6cd786392b8638f5b1fba03e9d741493464e288f620488c822661ac6b7489607

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.af8aca9285614dc33218467a9ea823f0.exe
Size

181KB
MD5

af8aca9285614dc33218467a9ea823f0
SHA1

c83f789ab76096d02a3a5d74b065911ecf8e48d8
SHA256

6cd786392b8638f5b1fba03e9d741493464e288f620488c822661ac6b7489607
SHA512

b9cf0d83a7cdd9573f6c8b7b59e768e1f9e6d542f81b528662d460c876ef38dfa37b62de0ac54000f9559131bbe296a491835a3d72c49055c95cd6a7472d1335
SSDEEP

3072:W9xboymfDrFDHZtOg6r4BrOMvMha4FADrFDHZtOg:22ymt5tT6rkOM0hbFY5tT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lelchgne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklbmllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiejmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbolp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjepjkhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoipb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bokehc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhijqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knkekn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnpofnhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdckaeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojcjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoekia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qljjjqlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agiamhdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inomhbeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoipb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noeahkfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fonnop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhlpfgbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lelchgne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iqklon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjnmpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlkngo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nipekiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbfpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlpfgbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebmekoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohgoaehe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okchnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pllgnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fojedapj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbnkonbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhmofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Licfngjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kndojobi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhkikq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkllnbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neppokal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe

Executes dropped EXE 64 IoCs

pid	Process
4108	Ldleel32.exe
3400	Llgjjnlj.exe
3736	Lgmngglp.exe
4772	Lpebpm32.exe
2604	Lphoelqn.exe
4876	Mmlpoqpg.exe
4944	Mgddhf32.exe
3068	Mlcifmbl.exe
2884	Migjoaaf.exe
4352	Menjdbgj.exe
1136	Ncbknfed.exe
1916	Ncdgcf32.exe
2560	Nphhmj32.exe
2184	Njqmepik.exe
1236	Nfgmjqop.exe
1452	Ndhmhh32.exe
4928	Oponmilc.exe
1488	Oflgep32.exe
1960	Odmgcgbi.exe
1404	Oneklm32.exe
3640	Ojllan32.exe
2720	Ogpmjb32.exe
1752	Onjegled.exe
4664	Pnlaml32.exe
744	Pdfjifjo.exe
4148	Cegdnopg.exe
5016	Djdmffnn.exe
4408	Djgjlelk.exe
4840	Delnin32.exe
4652	Dkifae32.exe
2372	Daconoae.exe
4800	Dkkcge32.exe
3340	Dhocqigp.exe
3704	Eecdjmfi.exe
2816	Egdqae32.exe
5068	Eajeon32.exe
1448	Ekbihd32.exe
816	Edknqiho.exe
5064	Eopbnbhd.exe
932	Eglgbdep.exe
4596	Eemgplno.exe
3840	Eoekia32.exe
1268	Fkllnbjc.exe
4752	Fojedapj.exe
3828	Fdfmlhna.exe
4048	Fonnop32.exe
540	Fdkggg32.exe
2552	Fkeodaai.exe
4880	Ghipne32.exe
3088	Gnfhfl32.exe
992	Ghklce32.exe
3956	Goedpofl.exe
984	Gdbmhf32.exe
3720	Mbognp32.exe
560	Nhlpfgbb.exe
2152	Neppokal.exe
2040	Nohehq32.exe
4288	Nebmekoi.exe
2140	Nojanpej.exe
1896	Nipekiep.exe
2848	Nomncpcg.exe
1648	Nplkmckj.exe
3700	Ohgoaehe.exe
1904	Ocmconhk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omdppiif.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	NEAS.af8aca9285614dc33218467a9ea823f0.exe
File created	C:\Windows\SysWOW64\Kamojc32.dll	Iqklon32.exe
File opened for modification	C:\Windows\SysWOW64\Okchnk32.exe	Nefped32.exe
File created	C:\Windows\SysWOW64\Fclbolkk.dll	Jjjghcfp.exe
File created	C:\Windows\SysWOW64\Nijeec32.exe	Noeahkfc.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Mmpmnl32.exe
File opened for modification	C:\Windows\SysWOW64\Fojedapj.exe	Fkllnbjc.exe
File created	C:\Windows\SysWOW64\Ndqojdee.dll	Nclbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kndojobi.exe	Kgjgne32.exe
File created	C:\Windows\SysWOW64\Aknbkjfh.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Mnphmkji.exe	Mhfppabl.exe
File opened for modification	C:\Windows\SysWOW64\Meepdp32.exe	Lenicahg.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ojnblg32.exe	Oohnonij.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Mgeakekd.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	NEAS.af8aca9285614dc33218467a9ea823f0.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Jbiejoaj.exe	Jjamia32.exe
File created	C:\Windows\SysWOW64\Nefped32.exe	Nbgcih32.exe
File created	C:\Windows\SysWOW64\Diinlj32.dll	Coohhlpe.exe
File opened for modification	C:\Windows\SysWOW64\Oohnonij.exe	Ogmijllo.exe
File created	C:\Windows\SysWOW64\Naaqofgj.exe	Mifljdjo.exe
File created	C:\Windows\SysWOW64\Cmakeiil.dll	Nlkngo32.exe
File created	C:\Windows\SysWOW64\Jnpfop32.exe	Jgenbfoa.exe
File created	C:\Windows\SysWOW64\Lgkpdcmi.exe	Lelchgne.exe
File opened for modification	C:\Windows\SysWOW64\Objpoh32.exe	Okchnk32.exe
File created	C:\Windows\SysWOW64\Jkccmkel.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fnknamej.dll	Jhijqj32.exe
File created	C:\Windows\SysWOW64\Majjng32.exe	Mnlnbl32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Ibdlakbf.dll	Gbalopbn.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Jajoep32.dll	Agdhbi32.exe
File created	C:\Windows\SysWOW64\Fgibng32.dll	Leopnglc.exe
File opened for modification	C:\Windows\SysWOW64\Ogmijllo.exe	Olgemcli.exe
File opened for modification	C:\Windows\SysWOW64\Ahchda32.exe	Agbkmijg.exe
File created	C:\Windows\SysWOW64\Akqfkp32.exe	Pldcjeia.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Glojhi32.dll	Eemgplno.exe
File opened for modification	C:\Windows\SysWOW64\Idkkpf32.exe	Iphioh32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Knhcpa32.dll	Oldamm32.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	NEAS.af8aca9285614dc33218467a9ea823f0.exe
File opened for modification	C:\Windows\SysWOW64\Idkbkl32.exe	Inainbcn.exe
File created	C:\Windows\SysWOW64\Mbbiec32.dll	Aajohjon.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qmeigg32.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nhkikq32.exe	Naaqofgj.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ejiofjji.dll	Edknqiho.exe
File created	C:\Windows\SysWOW64\Ghipne32.exe	Fkeodaai.exe
File created	C:\Windows\SysWOW64\Dajkgl32.dll	Jbfheo32.exe
File opened for modification	C:\Windows\SysWOW64\Jnpfop32.exe	Jgenbfoa.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Aokkahlo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3692	5388	WerFault.exe	363

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpfkn32.dll"	Eecdjmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmdfppj.dll"	Fonnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhmofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll"	Cfipef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppajlp32.dll"	Mhafeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naaqofgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjffdalb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll"	Mniallpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akhkncql.dll"	Dkahilkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlkngo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eecdjmfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nojanpej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekodjiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibffdoal.dll"	Ookjdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjamia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhijqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naaqofgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbognp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oblmdhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmpjoao.dll"	Mbognp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agbkmijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqklon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjamia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkccmkel.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeleklf.dll"	Lgkpdcmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfbobf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldqfd32.dll"	Ojbacd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjpbg32.dll"	Eglgbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfillg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbehoafp.dll"	Qgnbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll"	Ljbfpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nndjndbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkganhnq.dll"	Kgopidgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll"	Iphioh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4108	4388	NEAS.af8aca9285614dc33218467a9ea823f0.exe	85
PID 4388 wrote to memory of 4108	4388	NEAS.af8aca9285614dc33218467a9ea823f0.exe	85
PID 4388 wrote to memory of 4108	4388	NEAS.af8aca9285614dc33218467a9ea823f0.exe	85
PID 4108 wrote to memory of 3400	4108	Ldleel32.exe	86
PID 4108 wrote to memory of 3400	4108	Ldleel32.exe	86
PID 4108 wrote to memory of 3400	4108	Ldleel32.exe	86
PID 3400 wrote to memory of 3736	3400	Llgjjnlj.exe	87
PID 3400 wrote to memory of 3736	3400	Llgjjnlj.exe	87
PID 3400 wrote to memory of 3736	3400	Llgjjnlj.exe	87
PID 3736 wrote to memory of 4772	3736	Lgmngglp.exe	88
PID 3736 wrote to memory of 4772	3736	Lgmngglp.exe	88
PID 3736 wrote to memory of 4772	3736	Lgmngglp.exe	88
PID 4772 wrote to memory of 2604	4772	Lpebpm32.exe	89
PID 4772 wrote to memory of 2604	4772	Lpebpm32.exe	89
PID 4772 wrote to memory of 2604	4772	Lpebpm32.exe	89
PID 2604 wrote to memory of 4876	2604	Lphoelqn.exe	90
PID 2604 wrote to memory of 4876	2604	Lphoelqn.exe	90
PID 2604 wrote to memory of 4876	2604	Lphoelqn.exe	90
PID 4876 wrote to memory of 4944	4876	Mmlpoqpg.exe	92
PID 4876 wrote to memory of 4944	4876	Mmlpoqpg.exe	92
PID 4876 wrote to memory of 4944	4876	Mmlpoqpg.exe	92
PID 4944 wrote to memory of 3068	4944	Mgddhf32.exe	93
PID 4944 wrote to memory of 3068	4944	Mgddhf32.exe	93
PID 4944 wrote to memory of 3068	4944	Mgddhf32.exe	93
PID 3068 wrote to memory of 2884	3068	Mlcifmbl.exe	94
PID 3068 wrote to memory of 2884	3068	Mlcifmbl.exe	94
PID 3068 wrote to memory of 2884	3068	Mlcifmbl.exe	94
PID 2884 wrote to memory of 4352	2884	Migjoaaf.exe	95
PID 2884 wrote to memory of 4352	2884	Migjoaaf.exe	95
PID 2884 wrote to memory of 4352	2884	Migjoaaf.exe	95
PID 4352 wrote to memory of 1136	4352	Menjdbgj.exe	96
PID 4352 wrote to memory of 1136	4352	Menjdbgj.exe	96
PID 4352 wrote to memory of 1136	4352	Menjdbgj.exe	96
PID 1136 wrote to memory of 1916	1136	Ncbknfed.exe	97
PID 1136 wrote to memory of 1916	1136	Ncbknfed.exe	97
PID 1136 wrote to memory of 1916	1136	Ncbknfed.exe	97
PID 1916 wrote to memory of 2560	1916	Ncdgcf32.exe	98
PID 1916 wrote to memory of 2560	1916	Ncdgcf32.exe	98
PID 1916 wrote to memory of 2560	1916	Ncdgcf32.exe	98
PID 2560 wrote to memory of 2184	2560	Nphhmj32.exe	99
PID 2560 wrote to memory of 2184	2560	Nphhmj32.exe	99
PID 2560 wrote to memory of 2184	2560	Nphhmj32.exe	99
PID 2184 wrote to memory of 1236	2184	Njqmepik.exe	100
PID 2184 wrote to memory of 1236	2184	Njqmepik.exe	100
PID 2184 wrote to memory of 1236	2184	Njqmepik.exe	100
PID 1236 wrote to memory of 1452	1236	Nfgmjqop.exe	101
PID 1236 wrote to memory of 1452	1236	Nfgmjqop.exe	101
PID 1236 wrote to memory of 1452	1236	Nfgmjqop.exe	101
PID 1452 wrote to memory of 4928	1452	Ndhmhh32.exe	102
PID 1452 wrote to memory of 4928	1452	Ndhmhh32.exe	102
PID 1452 wrote to memory of 4928	1452	Ndhmhh32.exe	102
PID 4928 wrote to memory of 1488	4928	Oponmilc.exe	103
PID 4928 wrote to memory of 1488	4928	Oponmilc.exe	103
PID 4928 wrote to memory of 1488	4928	Oponmilc.exe	103
PID 1488 wrote to memory of 1960	1488	Oflgep32.exe	104
PID 1488 wrote to memory of 1960	1488	Oflgep32.exe	104
PID 1488 wrote to memory of 1960	1488	Oflgep32.exe	104
PID 1960 wrote to memory of 1404	1960	Odmgcgbi.exe	105
PID 1960 wrote to memory of 1404	1960	Odmgcgbi.exe	105
PID 1960 wrote to memory of 1404	1960	Odmgcgbi.exe	105
PID 1404 wrote to memory of 3640	1404	Oneklm32.exe	106
PID 1404 wrote to memory of 3640	1404	Oneklm32.exe	106
PID 1404 wrote to memory of 3640	1404	Oneklm32.exe	106
PID 3640 wrote to memory of 2720	3640	Ojllan32.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.af8aca9285614dc33218467a9ea823f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.af8aca9285614dc33218467a9ea823f0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\Ldleel32.exe
  C:\Windows\system32\Ldleel32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\Llgjjnlj.exe
    C:\Windows\system32\Llgjjnlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\Lgmngglp.exe
      C:\Windows\system32\Lgmngglp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        23⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        26⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        27⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        29⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        30⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        32⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Eecdjmfi.exe
        
        C:\Windows\system32\Eecdjmfi.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Egdqae32.exe
        
        C:\Windows\system32\Egdqae32.exe
        36⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Eajeon32.exe
        
        C:\Windows\system32\Eajeon32.exe
        37⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Ekbihd32.exe
        
        C:\Windows\system32\Ekbihd32.exe
        38⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Edknqiho.exe
        
        C:\Windows\system32\Edknqiho.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Eopbnbhd.exe
        
        C:\Windows\system32\Eopbnbhd.exe
        40⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Eglgbdep.exe
        
        C:\Windows\system32\Eglgbdep.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Eemgplno.exe
        
        C:\Windows\system32\Eemgplno.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Eoekia32.exe
        
        C:\Windows\system32\Eoekia32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Fkllnbjc.exe
        
        C:\Windows\system32\Fkllnbjc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Fojedapj.exe
        
        C:\Windows\system32\Fojedapj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Fdfmlhna.exe
        
        C:\Windows\system32\Fdfmlhna.exe
        46⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Fonnop32.exe
        
        C:\Windows\system32\Fonnop32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        48⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Fkeodaai.exe
        
        C:\Windows\system32\Fkeodaai.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ghipne32.exe
        
        C:\Windows\system32\Ghipne32.exe
        50⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Gnfhfl32.exe
        
        C:\Windows\system32\Gnfhfl32.exe
        51⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Ghklce32.exe
        
        C:\Windows\system32\Ghklce32.exe
        52⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\Goedpofl.exe
        
        C:\Windows\system32\Goedpofl.exe
        53⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Gdbmhf32.exe
        
        C:\Windows\system32\Gdbmhf32.exe
        54⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Mbognp32.exe
        
        C:\Windows\system32\Mbognp32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Nhlpfgbb.exe
        
        C:\Windows\system32\Nhlpfgbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Nohehq32.exe
        
        C:\Windows\system32\Nohehq32.exe
        58⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Nojanpej.exe
        
        C:\Windows\system32\Nojanpej.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Nipekiep.exe
        
        C:\Windows\system32\Nipekiep.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Nomncpcg.exe
        
        C:\Windows\system32\Nomncpcg.exe
        62⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Nplkmckj.exe
        
        C:\Windows\system32\Nplkmckj.exe
        63⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ocmconhk.exe
        
        C:\Windows\system32\Ocmconhk.exe
        65⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Oocddono.exe
        
        C:\Windows\system32\Oocddono.exe
        66⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Olgemcli.exe
        
        C:\Windows\system32\Olgemcli.exe
        67⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ogmijllo.exe
        
        C:\Windows\system32\Ogmijllo.exe
        68⤵
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Oohnonij.exe
        
        C:\Windows\system32\Oohnonij.exe
        69⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ojnblg32.exe
        
        C:\Windows\system32\Ojnblg32.exe
        70⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Ookjdn32.exe
        
        C:\Windows\system32\Ookjdn32.exe
        71⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Pgbbek32.exe
        
        C:\Windows\system32\Pgbbek32.exe
        72⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        73⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        74⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Phelcc32.exe
        
        C:\Windows\system32\Phelcc32.exe
        75⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\Poodpmca.exe
        
        C:\Windows\system32\Poodpmca.exe
        76⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        77⤵
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        78⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Pjgebf32.exe
        
        C:\Windows\system32\Pjgebf32.exe
        79⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        80⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Pfnegggi.exe
        
        C:\Windows\system32\Pfnegggi.exe
        81⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Qgnbaj32.exe
        
        C:\Windows\system32\Qgnbaj32.exe
        82⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        84⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Qlmgopjq.exe
        
        C:\Windows\system32\Qlmgopjq.exe
        85⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Agbkmijg.exe
        
        C:\Windows\system32\Agbkmijg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ahchda32.exe
        
        C:\Windows\system32\Ahchda32.exe
        87⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Agdhbi32.exe
        
        C:\Windows\system32\Agdhbi32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Aggegh32.exe
        
        C:\Windows\system32\Aggegh32.exe
        89⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Aqoiqn32.exe
        
        C:\Windows\system32\Aqoiqn32.exe
        90⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        92⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        93⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        94⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Iqklon32.exe
        
        C:\Windows\system32\Iqklon32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Iggaah32.exe
        
        C:\Windows\system32\Iggaah32.exe
        97⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Inainbcn.exe
        
        C:\Windows\system32\Inainbcn.exe
        98⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Idkbkl32.exe
        
        C:\Windows\system32\Idkbkl32.exe
        99⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ikejgf32.exe
        
        C:\Windows\system32\Ikejgf32.exe
        100⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ibobdqid.exe
        
        C:\Windows\system32\Ibobdqid.exe
        101⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Jhijqj32.exe
        
        C:\Windows\system32\Jhijqj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Jjjghcfp.exe
        
        C:\Windows\system32\Jjjghcfp.exe
        103⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jjmcnbdm.exe
        
        C:\Windows\system32\Jjmcnbdm.exe
        104⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Jqglkmlj.exe
        
        C:\Windows\system32\Jqglkmlj.exe
        105⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Jhndljll.exe
        
        C:\Windows\system32\Jhndljll.exe
        106⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jbfheo32.exe
        
        C:\Windows\system32\Jbfheo32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jhpqaiji.exe
        
        C:\Windows\system32\Jhpqaiji.exe
        108⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jjamia32.exe
        
        C:\Windows\system32\Jjamia32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jbiejoaj.exe
        
        C:\Windows\system32\Jbiejoaj.exe
        110⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Jgenbfoa.exe
        
        C:\Windows\system32\Jgenbfoa.exe
        111⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        112⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Kjffdalb.exe
        
        C:\Windows\system32\Kjffdalb.exe
        114⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Kqpoakco.exe
        
        C:\Windows\system32\Kqpoakco.exe
        115⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Kgjgne32.exe
        
        C:\Windows\system32\Kgjgne32.exe
        116⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Kijchhbo.exe
        
        C:\Windows\system32\Kijchhbo.exe
        118⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kjkpoq32.exe
        
        C:\Windows\system32\Kjkpoq32.exe
        119⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        120⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Kgopidgf.exe
        
        C:\Windows\system32\Kgopidgf.exe
        121⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        122⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        123⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Knkekn32.exe
        
        C:\Windows\system32\Knkekn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        125⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Ljbfpo32.exe
        
        C:\Windows\system32\Ljbfpo32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Licfngjd.exe
        
        C:\Windows\system32\Licfngjd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Lieccf32.exe
        
        C:\Windows\system32\Lieccf32.exe
        129⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Ljgpkonp.exe
        
        C:\Windows\system32\Ljgpkonp.exe
        130⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Lelchgne.exe
        
        C:\Windows\system32\Lelchgne.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lgkpdcmi.exe
        
        C:\Windows\system32\Lgkpdcmi.exe
        132⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lbpdblmo.exe
        
        C:\Windows\system32\Lbpdblmo.exe
        133⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        134⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        135⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        136⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Mhoipb32.exe
        
        C:\Windows\system32\Mhoipb32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        138⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        139⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mhafeb32.exe
        
        C:\Windows\system32\Mhafeb32.exe
        140⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Majjng32.exe
        
        C:\Windows\system32\Majjng32.exe
        142⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Mhdckaeo.exe
        
        C:\Windows\system32\Mhdckaeo.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        144⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Mnphmkji.exe
        
        C:\Windows\system32\Mnphmkji.exe
        145⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Mifljdjo.exe
        
        C:\Windows\system32\Mifljdjo.exe
        146⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Naaqofgj.exe
        
        C:\Windows\system32\Naaqofgj.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Nhkikq32.exe
        
        C:\Windows\system32\Nhkikq32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Noeahkfc.exe
        
        C:\Windows\system32\Noeahkfc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        150⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Nklbmllg.exe
        
        C:\Windows\system32\Nklbmllg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Neafjdkn.exe
        
        C:\Windows\system32\Neafjdkn.exe
        152⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Nojjcj32.exe
        
        C:\Windows\system32\Nojjcj32.exe
        154⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Nhbolp32.exe
        
        C:\Windows\system32\Nhbolp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Nbgcih32.exe
        
        C:\Windows\system32\Nbgcih32.exe
        156⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        157⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Okchnk32.exe
        
        C:\Windows\system32\Okchnk32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        159⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        160⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        161⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        162⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        164⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Ohkbbn32.exe
        
        C:\Windows\system32\Ohkbbn32.exe
        165⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        166⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Oeoblb32.exe
        
        C:\Windows\system32\Oeoblb32.exe
        167⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Olijhmgj.exe
        
        C:\Windows\system32\Olijhmgj.exe
        168⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        169⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Pllgnl32.exe
        
        C:\Windows\system32\Pllgnl32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Pojcjh32.exe
        
        C:\Windows\system32\Pojcjh32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Pcjiff32.exe
        
        C:\Windows\system32\Pcjiff32.exe
        172⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Bbgeno32.exe
        
        C:\Windows\system32\Bbgeno32.exe
        173⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Bjnmpl32.exe
        
        C:\Windows\system32\Bjnmpl32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Bjpjel32.exe
        
        C:\Windows\system32\Bjpjel32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        178⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        179⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        181⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4564
        
        C:\Windows\SysWOW64\Lenicahg.exe
        
        C:\Windows\system32\Lenicahg.exe
        183⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        184⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        185⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        186⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        188⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        189⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        190⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        191⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        192⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        193⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        194⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        195⤵
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        196⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        197⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        198⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        199⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        201⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        202⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        203⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        204⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        205⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4052
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        207⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        208⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        209⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        210⤵
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        211⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1236
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1212
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        214⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        215⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        216⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        219⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4628
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        221⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        222⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:932
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        224⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        225⤵
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        226⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        227⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        228⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        229⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        230⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        231⤵
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        232⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        234⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        235⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        236⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        237⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        238⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        239⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        240⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        241⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236

C:\Windows\SysWOW64\Amcehdod.exe
C:\Windows\system32\Amcehdod.exe
1⤵
- Modifies registry class
PID:5284
- C:\Windows\SysWOW64\Bhhiemoj.exe
  C:\Windows\system32\Bhhiemoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:1864
- - C:\Windows\SysWOW64\Bobabg32.exe
    C:\Windows\system32\Bobabg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:4452
  - - C:\Windows\SysWOW64\Bgpcliao.exe
      C:\Windows\system32\Bgpcliao.exe
      4⤵
      PID:5396
    - - C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        5⤵
        Drops file in System32 directory
        
        PID:1348
      - C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        6⤵
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        7⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        8⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        9⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        10⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        11⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        12⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        13⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        14⤵
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        15⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        16⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        17⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        18⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        19⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        21⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        22⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        23⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        24⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        25⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2688
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        27⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        28⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        29⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 412
        30⤵
        Program crash
        
        PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5388 -ip 5388
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdhbi32.exe

Filesize
181KB

MD5
d3ad58eb501fe65338280f9a0a3a3183

SHA1
baf104e78e61919ca0b3b5d0ea35f5eb225ea47c

SHA256
b39f02429b79023b1df92f79359a26ec559b64588b85f65235378b621246bb50

SHA512
38dd1ed73ddba8e06f2b0757317487cb60e7d2c49c790b4bfb7f499241f7022a03b83f3bf7581a6056de2e50702df0a9afff0b06f134b9c59a165140619a9835

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
181KB

MD5
e1bb715821303f45f284cf09a435373f

SHA1
ea1c08067f4516e956b51f207574524ac0d1971d

SHA256
02ef338ca78feb47ec7169408aae0e818b2138a9eae5807670f4172dce52d9a1

SHA512
577557abecf85808022e4c01236119b233588dfbd3747de6fd64be54913d4d62305dc4058d5443631591a10372fdb7ca7289de14b7c234a5bfe9c04d3e1fe489

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
181KB

MD5
e1bb715821303f45f284cf09a435373f

SHA1
ea1c08067f4516e956b51f207574524ac0d1971d

SHA256
02ef338ca78feb47ec7169408aae0e818b2138a9eae5807670f4172dce52d9a1

SHA512
577557abecf85808022e4c01236119b233588dfbd3747de6fd64be54913d4d62305dc4058d5443631591a10372fdb7ca7289de14b7c234a5bfe9c04d3e1fe489

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
181KB

MD5
a05ba419fa7cbf6ef9943e50d8e80d07

SHA1
4c79ffb78a50bf126349f076ba1b502f4f9044c1

SHA256
b3876d6e974fb2ca1cef773fc8da1f4af28efd34ef684a4062cc259b8e9b4988

SHA512
7dff545743a50f33930f06530aee27582756005da54b1c381415dd70a165f2f9cebdbfd3589b61779a9b64c781b6e53bffa281195e1c315c82333c7270dc3a11

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
181KB

MD5
a05ba419fa7cbf6ef9943e50d8e80d07

SHA1
4c79ffb78a50bf126349f076ba1b502f4f9044c1

SHA256
b3876d6e974fb2ca1cef773fc8da1f4af28efd34ef684a4062cc259b8e9b4988

SHA512
7dff545743a50f33930f06530aee27582756005da54b1c381415dd70a165f2f9cebdbfd3589b61779a9b64c781b6e53bffa281195e1c315c82333c7270dc3a11

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
181KB

MD5
4d790e20386d173adabe3a900d542350

SHA1
9b3bf4db2c58fc05b2c61771af4e01e49c3feba7

SHA256
473bafbe1e5697143fc5c76a811cbbcc4c8b1d6d2c1b76c125f8fd3babd5ccae

SHA512
185487586f3d6179a75eb1076c988d16debcf3a686da3065932c9306bae639ff3c8525df9be0e5941dbca7c010997b8bfd3d2c670fd5702df7e74cd9d8c09169

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
181KB

MD5
d2108f898c6b8cb1390504bdf13ee793

SHA1
6fd943479d963b89142f0c4578402602a40044ab

SHA256
fd566b179cef1ca6db0eb7b4d7ab49cfed8877f1510c874761e972e5c9736cd3

SHA512
92677ad1f99f29d23898a88444dc36da9b5fbc256ed83229e8de44c90aafc59a3918fbdfada5a1e493530f3582b846f28bf7b0926003cc78df73f953251ba440

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
181KB

MD5
d2108f898c6b8cb1390504bdf13ee793

SHA1
6fd943479d963b89142f0c4578402602a40044ab

SHA256
fd566b179cef1ca6db0eb7b4d7ab49cfed8877f1510c874761e972e5c9736cd3

SHA512
92677ad1f99f29d23898a88444dc36da9b5fbc256ed83229e8de44c90aafc59a3918fbdfada5a1e493530f3582b846f28bf7b0926003cc78df73f953251ba440

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
181KB

MD5
283e7c4256e7b977b982cb7dd2aa1f95

SHA1
e95d255d7406b5c08eaffdff2d5473fd643c3982

SHA256
5511747723e3186eaa460781cd93c09c77ad4f543bb5a8c1322946263e3cb170

SHA512
f79ec1f5b4b8a7afb7a30b9a23f7a4cf1d961ed42a3738967b500f2545a09f970d245086cf5a43bbc3dbbde6e0dfa456a64ecdf395f68af5cb25874caa1453c9

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
181KB

MD5
283e7c4256e7b977b982cb7dd2aa1f95

SHA1
e95d255d7406b5c08eaffdff2d5473fd643c3982

SHA256
5511747723e3186eaa460781cd93c09c77ad4f543bb5a8c1322946263e3cb170

SHA512
f79ec1f5b4b8a7afb7a30b9a23f7a4cf1d961ed42a3738967b500f2545a09f970d245086cf5a43bbc3dbbde6e0dfa456a64ecdf395f68af5cb25874caa1453c9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
181KB

MD5
4d790e20386d173adabe3a900d542350

SHA1
9b3bf4db2c58fc05b2c61771af4e01e49c3feba7

SHA256
473bafbe1e5697143fc5c76a811cbbcc4c8b1d6d2c1b76c125f8fd3babd5ccae

SHA512
185487586f3d6179a75eb1076c988d16debcf3a686da3065932c9306bae639ff3c8525df9be0e5941dbca7c010997b8bfd3d2c670fd5702df7e74cd9d8c09169

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
181KB

MD5
4d790e20386d173adabe3a900d542350

SHA1
9b3bf4db2c58fc05b2c61771af4e01e49c3feba7

SHA256
473bafbe1e5697143fc5c76a811cbbcc4c8b1d6d2c1b76c125f8fd3babd5ccae

SHA512
185487586f3d6179a75eb1076c988d16debcf3a686da3065932c9306bae639ff3c8525df9be0e5941dbca7c010997b8bfd3d2c670fd5702df7e74cd9d8c09169

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
181KB

MD5
202a23a161dfa00401180ae65f96a3a9

SHA1
e5e8e6b30fff37286295d995aa81ec716bee785a

SHA256
530f4a7d9eb944a906f27ae89ee77f840903d8221ba4c869655a4c23c4df859a

SHA512
2c2be9873a90a0fece7cc1e5b03ca39cf993da22130a4e21cd0bfab8bb99ba26936b5f3258733c1d4ec8ea3bff4257e9fd4dea64586cedb93a6f8b728b42eeff

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
181KB

MD5
202a23a161dfa00401180ae65f96a3a9

SHA1
e5e8e6b30fff37286295d995aa81ec716bee785a

SHA256
530f4a7d9eb944a906f27ae89ee77f840903d8221ba4c869655a4c23c4df859a

SHA512
2c2be9873a90a0fece7cc1e5b03ca39cf993da22130a4e21cd0bfab8bb99ba26936b5f3258733c1d4ec8ea3bff4257e9fd4dea64586cedb93a6f8b728b42eeff

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
181KB

MD5
4802572aaeabf9a1de0041fc9e70c9a7

SHA1
aa78c39efdcfafa7a1f13d0b031b496b4ac8fa8d

SHA256
7d9b46643d4847b14424150ba430918cfd01a3a1e508cb6a1437eb39e1b9a76b

SHA512
41b8d834ac3556ea7f797e123d7a8922931ecb1e07602da5ec12e7735adc23b20ae3cf42367998cdbd4a4d92236aeb1c68d1350a997d64d86cc739c4877e5bf2

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
181KB

MD5
4802572aaeabf9a1de0041fc9e70c9a7

SHA1
aa78c39efdcfafa7a1f13d0b031b496b4ac8fa8d

SHA256
7d9b46643d4847b14424150ba430918cfd01a3a1e508cb6a1437eb39e1b9a76b

SHA512
41b8d834ac3556ea7f797e123d7a8922931ecb1e07602da5ec12e7735adc23b20ae3cf42367998cdbd4a4d92236aeb1c68d1350a997d64d86cc739c4877e5bf2

Download Submit
C:\Windows\SysWOW64\Fkllnbjc.exe

Filesize
181KB

MD5
a375d329e6038ea9cca26761203f5665

SHA1
1473e2c8592284daa476828cefe267d6df093505

SHA256
17523bc3dbb00b86af0e3713af70d983a4c74f4bd0833f0c72ea97457e96f4ff

SHA512
6f0b200102f0ba2381e564aa6b36c34fb60f48113792a0af75bb70483b51c0c22d281ae5aaeb46bf38307db5be321cfea079afacea71be3aabd827894475ac53

Download Submit
C:\Windows\SysWOW64\Gdbmhf32.exe

Filesize
181KB

MD5
b553143001242ad84529bcb7b28581b5

SHA1
0bc18286b09f68ce73ea938d7ec30eab214e3f39

SHA256
e2ce279ab68157a90ee4383de599f9510f16ce73c19d1a779c81eb10269f8f50

SHA512
2be6aec6d9f382d5504fb204e81789885c05f8520709a85126b7fff89a830429d8404c15a7ef80ba2171d21619c3a8d8daed7df57155cce4ad7ea752a131bddf

Download Submit
C:\Windows\SysWOW64\Idkkpf32.exe

Filesize
181KB

MD5
2d84db0e89a21feabaa791f8cc8c1731

SHA1
0bf27a50e183c986e18361e9819c1321d280c309

SHA256
4fda1aa9b4d70fe8b3982650a20559497dfd2100f621b6422de80a0096ffa018

SHA512
61421285e15e87c3064fde1de1b9966bee0111dc825d2e933031bb0030dd12c345291e39a4e9b5cae99553270dab342ca1caeb83e5666b4ed1c6fa9884cf2385

Download Submit
C:\Windows\SysWOW64\Jhndljll.exe

Filesize
181KB

MD5
a0476d50c9a6c760b5e784c3dbbf32b8

SHA1
4d3be5d3b27d2c23d194c3f7010e71ed1c4656ff

SHA256
3e3ddc1e032c910da5dddc126c4a2c5ee76b2937eb44e9f11c23884ffc2decc3

SHA512
eba8ceffed4fbaa39042a195b38753816101aea7b18a9a2233e0cbf245f0d2f67675b80e9dccb9c10ff5cc3071264281eb98fe8169790033c190ba0126e5dd2b

Download Submit
C:\Windows\SysWOW64\Jnpfop32.exe

Filesize
181KB

MD5
9999b3d99916304f38d069189f838bfd

SHA1
9ddf8f073f423f7a3431ed70e1c0469b00d72624

SHA256
a1a95791d76a48d04fbf92e937720603de6d35f40f40e8b1e48baad5afdea191

SHA512
0a8f14a75ba126171d150df342456bb2989d1c444fb621c7f65e9f66785bf196868ca2be1165525f2587e65a21f788eb075ada01b0486cd7c776bf87e671420b

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
181KB

MD5
9614c5a46108a82b6b23d15b50f92af2

SHA1
024b7568f8120b95c42427c1f15a222028afd5a3

SHA256
8f6ddd61deb2686887dfc7c8d0e70fd6517ca783f1e5f04cf936aabccf715d0c

SHA512
cd96b65ed589df6056e53118ace89dbed2fc92dd4a3f43e8304f31624693d96db8ad62dc5c1e53cd94b6e3ac810563012b52fb6dda74ea43ca07d9d923bbd47a

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
181KB

MD5
ab075117275d31402220df5ce532cf44

SHA1
723b8ede4193072896da87d351aea362c528fabb

SHA256
bdfe2d8fc69f12fe2703514ac46651ef17b7f6aa0d90051356a98a16458c369f

SHA512
ca0d3017e5a1cfb03a4ff6ac12903f5c8f970bc82aedd12cc716e9972190ac15ef2175a912e9f314c4aa43df19d79598493d6714a6f4534208e2a847feabacee

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
181KB

MD5
ab075117275d31402220df5ce532cf44

SHA1
723b8ede4193072896da87d351aea362c528fabb

SHA256
bdfe2d8fc69f12fe2703514ac46651ef17b7f6aa0d90051356a98a16458c369f

SHA512
ca0d3017e5a1cfb03a4ff6ac12903f5c8f970bc82aedd12cc716e9972190ac15ef2175a912e9f314c4aa43df19d79598493d6714a6f4534208e2a847feabacee

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
181KB

MD5
ca4763b6e8e4f178aa8df2ddc424175b

SHA1
d50055db25780a532f576079d858cbbd98831963

SHA256
bbcfd8868e6b6a87ca3cd17c327b4fb174c32fb673d320e71544b7e09bbace61

SHA512
cd2b9f4b7e5c22d4c71dd9b974196db8da189b5d7b2d980640ed806fb2ff32fafdb3ece56aecf925bc3c36ac1d638b95c8b5e78e321c5a54e675cfcc7fcf7d1b

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
181KB

MD5
ca4763b6e8e4f178aa8df2ddc424175b

SHA1
d50055db25780a532f576079d858cbbd98831963

SHA256
bbcfd8868e6b6a87ca3cd17c327b4fb174c32fb673d320e71544b7e09bbace61

SHA512
cd2b9f4b7e5c22d4c71dd9b974196db8da189b5d7b2d980640ed806fb2ff32fafdb3ece56aecf925bc3c36ac1d638b95c8b5e78e321c5a54e675cfcc7fcf7d1b

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
181KB

MD5
c96d100d60bc2f222b1caa1dbb7dee35

SHA1
cb72eb2e36a1157b6183d08cb7cb36cb23a40d82

SHA256
8cf960507b5717693c70b9da8ce0b79d1b963f4a7d179efbf872716701f62bf9

SHA512
09b36f2aab2ab2747064d8058972e7b1002a131da626d812075925be0ae7c9bc44b343c0540a05d7adf0a3a32cd60ebeb63018093690112fb964836797b8eeb7

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
181KB

MD5
c96d100d60bc2f222b1caa1dbb7dee35

SHA1
cb72eb2e36a1157b6183d08cb7cb36cb23a40d82

SHA256
8cf960507b5717693c70b9da8ce0b79d1b963f4a7d179efbf872716701f62bf9

SHA512
09b36f2aab2ab2747064d8058972e7b1002a131da626d812075925be0ae7c9bc44b343c0540a05d7adf0a3a32cd60ebeb63018093690112fb964836797b8eeb7

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
181KB

MD5
53a192fe16bc2e2417864bf86a02106e

SHA1
1f5cbf82ca5c69d28cdbb56a656ed368177adc9d

SHA256
f8b380e7c671e6b0d936425d06ab2852cae558ba59539f759308994d3f701fb8

SHA512
ab4ee3e4ad03559f4fe638c75c13aa68258a6c969ffc45f107e526609bd7c3aa7edf955c701e2a55aa21f2adb2659671f3f6a06f1d5b024487c4dde90b17847a

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
181KB

MD5
53a192fe16bc2e2417864bf86a02106e

SHA1
1f5cbf82ca5c69d28cdbb56a656ed368177adc9d

SHA256
f8b380e7c671e6b0d936425d06ab2852cae558ba59539f759308994d3f701fb8

SHA512
ab4ee3e4ad03559f4fe638c75c13aa68258a6c969ffc45f107e526609bd7c3aa7edf955c701e2a55aa21f2adb2659671f3f6a06f1d5b024487c4dde90b17847a

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
181KB

MD5
8e2857d8e2efaed48ab04376d65e6c27

SHA1
7b13f52809312632d329cbfe3bfd8313041fdb5a

SHA256
8062a31916ff74994333b942f9a58a18abb23a3d705ecb848572cd0f819fb282

SHA512
e013b57c9f46db0b7a62a698a033682c1c0081a9d93b672aa1f797e260e5a87eb07e4ae904e240fa632dbd4940e46f6d518cdd111f1d85673b6af398537f55ac

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
181KB

MD5
8e2857d8e2efaed48ab04376d65e6c27

SHA1
7b13f52809312632d329cbfe3bfd8313041fdb5a

SHA256
8062a31916ff74994333b942f9a58a18abb23a3d705ecb848572cd0f819fb282

SHA512
e013b57c9f46db0b7a62a698a033682c1c0081a9d93b672aa1f797e260e5a87eb07e4ae904e240fa632dbd4940e46f6d518cdd111f1d85673b6af398537f55ac

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
181KB

MD5
26f85b390ef389afe413818f29855531

SHA1
ffd24cdada55f3e0fa78217f0834aa3ac167d67e

SHA256
1fb914bbd1ac8b60257342888f4d7d5d4f6c4355647f063c9cd9b8aca1373b53

SHA512
079689f8fa0f1edbcd691e110948830aced74f0158c8a3c4538c38a3acbeccdc8f6bc5a06637e3f3519b667ed58aa323de2d5b2f6b255be1918c1886c2b1241f

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
181KB

MD5
26f85b390ef389afe413818f29855531

SHA1
ffd24cdada55f3e0fa78217f0834aa3ac167d67e

SHA256
1fb914bbd1ac8b60257342888f4d7d5d4f6c4355647f063c9cd9b8aca1373b53

SHA512
079689f8fa0f1edbcd691e110948830aced74f0158c8a3c4538c38a3acbeccdc8f6bc5a06637e3f3519b667ed58aa323de2d5b2f6b255be1918c1886c2b1241f

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
181KB

MD5
69159a3ac1ceb1439b8d05973bda4096

SHA1
bac600321065f367f894922b53e7cbcd02bfab7f

SHA256
2ebd4f6645efe646e3134fd5d0ed17a21ab47b825bd411bf5185ba6ac424dbbe

SHA512
ffa10be6b26a1d7e950f6dff5bfe4602497af1e66a492d800bf1a6922f7d9f6bb8e652f6a035a6be67f6a1fac237a3e421960734120bd62ff119f34cbb3d7e8f

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
181KB

MD5
94bab7d761dd70dbf4b83bfbf3fe79d5

SHA1
ca803729bacaff6ba00f93e145cfcd1942e340c6

SHA256
7275d7cd07eb143ef5201ba528c36714e8e65915bd6b4b7fc945da78bf83458b

SHA512
cded6024bb4028026788fc5a9c47d8a431f4cae6d3cbdaae827683dd30e915ff29a2cd0d3e6a254749b49e097452cdceec8b15d4a7d51fda274a8817291f4348

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
181KB

MD5
94bab7d761dd70dbf4b83bfbf3fe79d5

SHA1
ca803729bacaff6ba00f93e145cfcd1942e340c6

SHA256
7275d7cd07eb143ef5201ba528c36714e8e65915bd6b4b7fc945da78bf83458b

SHA512
cded6024bb4028026788fc5a9c47d8a431f4cae6d3cbdaae827683dd30e915ff29a2cd0d3e6a254749b49e097452cdceec8b15d4a7d51fda274a8817291f4348

Download Submit
C:\Windows\SysWOW64\Mifljdjo.exe

Filesize
181KB

MD5
08484954aff1a505f857be22a2d6de4c

SHA1
63b487582b18685b0ff05162a9ece8ce4e992338

SHA256
aa082a110f68a5e0d3e771244ec9c71d49b4d8b6bbcc6fe8c5b06badfd0da4aa

SHA512
aa20cb92efc0cf15da1437ea30f4926c7d1420706ac5d99398039a160a66d3668302df3e1f58dd1f9e8e10b1d1b319769c39e29746d439d8195c349086de101d

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
181KB

MD5
0be10217d30fc939b878f0a24b0d8380

SHA1
869569c49142711bc2dd404060cd09e2e0032db6

SHA256
d3e3c86e25a294fde3caefbcb696ccedfe470d7fd5abc1e36b3ea1020607c88f

SHA512
5344570211c4ad94d868f28a7e9390080afe24ff6fd41357408ba9dbaf975f34aded04a496dbb486f57b2a2d85634b2f47059025a448b31d6ef635222f78a26a

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
181KB

MD5
0be10217d30fc939b878f0a24b0d8380

SHA1
869569c49142711bc2dd404060cd09e2e0032db6

SHA256
d3e3c86e25a294fde3caefbcb696ccedfe470d7fd5abc1e36b3ea1020607c88f

SHA512
5344570211c4ad94d868f28a7e9390080afe24ff6fd41357408ba9dbaf975f34aded04a496dbb486f57b2a2d85634b2f47059025a448b31d6ef635222f78a26a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
181KB

MD5
94e05344a065af665618b324646bbe9e

SHA1
39994ba54847732bfdaaed0d402b8d85074a0020

SHA256
4ebbd5c2dbe6969ba52735eb3e87753d644a5155d42075d87b4ba381b3335d6f

SHA512
8cfcb36795533efb175985f6294671c0ae7cefd9e7b64828d2221d40790b6b8d43e16f8c2345198c76abf68298decb9149e7bf972b23e2e36dcb38dae4583d4e

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
181KB

MD5
94e05344a065af665618b324646bbe9e

SHA1
39994ba54847732bfdaaed0d402b8d85074a0020

SHA256
4ebbd5c2dbe6969ba52735eb3e87753d644a5155d42075d87b4ba381b3335d6f

SHA512
8cfcb36795533efb175985f6294671c0ae7cefd9e7b64828d2221d40790b6b8d43e16f8c2345198c76abf68298decb9149e7bf972b23e2e36dcb38dae4583d4e

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
181KB

MD5
0b451412d03bf43b04e77dec2e70f695

SHA1
221fb9b47ef45582b614a8df367ad25485ffff5a

SHA256
446580f192fc6687194e32ddf5e9047334d3714e59726b30150b34b82c0e4f02

SHA512
bc0885fed9d50d7eb7179934dad8c43df7a95d2874fc5b4566b8a3c4fed75ae2e7bb008657cdc69e47fd132236b6c8104b18d4113fbf708ac352d0a9f6eabd6b

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
181KB

MD5
0b451412d03bf43b04e77dec2e70f695

SHA1
221fb9b47ef45582b614a8df367ad25485ffff5a

SHA256
446580f192fc6687194e32ddf5e9047334d3714e59726b30150b34b82c0e4f02

SHA512
bc0885fed9d50d7eb7179934dad8c43df7a95d2874fc5b4566b8a3c4fed75ae2e7bb008657cdc69e47fd132236b6c8104b18d4113fbf708ac352d0a9f6eabd6b

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
181KB

MD5
75e18d9f177c638fbdd3d5dcfab66fbc

SHA1
9495db3fd5e6ce84a4750b45f4bc9b53f3db7a07

SHA256
92824cf46c4397745ba08247755f4ed91f34f66d30da34ea873f1def204334a0

SHA512
f17cad6c7b75be00bbc5a0f21e0094c26263bf05f29fbb067859c3268179045bd40c7cac5a83993d58b0e89a616b63f321196d988d7169e4b911c9cd1d35166f

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
181KB

MD5
75e18d9f177c638fbdd3d5dcfab66fbc

SHA1
9495db3fd5e6ce84a4750b45f4bc9b53f3db7a07

SHA256
92824cf46c4397745ba08247755f4ed91f34f66d30da34ea873f1def204334a0

SHA512
f17cad6c7b75be00bbc5a0f21e0094c26263bf05f29fbb067859c3268179045bd40c7cac5a83993d58b0e89a616b63f321196d988d7169e4b911c9cd1d35166f

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
181KB

MD5
badd46baac67c0ce8c18fd3e054e5312

SHA1
1eed863e0bb0d88f7d29daed5ae80390e9b81456

SHA256
395ae2c42d91027ac36981779d3295da5aa4dcea435a277081e02ac9b7af2008

SHA512
8a6ad12985d0ef356b75a1e9acc29f3603e5d91bd738d43911fc00e9ea527e97b061e8213859ac13318d3e43b8a403376f87b825a274ef914c5b7d356446cb93

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
181KB

MD5
badd46baac67c0ce8c18fd3e054e5312

SHA1
1eed863e0bb0d88f7d29daed5ae80390e9b81456

SHA256
395ae2c42d91027ac36981779d3295da5aa4dcea435a277081e02ac9b7af2008

SHA512
8a6ad12985d0ef356b75a1e9acc29f3603e5d91bd738d43911fc00e9ea527e97b061e8213859ac13318d3e43b8a403376f87b825a274ef914c5b7d356446cb93

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
181KB

MD5
f141cdfc1bf863cdd8801b898c74e27a

SHA1
fff868d059ce3f4f7ea74ab88a3e452104338d30

SHA256
bd77449daf4bd1b4d9c7374e2a33c6488aedd43fc0d0313eb2168b7aa5f0a1bc

SHA512
9463a6edadf2550772a108a55c9e9576b16a17d5a585f65b1ec89155549cbb9cf626fac65158023ba913a9d381a3fad34d2ddd263aeee927ca5448de7da96d16

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
181KB

MD5
f141cdfc1bf863cdd8801b898c74e27a

SHA1
fff868d059ce3f4f7ea74ab88a3e452104338d30

SHA256
bd77449daf4bd1b4d9c7374e2a33c6488aedd43fc0d0313eb2168b7aa5f0a1bc

SHA512
9463a6edadf2550772a108a55c9e9576b16a17d5a585f65b1ec89155549cbb9cf626fac65158023ba913a9d381a3fad34d2ddd263aeee927ca5448de7da96d16

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
181KB

MD5
d6dd106936d1750d13df256fe80940de

SHA1
1421e76bcba4d69d742a8f6596db4b4e13f7ab1b

SHA256
86b477c15d0aadbe504003acd2a5175679e154a5da460ccf3f84ad94aa70aa3b

SHA512
8325ca20aae47bb19a7c800fef7e92510fbe6d6a58cf4dbf8a48f6129ab1bf8c747af203697616f33e825e8ef76ab13f42cf1d539d0e8424952ee230aeb698d4

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
181KB

MD5
d6dd106936d1750d13df256fe80940de

SHA1
1421e76bcba4d69d742a8f6596db4b4e13f7ab1b

SHA256
86b477c15d0aadbe504003acd2a5175679e154a5da460ccf3f84ad94aa70aa3b

SHA512
8325ca20aae47bb19a7c800fef7e92510fbe6d6a58cf4dbf8a48f6129ab1bf8c747af203697616f33e825e8ef76ab13f42cf1d539d0e8424952ee230aeb698d4

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
181KB

MD5
078b04001c0591028e5aba38d6066064

SHA1
7b956406320e4d7fb07744072240d4186164e52e

SHA256
ccabf9107b2c582f5adf952c2e1c7ee3ce9d8bdff962d25e7e25df8eb92a7fbb

SHA512
fb18daf6e1bb8814e334287603183305776bbb234ac554818546ced0bbd59b586278d574b1c78f720c3276c3e38e83d5fa41fda0707502e7f9f0d0a379cec23d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
181KB

MD5
078b04001c0591028e5aba38d6066064

SHA1
7b956406320e4d7fb07744072240d4186164e52e

SHA256
ccabf9107b2c582f5adf952c2e1c7ee3ce9d8bdff962d25e7e25df8eb92a7fbb

SHA512
fb18daf6e1bb8814e334287603183305776bbb234ac554818546ced0bbd59b586278d574b1c78f720c3276c3e38e83d5fa41fda0707502e7f9f0d0a379cec23d

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
181KB

MD5
562a5414b6ed45b3fdba70dceb20d489

SHA1
ea30af5628c2ea5ccbaec167ddf432a51bb21ae5

SHA256
a58e1e8355055666a24b962caf6459c12f855dc35079066b3ca5e5f3722a7c74

SHA512
6696fb927cef3fe504b228972bed9349cea0725ea9f59d879237a7c860b67338500769666edd7cf5bdeb61ebf98f16f8c7f10d0deaad0b0baf12e359afb0f2c1

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
181KB

MD5
562a5414b6ed45b3fdba70dceb20d489

SHA1
ea30af5628c2ea5ccbaec167ddf432a51bb21ae5

SHA256
a58e1e8355055666a24b962caf6459c12f855dc35079066b3ca5e5f3722a7c74

SHA512
6696fb927cef3fe504b228972bed9349cea0725ea9f59d879237a7c860b67338500769666edd7cf5bdeb61ebf98f16f8c7f10d0deaad0b0baf12e359afb0f2c1

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
181KB

MD5
562a5414b6ed45b3fdba70dceb20d489

SHA1
ea30af5628c2ea5ccbaec167ddf432a51bb21ae5

SHA256
a58e1e8355055666a24b962caf6459c12f855dc35079066b3ca5e5f3722a7c74

SHA512
6696fb927cef3fe504b228972bed9349cea0725ea9f59d879237a7c860b67338500769666edd7cf5bdeb61ebf98f16f8c7f10d0deaad0b0baf12e359afb0f2c1

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
181KB

MD5
bf5c350885d03cd0e62fe969517b0a0f

SHA1
a1e04abf1f082d45fec4c5da46866c1f192ab9bd

SHA256
d968c3e96bd3c225a217c3a8a3d5fbc326f188b74d1003a430b241220e63074d

SHA512
00828b0cf7c04b1b9c47cc85db0dea5b116c62fd18f686cedd35abfaf4982927202be44558e6dbc192391c8db8c66f9e966ede83e876409a49ef20c14e320be0

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
181KB

MD5
bf5c350885d03cd0e62fe969517b0a0f

SHA1
a1e04abf1f082d45fec4c5da46866c1f192ab9bd

SHA256
d968c3e96bd3c225a217c3a8a3d5fbc326f188b74d1003a430b241220e63074d

SHA512
00828b0cf7c04b1b9c47cc85db0dea5b116c62fd18f686cedd35abfaf4982927202be44558e6dbc192391c8db8c66f9e966ede83e876409a49ef20c14e320be0

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
181KB

MD5
08e0c1448ae10f1cfeb2653c6b784963

SHA1
fb97a054ed0145c5d2f4cbf9271589fccc89b58e

SHA256
2e3563bda856c1e78f51de63f834b703d353b92c3905c95b7f7989f8266062e9

SHA512
0afbb300875c44ee37378dccacfe50eedf3449f7581e91366853dda5d59f57e5a6974f748999549c32f181efa487b628af813907bc0ae42b598aada21671e7ef

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
181KB

MD5
08e0c1448ae10f1cfeb2653c6b784963

SHA1
fb97a054ed0145c5d2f4cbf9271589fccc89b58e

SHA256
2e3563bda856c1e78f51de63f834b703d353b92c3905c95b7f7989f8266062e9

SHA512
0afbb300875c44ee37378dccacfe50eedf3449f7581e91366853dda5d59f57e5a6974f748999549c32f181efa487b628af813907bc0ae42b598aada21671e7ef

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
181KB

MD5
71aae264c2852f5eb00654ba1eaff20c

SHA1
02371f87185f32aeb46ad7b1cfac5a954c530c99

SHA256
3f47bb606fc1f1e1143a61eb1b01aaa95413a91a52b4e1fb42f3a6dcaf609877

SHA512
c42498d8e51758877d7ef7bf99dd68265d6abf2cf3542bb7683720060d949f71b1e95627fce07de3723873cdd1569e11d50b37d792651c131973cd1fa162ddfa

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
181KB

MD5
71aae264c2852f5eb00654ba1eaff20c

SHA1
02371f87185f32aeb46ad7b1cfac5a954c530c99

SHA256
3f47bb606fc1f1e1143a61eb1b01aaa95413a91a52b4e1fb42f3a6dcaf609877

SHA512
c42498d8e51758877d7ef7bf99dd68265d6abf2cf3542bb7683720060d949f71b1e95627fce07de3723873cdd1569e11d50b37d792651c131973cd1fa162ddfa

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
181KB

MD5
902209349ee10ce09ebfd3abcd053a5c

SHA1
ba263837e0f97958093b60e87436a7abbdf94025

SHA256
c61447789b09b77fe858bf0ea0c05badfaeeafe236ba91d497e345e724076430

SHA512
d0344b6a79d03865a9aed95df913f90f583bf4d0285402158e5e76f2a8284b3c53c18bb8e907a79e0b0256239f42373a1388a153d725185764a12566b001a94c

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
181KB

MD5
902209349ee10ce09ebfd3abcd053a5c

SHA1
ba263837e0f97958093b60e87436a7abbdf94025

SHA256
c61447789b09b77fe858bf0ea0c05badfaeeafe236ba91d497e345e724076430

SHA512
d0344b6a79d03865a9aed95df913f90f583bf4d0285402158e5e76f2a8284b3c53c18bb8e907a79e0b0256239f42373a1388a153d725185764a12566b001a94c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
181KB

MD5
ce16981031dc6e7aa62fbb09ff700f13

SHA1
cf2caa33744eaf52b46a8bd595b5d67c7517c4cd

SHA256
d2e5ca97b043fca456232705ceaa3fb8e4d8c0aa0c45d1776178a384b64b5f46

SHA512
c176d0ecb40bbc25263b60f408a890bcb3e49a91422c9729afe5e17f7f5ca431bf21dbd5a4505270c772f3c473ec89161af50f6f37e3be89759864ed955cb757

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
181KB

MD5
ce16981031dc6e7aa62fbb09ff700f13

SHA1
cf2caa33744eaf52b46a8bd595b5d67c7517c4cd

SHA256
d2e5ca97b043fca456232705ceaa3fb8e4d8c0aa0c45d1776178a384b64b5f46

SHA512
c176d0ecb40bbc25263b60f408a890bcb3e49a91422c9729afe5e17f7f5ca431bf21dbd5a4505270c772f3c473ec89161af50f6f37e3be89759864ed955cb757

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
181KB

MD5
62b9b55c3f4c1cbc631e7f4b300ec278

SHA1
819ea8fe0167cdcb8c07beca51c66e4a94c871e2

SHA256
eca9afc8d9a5fc4e8bd0164c56d75c637390d36cad8561bfd879383fd9a9750d

SHA512
d9b2eb81b803ecbf54f4b81bf0102fa5231e3686b48e2a19e7b9d8fd72a3ab63d11d5ba9990c7ba14f93935a44f614f154ad6069e7e1e73088614393f4c1b6c1

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
181KB

MD5
62b9b55c3f4c1cbc631e7f4b300ec278

SHA1
819ea8fe0167cdcb8c07beca51c66e4a94c871e2

SHA256
eca9afc8d9a5fc4e8bd0164c56d75c637390d36cad8561bfd879383fd9a9750d

SHA512
d9b2eb81b803ecbf54f4b81bf0102fa5231e3686b48e2a19e7b9d8fd72a3ab63d11d5ba9990c7ba14f93935a44f614f154ad6069e7e1e73088614393f4c1b6c1

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
181KB

MD5
ee14114eeea1bb21872c4177add15df3

SHA1
5126f1db0c0ea4dc3e279f9e8b1762d83ac9e75c

SHA256
de030d99d858e5027736f571a2cc1c64a7dc80adec362d869ac46b950e93e41c

SHA512
349fbd733ee03ebf3d978b5242ff81ce94d5661e8c953631aebe91107394d8b37c790093ad89586da7f9b7f3af5aa437e2421cd8a8ba830ad3954dc4dfa113a8

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
181KB

MD5
ee14114eeea1bb21872c4177add15df3

SHA1
5126f1db0c0ea4dc3e279f9e8b1762d83ac9e75c

SHA256
de030d99d858e5027736f571a2cc1c64a7dc80adec362d869ac46b950e93e41c

SHA512
349fbd733ee03ebf3d978b5242ff81ce94d5661e8c953631aebe91107394d8b37c790093ad89586da7f9b7f3af5aa437e2421cd8a8ba830ad3954dc4dfa113a8

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
181KB

MD5
ee14114eeea1bb21872c4177add15df3

SHA1
5126f1db0c0ea4dc3e279f9e8b1762d83ac9e75c

SHA256
de030d99d858e5027736f571a2cc1c64a7dc80adec362d869ac46b950e93e41c

SHA512
349fbd733ee03ebf3d978b5242ff81ce94d5661e8c953631aebe91107394d8b37c790093ad89586da7f9b7f3af5aa437e2421cd8a8ba830ad3954dc4dfa113a8

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
181KB

MD5
52cff7c9f8ebb8c4ce5fb899068736c0

SHA1
f12efdb97481aaaf277741d52429c41ce64e52bd

SHA256
55f02e33be734f31c1a590b77ed9b3f2b9ef4053af83d09dcaeaf0bdf085d4f6

SHA512
2f670a53bc7f702030464408c1d99f38605936b9f600fde5f4818e00843c7d52352e2b96005ca7cb31bc1950c62f8df970e543bf8c573690363b6a5a7490d055

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
181KB

MD5
52cff7c9f8ebb8c4ce5fb899068736c0

SHA1
f12efdb97481aaaf277741d52429c41ce64e52bd

SHA256
55f02e33be734f31c1a590b77ed9b3f2b9ef4053af83d09dcaeaf0bdf085d4f6

SHA512
2f670a53bc7f702030464408c1d99f38605936b9f600fde5f4818e00843c7d52352e2b96005ca7cb31bc1950c62f8df970e543bf8c573690363b6a5a7490d055

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
181KB

MD5
3504eae301598daef9f166a87fe9d2c5

SHA1
8cae3a93fba938e7854dbd9d09a1e771a7969e73

SHA256
b954c80afe6bcaf7d30fe22b4f399a6e5cdb026948fd22bd1c854e551b4745d8

SHA512
fab8ab6dc3b7039daf0d3361612aba1615604579027951efa885650beef2aa6eaff7035de922743eb93ead543d5555b6618e884711f6102a29b189ebf4fa9689

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
181KB

MD5
3504eae301598daef9f166a87fe9d2c5

SHA1
8cae3a93fba938e7854dbd9d09a1e771a7969e73

SHA256
b954c80afe6bcaf7d30fe22b4f399a6e5cdb026948fd22bd1c854e551b4745d8

SHA512
fab8ab6dc3b7039daf0d3361612aba1615604579027951efa885650beef2aa6eaff7035de922743eb93ead543d5555b6618e884711f6102a29b189ebf4fa9689

Download Submit
memory/540-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-652-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4148-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4148-647-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-649-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-651-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-650-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-648-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads