64f81dcf51b78196519d77c5a00228c379eafcdd5f5b527e8375e571626879c4ba6905497717ca0b00b3c3609d3a
SSDEEP

768:3PJadenAqtYQnaXH96rV2kllriFqR7Atmqfvfj7sMC72ZWzFwKF/KpplA:3PnAClrVLTrEqNAxvXsf7rzV/KpXA

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe

pid	process
3036	123nguoidu.exe
4704	123nguoidu.exe
5024	123nguoidu.exe
1380	123nguoidu.exe
3416	123nguoidu.exe
2352	123nguoidu.exe
4352	123nguoidu.exe
1608	123nguoidu.exe
1004	123nguoidu.exe
5112	123nguoidu.exe
4628	123nguoidu.exe
4348	123nguoidu.exe
5100	123nguoidu.exe
5008	123nguoidu.exe
5036	123nguoidu.exe
2176	123nguoidu.exe
4644	123nguoidu.exe
2160	123nguoidu.exe
964	123nguoidu.exe
1396	123nguoidu.exe
4712	123nguoidu.exe
3164	123nguoidu.exe
424	123nguoidu.exe
1800	123nguoidu.exe
3316	123nguoidu.exe
2092	123nguoidu.exe
1308	123nguoidu.exe
3076	123nguoidu.exe
2808	123nguoidu.exe
3520	123nguoidu.exe
2136	123nguoidu.exe
208	123nguoidu.exe
340	123nguoidu.exe
2600	123nguoidu.exe
4812	123nguoidu.exe
1548	123nguoidu.exe
3756	123nguoidu.exe
3860	123nguoidu.exe
3620	123nguoidu.exe
3488	123nguoidu.exe
4340	123nguoidu.exe
5016	123nguoidu.exe
4364	123nguoidu.exe
1928	123nguoidu.exe
1224	123nguoidu.exe
1792	123nguoidu.exe
708	123nguoidu.exe
2184	123nguoidu.exe
3732	123nguoidu.exe
3688	123nguoidu.exe
4924	123nguoidu.exe
372	123nguoidu.exe
836	123nguoidu.exe
4552	123nguoidu.exe
1776	123nguoidu.exe
3736	123nguoidu.exe
4788	123nguoidu.exe
4000	123nguoidu.exe
4284	123nguoidu.exe
5104	123nguoidu.exe
4556	123nguoidu.exe
4596	123nguoidu.exe
3772	123nguoidu.exe
4464	123nguoidu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\123nguoidu = "C:\\Windows\\system32\\123nguoidu.exe"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StopScreenSaver = "WLEStopScreenSaver"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Shutdown = "WLEShutdown"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Impersonate = "0"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Lock = "WLELock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Startup = "WLEStartup"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\DllName = "123nguoidu.dll"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Unlock = "WLEUnlock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Lock = "WLELock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Shutdown = "WLEShutdown"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StopScreenSaver = "WLEStopScreenSaver"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Shutdown = "WLEShutdown"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Startup = "WLEStartup"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StartScreenSaver = "WLEStartScreenSaver"	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Impersonate = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\DllName = "123nguoidu.dll"	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Impersonate = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StopScreenSaver = "WLEStopScreenSaver"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Impersonate = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\DllName = "123nguoidu.dll"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\DllName = "123nguoidu.dll"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Unlock = "WLEUnlock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StopScreenSaver = "WLEStopScreenSaver"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Shutdown = "WLEShutdown"
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Shutdown = "WLEShutdown"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Startup = "WLEStartup"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\StartScreenSaver = "WLEStartScreenSaver"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Impersonate = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Unlock = "WLEUnlock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logon = "WLELogon"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\DllName = "123nguoidu.dll"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Lock = "WLELock"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Lock = "WLELock"	123nguoidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Lock = "WLELock"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Logoff = "WLELogoff"	123nguoidu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu	123nguoidu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\123nguoidu\Asynchronous = "0"	123nguoidu.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe	123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe
File created	C:\Windows\SysWOW64\123nguoidu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe123nguoidu.exe

description	pid	process	target process
PID 2096 wrote to memory of 3036	2096	ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe	123nguoidu.exe
PID 2096 wrote to memory of 3036	2096	ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe	123nguoidu.exe
PID 2096 wrote to memory of 3036	2096	ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe	123nguoidu.exe
PID 3036 wrote to memory of 4704	3036	123nguoidu.exe	123nguoidu.exe
PID 3036 wrote to memory of 4704	3036	123nguoidu.exe	123nguoidu.exe
PID 3036 wrote to memory of 4704	3036	123nguoidu.exe	123nguoidu.exe
PID 4704 wrote to memory of 5024	4704	123nguoidu.exe	123nguoidu.exe
PID 4704 wrote to memory of 5024	4704	123nguoidu.exe	123nguoidu.exe
PID 4704 wrote to memory of 5024	4704	123nguoidu.exe	123nguoidu.exe
PID 5024 wrote to memory of 1380	5024	123nguoidu.exe	123nguoidu.exe
PID 5024 wrote to memory of 1380	5024	123nguoidu.exe	123nguoidu.exe
PID 5024 wrote to memory of 1380	5024	123nguoidu.exe	123nguoidu.exe
PID 1380 wrote to memory of 3416	1380	123nguoidu.exe	123nguoidu.exe
PID 1380 wrote to memory of 3416	1380	123nguoidu.exe	123nguoidu.exe
PID 1380 wrote to memory of 3416	1380	123nguoidu.exe	123nguoidu.exe
PID 3416 wrote to memory of 2352	3416	123nguoidu.exe	123nguoidu.exe
PID 3416 wrote to memory of 2352	3416	123nguoidu.exe	123nguoidu.exe
PID 3416 wrote to memory of 2352	3416	123nguoidu.exe	123nguoidu.exe
PID 2352 wrote to memory of 4352	2352	123nguoidu.exe	123nguoidu.exe
PID 2352 wrote to memory of 4352	2352	123nguoidu.exe	123nguoidu.exe
PID 2352 wrote to memory of 4352	2352	123nguoidu.exe	123nguoidu.exe
PID 4352 wrote to memory of 1608	4352	123nguoidu.exe	123nguoidu.exe
PID 4352 wrote to memory of 1608	4352	123nguoidu.exe	123nguoidu.exe
PID 4352 wrote to memory of 1608	4352	123nguoidu.exe	123nguoidu.exe
PID 1608 wrote to memory of 1004	1608	123nguoidu.exe	123nguoidu.exe
PID 1608 wrote to memory of 1004	1608	123nguoidu.exe	123nguoidu.exe
PID 1608 wrote to memory of 1004	1608	123nguoidu.exe	123nguoidu.exe
PID 1004 wrote to memory of 5112	1004	123nguoidu.exe	123nguoidu.exe
PID 1004 wrote to memory of 5112	1004	123nguoidu.exe	123nguoidu.exe
PID 1004 wrote to memory of 5112	1004	123nguoidu.exe	123nguoidu.exe
PID 5112 wrote to memory of 4628	5112	123nguoidu.exe	123nguoidu.exe
PID 5112 wrote to memory of 4628	5112	123nguoidu.exe	123nguoidu.exe
PID 5112 wrote to memory of 4628	5112	123nguoidu.exe	123nguoidu.exe
PID 4628 wrote to memory of 4348	4628	123nguoidu.exe	123nguoidu.exe
PID 4628 wrote to memory of 4348	4628	123nguoidu.exe	123nguoidu.exe
PID 4628 wrote to memory of 4348	4628	123nguoidu.exe	123nguoidu.exe
PID 4348 wrote to memory of 5100	4348	123nguoidu.exe	123nguoidu.exe
PID 4348 wrote to memory of 5100	4348	123nguoidu.exe	123nguoidu.exe
PID 4348 wrote to memory of 5100	4348	123nguoidu.exe	123nguoidu.exe
PID 5100 wrote to memory of 5008	5100	123nguoidu.exe	123nguoidu.exe
PID 5100 wrote to memory of 5008	5100	123nguoidu.exe	123nguoidu.exe
PID 5100 wrote to memory of 5008	5100	123nguoidu.exe	123nguoidu.exe
PID 5008 wrote to memory of 5036	5008	123nguoidu.exe	123nguoidu.exe
PID 5008 wrote to memory of 5036	5008	123nguoidu.exe	123nguoidu.exe
PID 5008 wrote to memory of 5036	5008	123nguoidu.exe	123nguoidu.exe
PID 5036 wrote to memory of 2176	5036	123nguoidu.exe	123nguoidu.exe
PID 5036 wrote to memory of 2176	5036	123nguoidu.exe	123nguoidu.exe
PID 5036 wrote to memory of 2176	5036	123nguoidu.exe	123nguoidu.exe
PID 2176 wrote to memory of 4644	2176	123nguoidu.exe	123nguoidu.exe
PID 2176 wrote to memory of 4644	2176	123nguoidu.exe	123nguoidu.exe
PID 2176 wrote to memory of 4644	2176	123nguoidu.exe	123nguoidu.exe
PID 4644 wrote to memory of 2160	4644	123nguoidu.exe	123nguoidu.exe
PID 4644 wrote to memory of 2160	4644	123nguoidu.exe	123nguoidu.exe
PID 4644 wrote to memory of 2160	4644	123nguoidu.exe	123nguoidu.exe
PID 2160 wrote to memory of 964	2160	123nguoidu.exe	123nguoidu.exe
PID 2160 wrote to memory of 964	2160	123nguoidu.exe	123nguoidu.exe
PID 2160 wrote to memory of 964	2160	123nguoidu.exe	123nguoidu.exe
PID 964 wrote to memory of 1396	964	123nguoidu.exe	123nguoidu.exe
PID 964 wrote to memory of 1396	964	123nguoidu.exe	123nguoidu.exe
PID 964 wrote to memory of 1396	964	123nguoidu.exe	123nguoidu.exe
PID 1396 wrote to memory of 4712	1396	123nguoidu.exe	123nguoidu.exe
PID 1396 wrote to memory of 4712	1396	123nguoidu.exe	123nguoidu.exe
PID 1396 wrote to memory of 4712	1396	123nguoidu.exe	123nguoidu.exe
PID 4712 wrote to memory of 3164	4712	123nguoidu.exe	123nguoidu.exe

C:\Users\Admin\AppData\Local\Temp\ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe
"C:\Users\Admin\AppData\Local\Temp\ef4a8006b395b71c81f48b62e403007cefe4e71efcd95d25d8b485066412c9ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
23⤵
- Executes dropped EXE
PID:3164

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
24⤵
- Executes dropped EXE
PID:424

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
25⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
26⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
27⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
28⤵
- Executes dropped EXE
- Modifies WinLogon
PID:1308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
29⤵
- Executes dropped EXE
PID:3076

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
30⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
31⤵
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
32⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
33⤵
- Executes dropped EXE
PID:208

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
34⤵
- Executes dropped EXE
PID:340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
35⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
36⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
37⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
38⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3756

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
39⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
40⤵
- Executes dropped EXE
PID:3620

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
41⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
42⤵
- Executes dropped EXE
- Modifies WinLogon
PID:4340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
43⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
44⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
45⤵
- Executes dropped EXE
- Modifies WinLogon
PID:1928

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
46⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
47⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
48⤵
- Executes dropped EXE
PID:708

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
49⤵
- Executes dropped EXE
PID:2184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
50⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
51⤵
- Executes dropped EXE
- Modifies WinLogon
PID:3688

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
52⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
53⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
54⤵
- Executes dropped EXE
- Adds Run key to start application
PID:836

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
55⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
56⤵
- Executes dropped EXE
PID:1776

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
57⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
58⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
59⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
60⤵
- Executes dropped EXE
PID:4284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
61⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
62⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
63⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
64⤵
- Executes dropped EXE
- Modifies WinLogon
PID:3772

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
65⤵
- Executes dropped EXE
PID:4464

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
66⤵
- Drops file in System32 directory
PID:4112

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
67⤵
PID:1988

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
68⤵
PID:3160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
69⤵
PID:2732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
1⤵
PID:2256

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
2⤵
PID:4428

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
3⤵
PID:3764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
4⤵
PID:1552

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
5⤵
PID:3484

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
6⤵
PID:1452

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
7⤵
PID:3308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
8⤵
PID:4908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
9⤵
PID:3956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
10⤵
PID:4024

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
11⤵
- Modifies WinLogon
PID:2852

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
12⤵
PID:884

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
13⤵
PID:5116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
14⤵
PID:2468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
15⤵
PID:4504

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
16⤵
PID:3388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
17⤵
PID:1168

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
18⤵
PID:2336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
19⤵
PID:5028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
20⤵
PID:4944

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
21⤵
PID:1028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
22⤵
- Drops file in System32 directory
PID:4408

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
23⤵
PID:1980

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
24⤵
- Drops file in System32 directory
PID:1744

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
25⤵
PID:1088

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
26⤵
PID:1220

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
27⤵
PID:2372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
28⤵
PID:4036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
29⤵
- Modifies WinLogon
- Drops file in System32 directory
PID:2316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
30⤵
PID:4848

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
31⤵
PID:3888

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
32⤵
- Adds Run key to start application
PID:4080

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
33⤵
PID:1992

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
34⤵
PID:4536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
35⤵
PID:4308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
36⤵
PID:3212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
37⤵
PID:2792

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
38⤵
PID:3116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
39⤵
PID:828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
40⤵
PID:2032

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
41⤵
PID:3700

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
42⤵
PID:1096

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
43⤵
PID:5108

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
44⤵
PID:4672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
45⤵
PID:1216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
46⤵
PID:4332

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
47⤵
PID:1328

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
48⤵
PID:4216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
49⤵
PID:444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
50⤵
PID:1272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
51⤵
- Adds Run key to start application
PID:992

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
52⤵
PID:1912

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
53⤵
PID:1440

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
54⤵
PID:3360

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
55⤵
- Modifies WinLogon
PID:1492

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
56⤵
- Drops file in System32 directory
PID:3632

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
57⤵
PID:5136

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
58⤵
PID:5152

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
59⤵
PID:5168

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
60⤵
PID:5184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
61⤵
PID:5200

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
62⤵
PID:5216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
63⤵
PID:5232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
64⤵
PID:5244

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
65⤵
PID:5264

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
66⤵
PID:5284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
67⤵
PID:5296

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
68⤵
PID:5316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
69⤵
PID:5332

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
70⤵
PID:5348

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
71⤵
PID:5364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
72⤵
PID:5380

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
73⤵
PID:5396

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
74⤵
PID:5416

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
75⤵
PID:5428

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
76⤵
- Drops file in System32 directory
PID:5448

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
77⤵
PID:5460

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
78⤵
PID:5480

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
79⤵
PID:5492

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
80⤵
PID:5508

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
81⤵
PID:5524

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
82⤵
PID:5540

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
83⤵
PID:5556

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
84⤵
PID:5572

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
85⤵
PID:5592

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
86⤵
PID:5608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
87⤵
PID:5624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
88⤵
PID:5640

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
89⤵
PID:5656

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
90⤵
PID:5668

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
91⤵
PID:5684

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
92⤵
PID:5700

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
93⤵
PID:5720

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
94⤵
PID:5736

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
95⤵
PID:5748

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
96⤵
PID:5764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
97⤵
PID:5784

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
98⤵
PID:5796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
99⤵
PID:5816

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
100⤵
PID:5828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
101⤵
PID:5848

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
102⤵
- Modifies WinLogon
PID:5860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
103⤵
- Drops file in System32 directory
PID:5876

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
104⤵
- Drops file in System32 directory
PID:5896

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
105⤵
PID:5908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
106⤵
PID:5924

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
107⤵
PID:5940

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
108⤵
PID:5956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
109⤵
PID:5976

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
110⤵
PID:5992

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
111⤵
PID:6008

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
112⤵
PID:6020

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
113⤵
PID:6040

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
114⤵
PID:6056

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
115⤵
PID:6072

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
116⤵
PID:6084

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
117⤵
PID:6100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
118⤵
PID:6116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
119⤵
PID:6136

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
120⤵
PID:2924

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
121⤵
PID:4204

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
122⤵
PID:6164

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
123⤵
PID:6180

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
124⤵
PID:6196

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
125⤵
PID:6212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
126⤵
PID:6228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
127⤵
PID:6240

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
128⤵
PID:6260

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
129⤵
PID:6272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
130⤵
PID:6288

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
131⤵
PID:6308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
132⤵
PID:6320

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
133⤵
PID:6336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
134⤵
PID:6352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
135⤵
PID:6372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
136⤵
PID:6388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
137⤵
- Adds Run key to start application
PID:6404

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
138⤵
PID:6420

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
139⤵
PID:6436

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
140⤵
PID:6452

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
141⤵
PID:6468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
142⤵
PID:6484

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
143⤵
PID:6496

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
144⤵
PID:6516

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
145⤵
- Modifies WinLogon
PID:6532

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
146⤵
PID:6548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
147⤵
PID:6564

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
148⤵
PID:6580

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
149⤵
PID:6596

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
150⤵
PID:6612

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
151⤵
PID:6624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
152⤵
PID:6644

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
153⤵
PID:6660

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
154⤵
PID:6672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
155⤵
PID:6692

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
156⤵
PID:6712

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
157⤵
PID:6724

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
158⤵
PID:6744

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
159⤵
PID:6760

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
160⤵
PID:6776

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
161⤵
PID:6788

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
162⤵
PID:6808

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
163⤵
PID:6824

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
164⤵
PID:6840

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
165⤵
PID:6856

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
166⤵
PID:6872

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
167⤵
PID:6888

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
168⤵
PID:6900

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
169⤵
PID:6920

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
170⤵
PID:6936

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
171⤵
PID:6952

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
172⤵
PID:6968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
173⤵
PID:6984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
174⤵
- Drops file in System32 directory
PID:7000

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
175⤵
PID:7016

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
176⤵
- Adds Run key to start application
PID:7032

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
177⤵
PID:7048

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
178⤵
PID:7060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
179⤵
PID:7080

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
180⤵
- Modifies WinLogon
PID:7096

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
181⤵
PID:7112

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
182⤵
PID:7124

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
183⤵
PID:7144

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
184⤵
PID:7160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
185⤵
PID:2340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
186⤵
PID:7184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
187⤵
PID:7200

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
188⤵
PID:7212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
189⤵
PID:7232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
190⤵
PID:7248

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
191⤵
PID:7264

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
192⤵
PID:7276

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
193⤵
PID:7296

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
194⤵
PID:7312

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
195⤵
PID:7328

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
196⤵
PID:7340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
197⤵
PID:7356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
198⤵
PID:7376

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
199⤵
PID:7388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
200⤵
PID:7408

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
201⤵
PID:7424

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
202⤵
PID:7448

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
203⤵
PID:7468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
204⤵
PID:7488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
205⤵
PID:7500

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
206⤵
PID:7520

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
207⤵
PID:7536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
208⤵
PID:7548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
209⤵
PID:7564

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
210⤵
PID:7584

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
211⤵
PID:7600

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
212⤵
PID:7616

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
213⤵
PID:7632

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
214⤵
PID:7648

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
215⤵
PID:7660

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
216⤵
PID:7680

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
217⤵
PID:7692

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
218⤵
- Modifies WinLogon
PID:7712

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
219⤵
PID:7732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
220⤵
PID:7748

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
221⤵
PID:7764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
222⤵
PID:7788

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
223⤵
PID:7812

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
224⤵
PID:7828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
225⤵
PID:7844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
226⤵
PID:7864

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
227⤵
PID:7876

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
228⤵
PID:7904

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
229⤵
PID:7920

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
230⤵
PID:7936

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
231⤵
PID:7956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
232⤵
PID:7972

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
233⤵
PID:7992

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
234⤵
PID:8008

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
235⤵
PID:8024

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
236⤵
PID:8036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
237⤵
PID:8052

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
238⤵
PID:8072

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
239⤵
PID:8088

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
240⤵
PID:8104

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
241⤵
PID:8120

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
242⤵
PID:8140

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
243⤵
PID:8156

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
244⤵
PID:8176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
245⤵
PID:7932

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
246⤵
PID:8212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
247⤵
PID:8228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
248⤵
PID:8240

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
249⤵
PID:8260

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
250⤵
PID:8276

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
251⤵
PID:8292

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
252⤵
PID:8308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
253⤵
- Adds Run key to start application
PID:8324

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
254⤵
PID:8340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
255⤵
- Drops file in System32 directory
PID:8356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
256⤵
PID:8372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
257⤵
PID:8388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
258⤵
PID:8404

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
259⤵
PID:8420

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
260⤵
- Adds Run key to start application
PID:8436

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
261⤵
PID:8452

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
262⤵
PID:8468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
263⤵
PID:8484

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
264⤵
- Adds Run key to start application
PID:8496

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
265⤵
PID:8512

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
266⤵
PID:8528

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
267⤵
PID:8544

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
268⤵
PID:8564

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
269⤵
PID:8580

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
270⤵
PID:8596

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
271⤵
PID:8612

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
272⤵
PID:8628

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
273⤵
PID:8648

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
274⤵
PID:8664

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
275⤵
PID:8680

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
276⤵
PID:8696

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
277⤵
PID:8708

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
278⤵
PID:8728

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
279⤵
PID:8740

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
280⤵
PID:8760

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
281⤵
PID:8772

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
282⤵
PID:8792

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
283⤵
PID:8808

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
284⤵
PID:8820

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
285⤵
PID:8836

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
286⤵
PID:8856

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
287⤵
PID:8872

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
288⤵
PID:8888

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
289⤵
PID:8900

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
290⤵
- Modifies WinLogon
PID:8916

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
291⤵
PID:8936

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
292⤵
PID:8952

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
293⤵
PID:8968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
294⤵
PID:8984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
295⤵
PID:8996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
296⤵
PID:9016

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
297⤵
PID:9028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
298⤵
PID:9048

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
299⤵
- Drops file in System32 directory
PID:9064

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
300⤵
- Modifies WinLogon
PID:9084

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
301⤵
PID:9108

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
302⤵
PID:9132

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
303⤵
PID:9160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
304⤵
PID:9176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
305⤵
PID:9192

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
306⤵
PID:9204

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
307⤵
PID:9100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
308⤵
PID:9228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
309⤵
PID:9244

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
310⤵
PID:9260

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
311⤵
PID:9276

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
312⤵
PID:9292

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
313⤵
PID:9308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
314⤵
PID:9324

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
315⤵
PID:9340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
316⤵
PID:9356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
317⤵
- Adds Run key to start application
PID:9372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
318⤵
PID:9388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
319⤵
PID:9400

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
320⤵
PID:9420

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
321⤵
PID:9436

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
322⤵
- Adds Run key to start application
PID:9452

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
323⤵
PID:9468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
324⤵
PID:9484

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
325⤵
PID:9500

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
326⤵
PID:9516

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
327⤵
PID:9528

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
328⤵
PID:9548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
329⤵
PID:9564

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
330⤵
PID:9576

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
331⤵
PID:9592

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
332⤵
PID:9608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
333⤵
- Modifies WinLogon
PID:9628

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
334⤵
PID:9640

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
335⤵
PID:9660

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
336⤵
PID:9672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
337⤵
PID:9688

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
338⤵
- Drops file in System32 directory
PID:9708

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
339⤵
PID:9724

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
340⤵
PID:9740

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
341⤵
PID:9756

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
342⤵
PID:9768

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
343⤵
PID:9788

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
344⤵
PID:9804

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
345⤵
PID:9820

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
346⤵
PID:9836

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
347⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:9852

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
348⤵
PID:9864

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
349⤵
PID:9884

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
350⤵
PID:9900

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
351⤵
PID:9912

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
352⤵
PID:9928

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
353⤵
PID:9944

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
354⤵
PID:9968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
355⤵
PID:9984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
356⤵
PID:9996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
357⤵
PID:10012

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
358⤵
PID:10028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
359⤵
PID:10044

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
360⤵
PID:10064

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
361⤵
PID:10080

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
362⤵
PID:10096

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
363⤵
PID:10108

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
364⤵
PID:10124

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
365⤵
PID:10144

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
366⤵
PID:10160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
367⤵
PID:10176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
368⤵
PID:10192

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
369⤵
PID:10212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
370⤵
PID:10228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
371⤵
PID:3468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
372⤵
PID:10268

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
373⤵
PID:10296

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
374⤵
PID:10328

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
375⤵
PID:10340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
376⤵
PID:10356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
377⤵
PID:10376

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
378⤵
PID:10392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
379⤵
PID:10408

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
380⤵
PID:10428

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
381⤵
PID:10444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
382⤵
PID:10460

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
383⤵
- Modifies WinLogon
- Drops file in System32 directory
PID:10472

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
384⤵
PID:10488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
385⤵
PID:10504

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
386⤵
- Modifies WinLogon
PID:10520

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
387⤵
PID:10536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
388⤵
PID:10556

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
389⤵
PID:10572

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
390⤵
PID:10588

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
391⤵
PID:10604

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
392⤵
PID:10620

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
393⤵
PID:10636

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
394⤵
PID:10648

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
395⤵
PID:10668

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
396⤵
PID:10684

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
397⤵
PID:10700

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
398⤵
PID:10716

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
399⤵
PID:10732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
400⤵
PID:10748

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
401⤵
PID:10760

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
402⤵
- Drops file in System32 directory
PID:10780

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
403⤵
PID:10792

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
404⤵
PID:10812

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
405⤵
- Adds Run key to start application
PID:10828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
406⤵
PID:10844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
407⤵
PID:10860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
408⤵
PID:10876

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
409⤵
PID:10892

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
410⤵
PID:10908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
411⤵
PID:10920

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
412⤵
PID:10940

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
413⤵
- Adds Run key to start application
PID:10964

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
414⤵
PID:10988

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
415⤵
PID:11000

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
416⤵
PID:11016

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
417⤵
- Drops file in System32 directory
PID:11036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
418⤵
PID:11056

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
419⤵
PID:11084

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
420⤵
PID:11116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
421⤵
PID:11144

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
422⤵
PID:11160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
423⤵
PID:11176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
424⤵
PID:11196

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
425⤵
PID:11208

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
426⤵
- Modifies WinLogon
PID:11236

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
427⤵
PID:10260

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
428⤵
PID:11272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
429⤵
PID:11292

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
430⤵
PID:11308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
431⤵
- Adds Run key to start application
PID:11324

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
432⤵
PID:11336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
433⤵
PID:11364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
434⤵
PID:11384

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
435⤵
PID:11412

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
436⤵
PID:11428

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
437⤵
PID:11448

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
438⤵
PID:11472

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
439⤵
PID:11488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
440⤵
PID:11508

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
441⤵
PID:11520

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
442⤵
- Adds Run key to start application
PID:11536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
443⤵
PID:11560

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
444⤵
PID:11580

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
445⤵
PID:11596

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
446⤵
PID:11612

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
447⤵
PID:11632

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
448⤵
PID:11644

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
449⤵
PID:11664

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
450⤵
PID:11676

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
451⤵
PID:11696

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
452⤵
PID:11712

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
453⤵
PID:11740

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
454⤵
PID:11756

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
455⤵
PID:11768

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
456⤵
PID:11784

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
457⤵
PID:11800

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
458⤵
PID:11820

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
459⤵
- Adds Run key to start application
PID:11836

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
460⤵
- Modifies WinLogon
PID:11852

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
461⤵
- Drops file in System32 directory
PID:11872

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
462⤵
PID:11900

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
463⤵
PID:11916

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
464⤵
PID:11932

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
465⤵
PID:11952

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
466⤵
PID:11968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
467⤵
PID:11984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
468⤵
PID:12012

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
469⤵
PID:12032

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
470⤵
PID:12044

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
471⤵
PID:12060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
472⤵
PID:12088

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
473⤵
PID:12104

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
474⤵
PID:12120

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
475⤵
PID:12136

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
476⤵
PID:12152

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
477⤵
PID:12168

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
478⤵
PID:12184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
479⤵
PID:12200

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
480⤵
PID:12212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
481⤵
PID:12228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
482⤵
PID:12248

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
483⤵
PID:12264

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
484⤵
PID:12280

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
485⤵
PID:11884

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
486⤵
PID:12084

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
487⤵
PID:12300

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
488⤵
PID:12320

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
489⤵
PID:12336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
490⤵
PID:12352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
491⤵
PID:12368

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
492⤵
PID:12388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
493⤵
- Drops file in System32 directory
PID:12404

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
494⤵
- Adds Run key to start application
PID:12424

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
495⤵
PID:12440

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
496⤵
PID:12456

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
497⤵
PID:12472

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
498⤵
PID:12484

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
499⤵
PID:12504

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
500⤵
PID:12520

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
501⤵
PID:12536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
502⤵
- Modifies WinLogon
PID:12560

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
503⤵
PID:12580

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
504⤵
PID:12592

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
505⤵
- Adds Run key to start application
PID:12608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
506⤵
PID:12624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
507⤵
PID:12640

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
508⤵
PID:12656

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
509⤵
- Modifies WinLogon
PID:12676

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
510⤵
PID:12692

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
511⤵
PID:12708

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
512⤵
PID:12724

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
513⤵
PID:12736

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
514⤵
PID:12756

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
515⤵
PID:12780

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
516⤵
PID:12796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
517⤵
PID:12808

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
518⤵
PID:12824

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
519⤵
PID:12844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
520⤵
PID:12856

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
521⤵
PID:12872

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
522⤵
- Drops file in System32 directory
PID:12892

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
523⤵
PID:12908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
524⤵
PID:12920

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
525⤵
PID:12940

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
526⤵
PID:12956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
527⤵
PID:12976

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
528⤵
PID:12996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
529⤵
PID:13020

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
530⤵
PID:13036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
531⤵
PID:13048

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
532⤵
PID:13068

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
533⤵
PID:13084

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
534⤵
PID:13100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
535⤵
PID:13124

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
536⤵
PID:13136

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
537⤵
PID:13164

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
538⤵
PID:13184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
539⤵
PID:13212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
540⤵
PID:13232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
541⤵
PID:13256

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
542⤵
PID:13268

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
543⤵
PID:13284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
544⤵
PID:13304

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
545⤵
PID:12396

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
546⤵
PID:12776

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
547⤵
- Adds Run key to start application
PID:13240

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
548⤵
PID:13324

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
549⤵
PID:13340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
550⤵
- Drops file in System32 directory
PID:13364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
551⤵
PID:13380

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
552⤵
PID:13392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
553⤵
PID:13412

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
554⤵
PID:13424

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
555⤵
PID:13440

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
556⤵
PID:13460

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
557⤵
PID:13476

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
558⤵
PID:13488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
559⤵
PID:13508

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
560⤵
PID:13524

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
561⤵
PID:13548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
562⤵
PID:13560

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
563⤵
PID:13580

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
564⤵
PID:13596

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
565⤵
PID:13612

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
566⤵
PID:13628

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
567⤵
PID:13648

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
568⤵
PID:13664

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
569⤵
PID:13684

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
570⤵
PID:13700

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
571⤵
PID:13716

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
572⤵
PID:13732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
573⤵
PID:13744

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
574⤵
PID:13764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
575⤵
PID:13780

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
576⤵
PID:13796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
577⤵
PID:13808

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
578⤵
PID:13828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
579⤵
PID:13844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
580⤵
PID:13860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
581⤵
- Drops file in System32 directory
PID:13880

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
582⤵
PID:13900

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
583⤵
- Adds Run key to start application
PID:13916

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
584⤵
PID:13928

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
585⤵
PID:13944

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
586⤵
PID:13964

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
587⤵
PID:13980

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
588⤵
PID:13996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
589⤵
PID:14008

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
590⤵
PID:14028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
591⤵
PID:14044

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
592⤵
- Modifies WinLogon
PID:14060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
593⤵
PID:14076

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
594⤵
PID:14092

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
595⤵
PID:14116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
596⤵
PID:14132

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
597⤵
PID:14148

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
598⤵
PID:14164

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
599⤵
PID:14180

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
600⤵
PID:14196

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
601⤵
PID:14212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
602⤵
- Modifies WinLogon
PID:14228

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
603⤵
PID:14244

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
604⤵
PID:14256

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
605⤵
PID:14272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
606⤵
PID:14288

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
607⤵
PID:14308

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
608⤵
PID:14324

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
609⤵
PID:13544

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
610⤵
PID:13872

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
611⤵
PID:4688

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
612⤵
PID:14344

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
613⤵
PID:14360

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
614⤵
PID:14376

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
615⤵
PID:14392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
616⤵
PID:14408

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
617⤵
PID:14424

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
618⤵
PID:14444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
619⤵
PID:14464

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
620⤵
- Drops file in System32 directory
PID:14480

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
621⤵
PID:14492

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
622⤵
PID:14512

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
623⤵
PID:14528

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
624⤵
PID:14540

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
625⤵
PID:14556

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
626⤵
PID:14572

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
627⤵
PID:14600

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
628⤵
PID:14616

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
629⤵
PID:14628

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
630⤵
- Drops file in System32 directory
PID:14648

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
631⤵
PID:14660

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
632⤵
PID:14684

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
633⤵
PID:14704

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
634⤵
PID:14728

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
635⤵
PID:14744

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
636⤵
PID:14756

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
637⤵
PID:14776

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
638⤵
PID:14800

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
639⤵
PID:14824

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
640⤵
PID:14848

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
641⤵
PID:14860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
642⤵
PID:14880

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
643⤵
PID:14896

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
644⤵
PID:14928

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
645⤵
PID:14948

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
646⤵
PID:14960

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
647⤵
PID:14988

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
648⤵
PID:15020

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
649⤵
PID:15060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
650⤵
PID:15092

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
651⤵
PID:15108

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
652⤵
- Adds Run key to start application
PID:15128

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
653⤵
PID:15148

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
654⤵
PID:15172

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
655⤵
PID:15188

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
656⤵
- Modifies WinLogon
PID:15204

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
1⤵
PID:15216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
2⤵
PID:15236

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
3⤵
PID:15252

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
4⤵
PID:15268

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
5⤵
PID:15284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
6⤵
PID:15300

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
7⤵
PID:15316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
8⤵
PID:15340

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
9⤵
PID:15356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
10⤵
PID:14588

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
11⤵
PID:14968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
12⤵
PID:15364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
13⤵
PID:15376

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
14⤵
PID:15392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
15⤵
PID:15408

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
16⤵
PID:15428

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
17⤵
PID:15444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
18⤵
PID:15460

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
19⤵
PID:15476

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
20⤵
PID:15488

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
21⤵
PID:15504

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
22⤵
PID:15524

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
23⤵
PID:15548

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
24⤵
PID:15564

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
25⤵
PID:15584

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
26⤵
PID:15600

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
27⤵
PID:15620

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
28⤵
PID:15640

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
29⤵
PID:15656

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
30⤵
PID:15672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
31⤵
PID:15684

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
32⤵
PID:15700

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
33⤵
PID:15716

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
34⤵
PID:15736

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
35⤵
PID:15752

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
36⤵
PID:15764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
37⤵
PID:15780

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
38⤵
PID:15800

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
39⤵
PID:15812

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
40⤵
PID:15832

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
41⤵
PID:15856

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
42⤵
PID:15868

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
43⤵
PID:15884

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
44⤵
PID:15904

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
45⤵
PID:15920

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
46⤵
PID:15936

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
47⤵
PID:15952

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
48⤵
PID:15968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
49⤵
PID:15984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
50⤵
PID:16004

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
51⤵
- Drops file in System32 directory
PID:16020

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
52⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:16036

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
53⤵
PID:16052

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
54⤵
PID:16068

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
55⤵
PID:16088

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
56⤵
- Adds Run key to start application
PID:16104

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
57⤵
PID:16116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
58⤵
PID:16132

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
59⤵
PID:16152

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
60⤵
- Modifies WinLogon
PID:16168

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
61⤵
PID:16184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
1⤵
- Modifies WinLogon
PID:16200

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
2⤵
PID:16212

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
3⤵
PID:16232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
4⤵
PID:16248

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
5⤵
PID:16264

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
6⤵
PID:16276

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
7⤵
PID:16304

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
8⤵
PID:16320

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
9⤵
PID:16332

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
10⤵
- Adds Run key to start application
PID:16352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
11⤵
PID:16364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
12⤵
PID:15532

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
13⤵
PID:15844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
14⤵
PID:16396

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
15⤵
PID:16412

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
16⤵
- Adds Run key to start application
PID:16432

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
17⤵
PID:16448

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
18⤵
PID:16464

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
19⤵
PID:16480

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
1⤵
- Adds Run key to start application
PID:16496

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
2⤵
PID:16512

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
3⤵
- Modifies WinLogon
PID:16528

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
4⤵
PID:16540

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
5⤵
PID:16560

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
6⤵
- Drops file in System32 directory
PID:16576

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
7⤵
PID:16592

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
8⤵
- Adds Run key to start application
PID:16608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
9⤵
PID:16624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
10⤵
PID:16636

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
11⤵
PID:16656

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
12⤵
PID:16672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
13⤵
PID:16688

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
14⤵
PID:16704

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
15⤵
PID:16720

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
16⤵
- Modifies WinLogon
PID:16732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
17⤵
PID:16748

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
18⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:16764

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
19⤵
PID:16784

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
20⤵
PID:16796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
21⤵
PID:16812

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
22⤵
PID:16832

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
23⤵
PID:16848

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
24⤵
PID:16864

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
25⤵
PID:16876

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
26⤵
PID:16896

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
27⤵
PID:16912

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
28⤵
PID:16928

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
29⤵
PID:16940

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
30⤵
PID:16956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
31⤵
PID:16972

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
32⤵
PID:16992

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
33⤵
PID:17004

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
34⤵
PID:17024

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
35⤵
PID:17040

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
36⤵
PID:17056

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
37⤵
PID:17072

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
38⤵
PID:17088

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
39⤵
PID:17100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
40⤵
PID:17116

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
41⤵
PID:17132

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
42⤵
PID:17152

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
43⤵
PID:17168

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
44⤵
PID:17184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
45⤵
PID:17204

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
46⤵
PID:17220

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
47⤵
PID:17232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
48⤵
PID:17252

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
49⤵
PID:17264

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
50⤵
PID:17284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
51⤵
PID:17300

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
52⤵
PID:17316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
53⤵
PID:17332

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
54⤵
PID:17344

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
55⤵
PID:17364

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
56⤵
PID:17380

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
57⤵
PID:17392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
58⤵
PID:17416

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
59⤵
PID:17432

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
60⤵
- Modifies WinLogon
PID:17448

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
61⤵
PID:17464

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
62⤵
PID:17476

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
63⤵
PID:17496

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
64⤵
PID:17508

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
65⤵
PID:17524

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
66⤵
PID:17544

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
67⤵
- Modifies WinLogon
PID:17556

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
68⤵
PID:17576

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
69⤵
PID:17592

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
70⤵
PID:17608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
71⤵
PID:17624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
72⤵
PID:17640

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
73⤵
PID:17656

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
74⤵
- Modifies WinLogon
PID:17672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
75⤵
PID:17688

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
76⤵
PID:17704

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
77⤵
PID:17720

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
78⤵
PID:17736

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
79⤵
- Modifies WinLogon
PID:17752

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
80⤵
PID:17768

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
81⤵
PID:17784

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
82⤵
PID:17796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
83⤵
- Drops file in System32 directory
PID:17816

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
84⤵
PID:17832

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
85⤵
PID:17848

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
86⤵
PID:17864

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
87⤵
PID:17880

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
88⤵
PID:17896

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
89⤵
PID:17908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
90⤵
PID:17924

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
91⤵
PID:17944

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
92⤵
PID:17968

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
93⤵
PID:17984

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
94⤵
PID:17996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
95⤵
PID:18016

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
96⤵
PID:18032

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
97⤵
PID:18044

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
98⤵
PID:18060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
99⤵
PID:18080

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
100⤵
PID:18092

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
101⤵
PID:18112

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
102⤵
- Modifies WinLogon
PID:18128

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
103⤵
PID:18144

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
104⤵
PID:18160

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
105⤵
- Modifies WinLogon
PID:18176

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
106⤵
PID:18192

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
107⤵
PID:18208

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
108⤵
PID:18224

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
109⤵
PID:18240

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
110⤵
PID:18256

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
111⤵
PID:18272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
112⤵
PID:18296

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
113⤵
PID:18320

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
114⤵
- Modifies WinLogon
PID:18336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
115⤵
PID:18352

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
116⤵
PID:18372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
117⤵
PID:18388

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
118⤵
PID:18420

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
119⤵
PID:11372

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
120⤵
PID:18444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
121⤵
PID:18468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
122⤵
PID:18496

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
123⤵
PID:18536

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
124⤵
PID:18552

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
125⤵
PID:18568

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
126⤵
PID:18588

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
127⤵
- Modifies WinLogon
PID:18604

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
128⤵
PID:18620

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
129⤵
PID:18660

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
130⤵
PID:18676

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
131⤵
PID:18692

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
132⤵
- Modifies WinLogon
PID:18708

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
133⤵
PID:18740

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
134⤵
PID:18752

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
135⤵
- Adds Run key to start application
PID:18772

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
136⤵
PID:18788

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
137⤵
PID:18804

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
138⤵
PID:18828

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
139⤵
PID:18844

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
140⤵
PID:18860

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
141⤵
PID:18880

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
142⤵
PID:18896

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
143⤵
PID:18924

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
144⤵
PID:18940

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
145⤵
PID:18956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
146⤵
PID:18976

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
147⤵
PID:18996

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
148⤵
PID:19012

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
149⤵
PID:19024

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
150⤵
PID:19040

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
151⤵
PID:19060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
152⤵
PID:19076

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
153⤵
PID:19092

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
154⤵
PID:19108

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
155⤵
PID:19124

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
156⤵
PID:19140

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
157⤵
PID:19156

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
158⤵
PID:19172

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
159⤵
PID:19216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
160⤵
PID:19232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
161⤵
PID:19248

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
162⤵
PID:19272

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
163⤵
PID:19288

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
164⤵
- Adds Run key to start application
PID:19304

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
165⤵
PID:19316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
166⤵
PID:19332

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
167⤵
PID:19348

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
168⤵
PID:19368

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
169⤵
PID:19380

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
170⤵
PID:19400

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
171⤵
PID:19412

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
172⤵
PID:19432

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
173⤵
PID:19444

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
174⤵
- Modifies WinLogon
PID:4100

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
175⤵
PID:1356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
176⤵
PID:19468

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
177⤵
PID:19492

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
178⤵
PID:19508

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
179⤵
PID:19544

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
180⤵
PID:19576

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
181⤵
PID:19608

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
182⤵
PID:19624

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
183⤵
PID:19636

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
184⤵
- Adds Run key to start application
PID:19672

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
185⤵
PID:19704

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
186⤵
PID:19720

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
187⤵
PID:19732

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
188⤵
PID:19752

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
189⤵
PID:19776

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
190⤵
- Modifies WinLogon
PID:19796

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
191⤵
PID:19816

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
192⤵
PID:19852

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
193⤵
PID:19868

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
194⤵
- Drops file in System32 directory
PID:19888

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
195⤵
PID:19908

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
196⤵
PID:19932

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
197⤵
PID:19956

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
198⤵
PID:19988

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
199⤵
PID:20004

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
200⤵
PID:20028

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
201⤵
PID:20060

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
202⤵
PID:20080

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
203⤵
PID:20096

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
204⤵
PID:20132

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
205⤵
PID:20152

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
206⤵
PID:20184

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
207⤵
PID:20196

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
208⤵
PID:20216

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
209⤵
PID:20232

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
210⤵
PID:20252

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
211⤵
PID:20268

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
212⤵
PID:20284

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
213⤵
PID:20300

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
214⤵
PID:20316

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
215⤵
PID:20336

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
216⤵
PID:20356

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
217⤵
PID:20392

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
218⤵
PID:20416

C:\Windows\SysWOW64\123nguoidu.exe
C:\Windows\system32\123nguoidu.exe
219⤵
PID:20432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
C:\Windows\SysWOW64\123nguoidu.exe

Filesize
28KB

MD5
8c8000b6757676beddf216e779129c71

SHA1
6dec82dc034df3cb5ff794e7d7443bf2fc563a02

SHA256
9ed6115bbe6c79d886b0cab966414598326cf52c88e1730ef6706b86345b1263

SHA512
72b5320ad969d4b85f9f1467004ffa931efcd93aa60e42e4c976c8cba3bf84926a72a241369fc868411988049f497676c11914577ed13ba8fdb271d3b5d2f177

Download Submit
memory/208-195-0x0000000000000000-mapping.dmp

Download
memory/340-197-0x0000000000000000-mapping.dmp

Download
memory/372-235-0x0000000000000000-mapping.dmp

Download
memory/424-177-0x0000000000000000-mapping.dmp

Download
memory/708-225-0x0000000000000000-mapping.dmp

Download
memory/836-237-0x0000000000000000-mapping.dmp

Download
memory/964-169-0x0000000000000000-mapping.dmp

Download
memory/1004-149-0x0000000000000000-mapping.dmp

Download
memory/1224-221-0x0000000000000000-mapping.dmp

Download
memory/1308-185-0x0000000000000000-mapping.dmp

Download
memory/1380-139-0x0000000000000000-mapping.dmp

Download
memory/1396-171-0x0000000000000000-mapping.dmp

Download
memory/1548-203-0x0000000000000000-mapping.dmp

Download
memory/1608-147-0x0000000000000000-mapping.dmp

Download
memory/1776-241-0x0000000000000000-mapping.dmp

Download
memory/1792-223-0x0000000000000000-mapping.dmp

Download
memory/1800-179-0x0000000000000000-mapping.dmp

Download
memory/1928-219-0x0000000000000000-mapping.dmp

Download
memory/2092-183-0x0000000000000000-mapping.dmp

Download
memory/2136-193-0x0000000000000000-mapping.dmp

Download
memory/2160-167-0x0000000000000000-mapping.dmp

Download
memory/2176-163-0x0000000000000000-mapping.dmp

Download
memory/2184-227-0x0000000000000000-mapping.dmp

Download
memory/2352-143-0x0000000000000000-mapping.dmp

Download
memory/2600-199-0x0000000000000000-mapping.dmp

Download
memory/2808-189-0x0000000000000000-mapping.dmp

Download
memory/3036-132-0x0000000000000000-mapping.dmp

Download
memory/3076-187-0x0000000000000000-mapping.dmp

Download
memory/3164-175-0x0000000000000000-mapping.dmp

Download
memory/3316-181-0x0000000000000000-mapping.dmp

Download
memory/3416-141-0x0000000000000000-mapping.dmp

Download
memory/3488-211-0x0000000000000000-mapping.dmp

Download
memory/3520-191-0x0000000000000000-mapping.dmp

Download
memory/3620-209-0x0000000000000000-mapping.dmp

Download
memory/3688-231-0x0000000000000000-mapping.dmp

Download
memory/3732-229-0x0000000000000000-mapping.dmp

Download
memory/3736-243-0x0000000000000000-mapping.dmp

Download
memory/3756-205-0x0000000000000000-mapping.dmp

Download
memory/3772-257-0x0000000000000000-mapping.dmp

Download
memory/3860-207-0x0000000000000000-mapping.dmp

Download
memory/4000-247-0x0000000000000000-mapping.dmp

Download
memory/4284-249-0x0000000000000000-mapping.dmp

Download
memory/4340-213-0x0000000000000000-mapping.dmp

Download
memory/4348-155-0x0000000000000000-mapping.dmp

Download
memory/4352-145-0x0000000000000000-mapping.dmp

Download
memory/4364-217-0x0000000000000000-mapping.dmp

Download
memory/4464-259-0x0000000000000000-mapping.dmp

Download
memory/4552-239-0x0000000000000000-mapping.dmp

Download
memory/4556-253-0x0000000000000000-mapping.dmp

Download
memory/4596-255-0x0000000000000000-mapping.dmp

Download
memory/4628-153-0x0000000000000000-mapping.dmp

Download
memory/4644-165-0x0000000000000000-mapping.dmp

Download
memory/4704-135-0x0000000000000000-mapping.dmp

Download
memory/4712-173-0x0000000000000000-mapping.dmp

Download
memory/4788-245-0x0000000000000000-mapping.dmp

Download
memory/4812-201-0x0000000000000000-mapping.dmp

Download
memory/4924-233-0x0000000000000000-mapping.dmp

Download
memory/5008-159-0x0000000000000000-mapping.dmp

Download
memory/5016-215-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000000000-mapping.dmp

Download
memory/5036-161-0x0000000000000000-mapping.dmp

Download
memory/5100-157-0x0000000000000000-mapping.dmp

Download
memory/5104-251-0x0000000000000000-mapping.dmp

Download
memory/5112-151-0x0000000000000000-mapping.dmp

Download