8b0382f11f3da46441fc61def595d3bc6b8c710257bcde501f75873d808d0e19

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe
Size

96KB
MD5

02d73beb1b6a17c441e8110f8a82a250
SHA1

19df72728330a144f3b98bfeff037222f4ca3f5b
SHA256

8b0382f11f3da46441fc61def595d3bc6b8c710257bcde501f75873d808d0e19
SHA512

8ef1a0d1f1e3815120caac45b8f3d4bddabed96b1011c945541506d1fca395264b7ea7aea7b84a2c3680e4b44b5fa167536ff40aa4683d5ab22eac169aa7c630
SSDEEP

1536:ZgvgkjsC/hHFo5K2rfnNNNpujrHVcM4ETrAPgnDNBrcN4i6tBYuR3PlNPMAZ:p/oq5brfnNNNpujr1pLTrAPgxed6BYuL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pengdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dekhneap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdhfhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkhibmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqnaim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okloegjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becifhfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafbne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddojq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cknnpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboigi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckajehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbbbabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnjjpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmeobkq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe

Executes dropped EXE 64 IoCs

pid	Process
4212	Oqbamo32.exe
4480	Ogljjiei.exe
4896	Oqdoboli.exe
2424	Occkojkm.exe
1300	Okjbpglo.exe
1920	Oqgkhnjf.exe
932	Okloegjl.exe
1464	Onklabip.exe
2872	Ogcpjhoq.exe
4068	Ojalgcnd.exe
1256	Oqkdcn32.exe
3112	Pgemphmn.exe
3676	Pqnaim32.exe
916	Pclneicb.exe
4484	Pnbbbabh.exe
4780	Pcojkhap.exe
4308	Pndohaqe.exe
876	Pengdk32.exe
1668	Pkhoae32.exe
1836	Pnfkma32.exe
804	Pkjlge32.exe
924	Pbddcoei.exe
1904	Qgallfcq.exe
1152	Qnkdhpjn.exe
3612	Qchmagie.exe
4332	Qnnanphk.exe
1052	Aegikj32.exe
4372	Ajdbcano.exe
2068	Abkjdnoa.exe
4348	Aejfpjne.exe
2636	Aldomc32.exe
4772	Abngjnmo.exe
3192	Acocaf32.exe
632	Alfkbc32.exe
1284	Abpcon32.exe
1044	Aeopki32.exe
4284	Ahmlgd32.exe
1208	Ajkhdp32.exe
528	Angddopp.exe
1444	Aealah32.exe
2400	Ahoimd32.exe
3056	Abemjmgg.exe
4992	Becifhfj.exe
2836	Bhaebcen.exe
1700	Bnlnon32.exe
2224	Bbgipldd.exe
3956	Bdhfhe32.exe
3960	Blpnib32.exe
4980	Bnnjen32.exe
3644	Balfaiil.exe
856	Bdkcmdhp.exe
4776	Blbknaib.exe
5004	Bopgjmhe.exe
4884	Bejogg32.exe
2992	Bdmpcdfm.exe
216	Baaplhef.exe
2312	Bhkhibmc.exe
4436	Bkidenlg.exe
2740	Cdainc32.exe
412	Chmeobkq.exe
4840	Cklaknjd.exe
2044	Ceaehfjj.exe
2452	Cddecc32.exe
3552	Cknnpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dddojq32.exe	Dafbne32.exe
File created	C:\Windows\SysWOW64\Dhpjkojk.exe	Dddojq32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Bnlnon32.exe	Bhaebcen.exe
File created	C:\Windows\SysWOW64\Fnhfnh32.dll	Cdainc32.exe
File opened for modification	C:\Windows\SysWOW64\Gmlhii32.exe	Gdeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Gokdeeec.exe	Gmlhii32.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	Jcllonma.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Gbdgfa32.exe	Gkkojgao.exe
File opened for modification	C:\Windows\SysWOW64\Becifhfj.exe	Abemjmgg.exe
File opened for modification	C:\Windows\SysWOW64\Fojlngce.exe	Fkopnh32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Bkjhib32.dll	Abngjnmo.exe
File created	C:\Windows\SysWOW64\Mhciec32.dll	Clnjjpod.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Miemjaci.exe
File created	C:\Windows\SysWOW64\Pbddcoei.exe	Pkjlge32.exe
File opened for modification	C:\Windows\SysWOW64\Cecbmf32.exe	Cbefaj32.exe
File opened for modification	C:\Windows\SysWOW64\Clpgpp32.exe	Cefoce32.exe
File opened for modification	C:\Windows\SysWOW64\Jmknaell.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Cknnpm32.exe	Cddecc32.exe
File created	C:\Windows\SysWOW64\Eocenh32.exe	Eleiam32.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aealah32.exe	Angddopp.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Eheqhpfp.dll	Iiaephpc.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Blbknaib.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Keoakjca.dll	Cddecc32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fbegho32.dll	Baaplhef.exe
File opened for modification	C:\Windows\SysWOW64\Eoolbinc.exe	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ehljfnpn.exe	Edpnfo32.exe
File created	C:\Windows\SysWOW64\Jgbcdnbb.dll	Gfembo32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jmknaell.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Pcnakq32.dll	Ogcpjhoq.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Pcojkhap.exe	Pnbbbabh.exe
File created	C:\Windows\SysWOW64\Jpgmha32.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Collmj32.dll	Ehljfnpn.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gbgdlq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9320	10112	WerFault.exe	465

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnfbohh.dll"	Pndohaqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmlgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldggoeb.dll"	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhkffjm.dll"	Clpgpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll"	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicinj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baaplhef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becifhfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkgaokd.dll"	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aldomc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll"	Acocaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flqimk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll"	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhaebcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4212	2560	02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe	83
PID 2560 wrote to memory of 4212	2560	02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe	83
PID 2560 wrote to memory of 4212	2560	02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe	83
PID 4212 wrote to memory of 4480	4212	Oqbamo32.exe	84
PID 4212 wrote to memory of 4480	4212	Oqbamo32.exe	84
PID 4212 wrote to memory of 4480	4212	Oqbamo32.exe	84
PID 4480 wrote to memory of 4896	4480	Ogljjiei.exe	85
PID 4480 wrote to memory of 4896	4480	Ogljjiei.exe	85
PID 4480 wrote to memory of 4896	4480	Ogljjiei.exe	85
PID 4896 wrote to memory of 2424	4896	Oqdoboli.exe	86
PID 4896 wrote to memory of 2424	4896	Oqdoboli.exe	86
PID 4896 wrote to memory of 2424	4896	Oqdoboli.exe	86
PID 2424 wrote to memory of 1300	2424	Occkojkm.exe	87
PID 2424 wrote to memory of 1300	2424	Occkojkm.exe	87
PID 2424 wrote to memory of 1300	2424	Occkojkm.exe	87
PID 1300 wrote to memory of 1920	1300	Okjbpglo.exe	88
PID 1300 wrote to memory of 1920	1300	Okjbpglo.exe	88
PID 1300 wrote to memory of 1920	1300	Okjbpglo.exe	88
PID 1920 wrote to memory of 932	1920	Oqgkhnjf.exe	89
PID 1920 wrote to memory of 932	1920	Oqgkhnjf.exe	89
PID 1920 wrote to memory of 932	1920	Oqgkhnjf.exe	89
PID 932 wrote to memory of 1464	932	Okloegjl.exe	90
PID 932 wrote to memory of 1464	932	Okloegjl.exe	90
PID 932 wrote to memory of 1464	932	Okloegjl.exe	90
PID 1464 wrote to memory of 2872	1464	Onklabip.exe	91
PID 1464 wrote to memory of 2872	1464	Onklabip.exe	91
PID 1464 wrote to memory of 2872	1464	Onklabip.exe	91
PID 2872 wrote to memory of 4068	2872	Ogcpjhoq.exe	92
PID 2872 wrote to memory of 4068	2872	Ogcpjhoq.exe	92
PID 2872 wrote to memory of 4068	2872	Ogcpjhoq.exe	92
PID 4068 wrote to memory of 1256	4068	Ojalgcnd.exe	94
PID 4068 wrote to memory of 1256	4068	Ojalgcnd.exe	94
PID 4068 wrote to memory of 1256	4068	Ojalgcnd.exe	94
PID 1256 wrote to memory of 3112	1256	Oqkdcn32.exe	95
PID 1256 wrote to memory of 3112	1256	Oqkdcn32.exe	95
PID 1256 wrote to memory of 3112	1256	Oqkdcn32.exe	95
PID 3112 wrote to memory of 3676	3112	Pgemphmn.exe	96
PID 3112 wrote to memory of 3676	3112	Pgemphmn.exe	96
PID 3112 wrote to memory of 3676	3112	Pgemphmn.exe	96
PID 3676 wrote to memory of 916	3676	Pqnaim32.exe	97
PID 3676 wrote to memory of 916	3676	Pqnaim32.exe	97
PID 3676 wrote to memory of 916	3676	Pqnaim32.exe	97
PID 916 wrote to memory of 4484	916	Pclneicb.exe	98
PID 916 wrote to memory of 4484	916	Pclneicb.exe	98
PID 916 wrote to memory of 4484	916	Pclneicb.exe	98
PID 4484 wrote to memory of 4780	4484	Pnbbbabh.exe	99
PID 4484 wrote to memory of 4780	4484	Pnbbbabh.exe	99
PID 4484 wrote to memory of 4780	4484	Pnbbbabh.exe	99
PID 4780 wrote to memory of 4308	4780	Pcojkhap.exe	101
PID 4780 wrote to memory of 4308	4780	Pcojkhap.exe	101
PID 4780 wrote to memory of 4308	4780	Pcojkhap.exe	101
PID 4308 wrote to memory of 876	4308	Pndohaqe.exe	102
PID 4308 wrote to memory of 876	4308	Pndohaqe.exe	102
PID 4308 wrote to memory of 876	4308	Pndohaqe.exe	102
PID 876 wrote to memory of 1668	876	Pengdk32.exe	103
PID 876 wrote to memory of 1668	876	Pengdk32.exe	103
PID 876 wrote to memory of 1668	876	Pengdk32.exe	103
PID 1668 wrote to memory of 1836	1668	Pkhoae32.exe	104
PID 1668 wrote to memory of 1836	1668	Pkhoae32.exe	104
PID 1668 wrote to memory of 1836	1668	Pkhoae32.exe	104
PID 1836 wrote to memory of 804	1836	Pnfkma32.exe	105
PID 1836 wrote to memory of 804	1836	Pnfkma32.exe	105
PID 1836 wrote to memory of 804	1836	Pnfkma32.exe	105
PID 804 wrote to memory of 924	804	Pkjlge32.exe	106

C:\Users\Admin\AppData\Local\Temp\02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02d73beb1b6a17c441e8110f8a82a250_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Oqbamo32.exe
  C:\Windows\system32\Oqbamo32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\Ogljjiei.exe
    C:\Windows\system32\Ogljjiei.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\Oqdoboli.exe
      C:\Windows\system32\Oqdoboli.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Occkojkm.exe
        
        C:\Windows\system32\Occkojkm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Okloegjl.exe
        
        C:\Windows\system32\Okloegjl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ojalgcnd.exe
        
        C:\Windows\system32\Ojalgcnd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Pgemphmn.exe
        
        C:\Windows\system32\Pgemphmn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Pclneicb.exe
        
        C:\Windows\system32\Pclneicb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        23⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        24⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        25⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        26⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        27⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        29⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        30⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        31⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        35⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        36⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        37⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        39⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        41⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        42⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        46⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        47⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        49⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        50⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        51⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        53⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        54⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        55⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        56⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        59⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        62⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        63⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        69⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        71⤵
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        72⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        73⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1288
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2060
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        76⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2144
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        78⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        80⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        81⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        82⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        83⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        84⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        87⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        88⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        89⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        91⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        92⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        93⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        94⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        95⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        97⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        100⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        103⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        104⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        105⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        106⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        107⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        108⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        109⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        111⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        112⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        113⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        114⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        115⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        116⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        117⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        118⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        119⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        120⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        122⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        123⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        124⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        126⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        127⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        129⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        130⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        132⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        133⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        134⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        135⤵
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        136⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        140⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        141⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        143⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        144⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        145⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        146⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        147⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        149⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        150⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        151⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        152⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        153⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        154⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        156⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        157⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        158⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        159⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        160⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        161⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        162⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        163⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        164⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        165⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        166⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        168⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        169⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        170⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        171⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        172⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        173⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        174⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        175⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        176⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        177⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        178⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        180⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        181⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        184⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        185⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        186⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        187⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        188⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        189⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        190⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        191⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        193⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        194⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        195⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        196⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        197⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        198⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        200⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        201⤵
        Drops file in System32 directory
        
        PID:7172
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        202⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        203⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        204⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7412
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        207⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        208⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        209⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        210⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        211⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        212⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        213⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        214⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        215⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        217⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        218⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        219⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        220⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        221⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        222⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        223⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        224⤵
        Drops file in System32 directory
        
        PID:7200
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        225⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        226⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        227⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        228⤵
        Modifies registry class
        
        PID:7532
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        229⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        230⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        231⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        232⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        233⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        234⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        235⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        236⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        237⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        238⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        239⤵
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        240⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        241⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        242⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        243⤵
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        244⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        245⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        247⤵
        Drops file in System32 directory
        
        PID:7400
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        248⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        249⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        250⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        252⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        253⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        254⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        256⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7944
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        258⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        259⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        260⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        261⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        262⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        263⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        264⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        265⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        266⤵
        Drops file in System32 directory
        
        PID:8452
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        267⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8540
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        269⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        270⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        271⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        272⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        273⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        274⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        275⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        276⤵
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        277⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8972
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9012
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        280⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        281⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9140
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        283⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8060
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        285⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        286⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        287⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        288⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        289⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8532
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        291⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        292⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        293⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        294⤵
        Modifies registry class
        
        PID:8816
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        295⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        296⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9020
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9084
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9164
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        300⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        301⤵
        Modifies registry class
        
        PID:8264
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8336
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        303⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        304⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        305⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        306⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        307⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        308⤵
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        309⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        310⤵
        Drops file in System32 directory
        
        PID:8232
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        311⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        312⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        313⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        314⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2848
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        316⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8536
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8936
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        319⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9040
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        321⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8660
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        324⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        325⤵
        Drops file in System32 directory
        
        PID:9220
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        326⤵
        Modifies registry class
        
        PID:9268
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        327⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        328⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9396
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        330⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        331⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        332⤵
        Drops file in System32 directory
        
        PID:9516
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        333⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        334⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        335⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        336⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        337⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        338⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9772
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        339⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        340⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        341⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        342⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9996
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        344⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        345⤵
        Modifies registry class
        
        PID:10080
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        346⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        347⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        348⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        349⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        350⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        351⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        352⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        353⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        354⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9552
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        355⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        356⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9724
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        357⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9836
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        359⤵
        Drops file in System32 directory
        
        PID:9896
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        360⤵
        Drops file in System32 directory
        
        PID:9980
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        361⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10076
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        362⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        363⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        364⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9340
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        366⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        367⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9976
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        369⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        370⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        371⤵
        Modifies registry class
        
        PID:9992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        372⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10112 -s 396
        373⤵
        Program crash
        
        PID:9320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 10112 -ip 10112
1⤵
PID:9260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
a9249e918861196a704cb9f8dde262b9

SHA1
3ffad376654f59f4b68c8ab9babcb5171b0d1721

SHA256
9f20b7173013547a5aa507eb9041b4d8644683605f2b73b3d6bf54b1f8b556ab

SHA512
14140096a68a97e79ab82677e01b916fcaf66892667e12fcb166b74845395c4fc0087b7ab5696590f91318b9fa9f00fa4a0ecf83ad42f9ebf4df599430d4ba50

Download Submit
C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
96KB

MD5
23b3045667a92cccc9b9c97b25ee18ed

SHA1
3e796622047a91432dfb941acacd98df60251e02

SHA256
ab3c9ae8fb07fa999968356fa14fb1d4c10c23110a159dde578777712fd410ae

SHA512
329dec3414b4bc3383111e77b2b7d49da6ea59c820541837123514cc6924ee2b255926865d830d023443d2db88145929750e5e3ed073b38d3315d4df9ad0a45b

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
96KB

MD5
be93001feffa029770f41a53964edc80

SHA1
bad9d422bc0be3a377d3a4c73f48bc9474a5d6f5

SHA256
07191eada31b3a50813c9daf9b41f8df7cf35f69cb4594f792238cfa5ee97324

SHA512
c316989cbc7ebe4bc58e0c1552a70987f6edd9650a34a3e881c34d4a5811d7e8cb85632d934c0575f0a8e91cdac4cee223c2c0f7d8e2530858be14a9c63209d6

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
96KB

MD5
1cbb0149cc42004d72f0f4c725472501

SHA1
9335e56cd5cbf1a12118b274c57395dd4884fc9d

SHA256
c404aeba6554f53e58b9ef1ce994fd11e1e643da045096fba75ce85fe68e6576

SHA512
f530f81e747e62efb33068fed6edd4d50cfd14becdcc6c941479609efbb98c17eafbdf7f7331c13a6bf2b9d5bed367e33cd14d9a120a44004680c213ee33ff08

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
96KB

MD5
c6dca4ae009192aa0c09f825d55d8630

SHA1
c257dbe68ec2f26ff0f0a0da8aac71ce4191868f

SHA256
027064d620bb163ebfbf3e8feac3d4105e8aca4420a1f39f4fd658c189563749

SHA512
ee4f47dcba7f417c53704361ce3875d5385c61c98493c6b6a82d0251bb3492e6b8fc19190bc2f45dba59a49ee8cbeb42b6edd76bb1e3a54fca89cc16fbebb69e

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
96KB

MD5
ef8769e1ddcb95a96ffeccada714001c

SHA1
880e4d97302afe428b6989dbe858c347c28244c8

SHA256
4747cc705530f757c81a6f20d7ce8d07065421cd9e2209a4b06ca45f5b61e957

SHA512
e5160fc60d104e7364577b2b0e42450138dcc8e120c7ee2d54d152984c11da4f1329584c8f2e92247cd9d506e68416b7587678cb080f1a05754941e3dddf5577

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
96KB

MD5
38fb33d22de68407e8ee5014aff58043

SHA1
f5b9eea86bdd43c95f68fa97e685e3541a096685

SHA256
c111ef46055b895bc563ed49682b555223297e0336dab2ba11bc18f1729c1379

SHA512
1fba98ba6eb755868392808bcea71ff7315cbf169ffefcd666343bee0e62afc0c0956ee696af9c484c812b0683fc1a4f1644f47445096a58693c869712893bdd

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
620be7f258dbb934a4809c2e79412a02

SHA1
69df3373a7a2306438cb30023c205a63c3371a77

SHA256
c69a790bdc9f23676a699503d74709e4bffb7e9da995edc503e8356c94c1b8e7

SHA512
70e7402580012f2c7b3081453e5d0619f63c4d87a9b9d41be6b955909e5b87c0f4a30c4032f70a9717e82fa74590950545e6698462c5c20b7391a21ae9025f2f

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
64d0bd6746f3165d4340f8908f8733cd

SHA1
ddb4d4c8ee86e878ce3fe431e73ab46fcab22ccf

SHA256
e04fae06d11aaf0429fe2c08f617a96e8ac0ff516631ccb935c0ebe6957b68a2

SHA512
7801847549c03aa6ab25af30267c9dc9046080402292e826ca74d48155836760ba1daacc137e1419f575bbaa12f2e82e49794984e7e8afd38593e87b20f934c4

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
ec021fd59f072775940eca10cd3b97ab

SHA1
4c1c002011aaa4d1704ba746415f38dd182a2799

SHA256
33110a4f1baa37144c93be57e554bc7d3f70f4ca664f46419835b7ec7f359437

SHA512
9c2a23cb4a41ac835c3e106e994b7320abba17b04cbb4bec91a709ed8509cbfd252ccf18a884532db9ac26e486a84662fcf108ed7d62a748635baa511f258e94

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
c010c8dd10537d89d737cbbd3777e240

SHA1
6741ba3bdd406b120de5388382eadc0ba755c769

SHA256
53d5b172e7b65198fbd70522add4807e9184bea8ecf641e28d7fe57517beff7a

SHA512
47613850fbe16b1e17f30622205956cc8c955d67b3b47dd81edabde6c5aefd5d27e899b7dcb07b2fbfc23ce6b64f5c0c47a88a28e69d022c7ac7519f1b8ce230

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
96KB

MD5
da363804f31d1bf36266db792a0f89d3

SHA1
9bdca28c0b47e64a0c2cef7a04a584ee3dcbf100

SHA256
b7f32371f2b786272d81d5764ed2ad6ecf53b400d910b2f7d595ed1bb77b97b3

SHA512
efb172fdd4405b9d5c480cd2c059a8ca0e098ab294cc74a4fab4af81fea1f0cd359d804d5f5835dec9144eeb298f4e939ce804b398e2aa7e696aaa612a6c1bb8

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
96KB

MD5
259685f89f5f24da0dcf6052b5c567b7

SHA1
74f290cac06cf41d885c7885c2a5b25bbff41ea2

SHA256
8b01599fe816227a7a1883d7e87c6452bcdd898e0ab7df04cff6949ef3ece13d

SHA512
9201af07420bb28780259aa88d4e4f81a2d6b865aece5268b3b3b5a9d2f39af9364b0df43e14894d1d36e622cc13faa7abab7e404fe3b4ffd7d9060cb0b5570e

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
96KB

MD5
d3ad9a6c163f9bcaa9e093f49df51ecd

SHA1
e11763497577ca75b75a4dd53a95db421ac500ff

SHA256
b2bbc865d2d8df26a93e074eaf2f86a1d49d3f981641579c47611df33a2376d9

SHA512
819bcd291b662d83f25791282a05fc7dfee4e32707737904b17975de75290fd45543d69b014e1d05b0cde5cf1b807632fbc8949aa465ee9f949b1cd982d37222

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
96KB

MD5
257a8a9278d5148527cadb09cd22bb1c

SHA1
158403041e940dc83d996c4a1e3986cab861dd93

SHA256
9f67005190c4c578c5f00d0a562afab0f7632c2ac485942e36ca6aa9ebe5ee1a

SHA512
a34de9a904f30901a7a9120ffc126c03c6b2d497677dcf8d462f00cb24537528605955a79fc52d89cbeaac3bf525a32b10955b75478876c73cd7f7da9fef499a

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
96KB

MD5
60520b9e0ec2dff87cbb045d4a837d8e

SHA1
136ccc4f96631e61675b5677e3ed900165b63118

SHA256
a09f31a065c43b7652772da53ca1dc1de5dfe3488ee296fb1113140646a95fc0

SHA512
c9f74713ab495a75c36de0f439f432745dd65ca765cf7865cd72ad90c16eb93d61172060eda529315aa52361bd66b84545370ba11f42e2cc32c0abeba0b0c1bb

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
cdbb187d2c9815824682f1a6e815cccb

SHA1
0618d866612531dfd302fbc1276ce741b9a30282

SHA256
19e5f44b2394b5b29e817c56e6876601ef7bf13f2ed7620b1996b2bfbd9c3e57

SHA512
fef9dd071cd8470c679ecbd5daee5fbf06502429d87db02359e7b0bcf8fe718d22b7dfa0fd783128f8829f7a8be6a94f3d370e3ce8d4280a9a4fb0322ec27de7

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
e70aca156196cc78b7920eaeaf75a679

SHA1
12a350d8f0fac1d1554077b4d51efd6a2a33a4b4

SHA256
9796380564016e16a320a987fa8bd5487ef5f62a29a712a14ba99c19e96278f8

SHA512
1f284212ea56ca04bd825f906936ac9bbc5208e8a7d5532c62eff51198e76ce553937e729b63eedf2c98bf270983539bd9843fb75f748a14df0acd0e237a5a48

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
0a52f003e12eb93f20dae6657eea8515

SHA1
8d463025096a70f2d6105a0900bdf8e11a08632f

SHA256
228ec2e8085fafee9886c7af021b8b8a0d9ab9cb4f69d6cb0311fe1eaadbd227

SHA512
a5bb6377b7c005a4484326e41564e6941cc9db872653fff41ba9f6ee708789e8d18cd094b4651e534964b0853168a50ea633caac681eea52ae8ca964d74c069a

Download Submit
C:\Windows\SysWOW64\Occkojkm.exe

Filesize
96KB

MD5
7cfeb822e439623a9e69b5085badc564

SHA1
315f0b141dff4e1da28fa2db76b64b9c3d0d5892

SHA256
bbeafe427f58be1e4baac2ce49204c081ac79c7ec8b450a5ea7f5a83fc84e9f3

SHA512
b4cf3b91bdce02fd7afee453aac8ec99a21aaada9a49fcbcb4c8a971f7ddd763eea8ecb00f288cc06fc3b87e041febf337e14225a91c8b882df27ab9102dcac4

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
96KB

MD5
5169bf7a705291738fabc3de6f07323d

SHA1
54216d6f21b717cac11aafe2d71fbc8f0237ff72

SHA256
fe4174a59f80c1e8fa96add1c68a4d00ae2a23f1f111d81f7c7b1d330c5b6232

SHA512
57f91e85415514587a3840b465e9bfbb396009fc76e0d8bc9bfb77118e9ed6cd6a58ffb2df42bc07725c9becf70ffa867bc12af210ebfb9078e4748ddcfec78f

Download Submit
C:\Windows\SysWOW64\Ogljjiei.exe

Filesize
96KB

MD5
c5ad197c7ae5c89a6feee475ab392a47

SHA1
55ee8749048b10512698ab67cb24505b8c062b08

SHA256
acce7eddc3dfa9e5d49dcfd05e6fdc6f030034c710d519e0064fa3b4df90497d

SHA512
7be6e014221010962a4f7b7795ca8865523dbed56f50cde1e02615efd42101932cce7ff3cf5c1f6edbbd8d486a9c70e9e20a3a77c2a3b21717db913b96d67a3b

Download Submit
C:\Windows\SysWOW64\Ojalgcnd.exe

Filesize
96KB

MD5
a65b2feed07ec5d75f4a584fbd4e96c7

SHA1
059b8718b1fe9e3374477964d33a6d3ce7e6f584

SHA256
86a0fba72698f8bed3bac3e249f950920fe390d3e63d48193f0cb13d08e93643

SHA512
4d77455422ada7baba3ebe91cbcf15f4747bcae614a0b835b10495abee84b2288cd0c65c73c3f20bf0592e8159b9a5af47d6ae7c2879f3e9af06467bcd365ae0

Download Submit
C:\Windows\SysWOW64\Okjbpglo.exe

Filesize
96KB

MD5
07b2068ab7f59b61174fa0687bc225aa

SHA1
8d69106f60c077d0ca1526819372cd5f41e6b3d9

SHA256
a04002e8dde7fc560cf678754d3d438629c77949ec2a6877e37473760f4b6047

SHA512
389d24fe9970b4c4105f5f28bf7d931b39e14e9f79de3d3bdcf9f0e338676b8f97d9eb8f78819f834abeb5befc6554e165aaca224e18694f70890cdb1de23c36

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
96KB

MD5
5662435b09ee2fb6143f34d2f31ac513

SHA1
6e3bb665ec337a1e1819400aee4edc23f4ea734c

SHA256
5ea1d3e29b664f8f703025f20855dfb804cdd625179cadb4af3cde3a00b2edf4

SHA512
b5a67d4d84ae8f93581369111e1592a446c967c10f5f4dab24f5dbf61215952edce3b8f0f44d4e8915e3089a33ce3b3aa8ba47c4e570e8bfdfab98e9114eb788

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
17d89820a05f1d4b0516db8a0cf6556f

SHA1
04da5c757265b5f28d5ea82349c3fb99a9b53772

SHA256
e8dfa93bc2ccfd559e56d96713f113830a0c459c352dd40be195279bc1c56710

SHA512
3d70bd4f8481fc8aaf982fd471d2cb7d5ae143430b40b278162c6a3f2bcf180c5dfab82edc88d41d7582f04c2592c6987105fa7e0ef15e1ffa597745737b8517

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
96KB

MD5
3c4393c751438a09aef2937e6705d84f

SHA1
af02aa8ef01e6ca199eeee231751ca12a12d428d

SHA256
a1fbf795c6a69f057363c0227f0fc9a46c9d325a585d7b4d582429430c5b7dfd

SHA512
09205a961a485176d1e63174aa58804b847aea76e4dd049f8eacf96699d5593c1003dc137173208f877b94330e0f5192a42ffc8be2673fd40966a673f5fbd0fc

Download Submit
C:\Windows\SysWOW64\Oqbamo32.exe

Filesize
96KB

MD5
be78e1462416f013951569f0edae11dd

SHA1
803e169dc49f31e64f176bf1129918534b59ad72

SHA256
5f5190a50d94348fc50f6abebe46b4cb27fd995625b99d892f60bb5d9438d986

SHA512
09ab6a7c49c0d8f2dcbb0ea208d64a48c1f677c1059989625aa6c2fba49a93fa34601423a9d84b37457ac6b1c4906d288ff35a811387e11f6c78be9f223385c6

Download Submit
C:\Windows\SysWOW64\Oqdoboli.exe

Filesize
96KB

MD5
78628dcf7a1c9b8acc4c0889fc511e88

SHA1
04c2946fa2f8a38683315031034e0f929118e22a

SHA256
a9176508bead7f6da14b8e9519c1d4a1ea46aa307adca9fb5e699bb4dd51b83b

SHA512
8467450d94d6f631e5c65714152b81181d6d71f01702e54fd61ab8c7da81dbae06b2b113568edbcdb6e3ac31e05e08133ce277f07fd411ba07b0c597090b5904

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
96KB

MD5
4ef3ec0f77b2ea685e02718c107f872d

SHA1
76cebc1c0d18547ec086ca6f63bcd6733561c264

SHA256
183e7a20cfd60fd4a447f69e68b83da99f9a5cb14da77c3c053dd25ebe866a8b

SHA512
6f676002fec24f38c98b657ee48116955de31b6528fe278c24cd92bd790d0c955c7ee12cc147f0b037bef8a53d3c5e9cc6ad58faba10abb7b4f20e402051573d

Download Submit
C:\Windows\SysWOW64\Oqkdcn32.exe

Filesize
96KB

MD5
e684c503d51e67cc8f72da7e6009b00e

SHA1
cfaafb05b66505fb9f48e39d6717dc9eb46811e6

SHA256
ac7a12941e46659afee96359b15d6cbb3c3147c55f2f3f26d4fe11b3b65c952c

SHA512
ed3b8ca5105eaa8e48039bc5a3fe6d6f1811ea0960ea8e34c981896a8be984171e00a7556e4844e8699bf4e6ce5d39656567eaa257f17acf09703013cd04f733

Download Submit
C:\Windows\SysWOW64\Pbddcoei.exe

Filesize
96KB

MD5
c72ec1e75dba978f99c6974409e61b4e

SHA1
e198daa4e3ecff98e69f1e20348cb0df19a6d04a

SHA256
47da0b453c4363394549ec942e13d0a0060c5f61543a620414788a9879ea9f5e

SHA512
0e19ea8767a449dd75049bd602ef12a3f4356b69fa540a0b9083ea9c2cea1dc4ee69550f4940a82de9624a5a2569682a1a4ec27ea3b8ff5e8e0047091db10b49

Download Submit
C:\Windows\SysWOW64\Pclneicb.exe

Filesize
96KB

MD5
3c6b8bef835fa1c0c6b9b3c9a1695f0b

SHA1
5ae4fe39d3e779d2d65805a74c307ebdbcb7ffe3

SHA256
df0ce1ae584e4bd780990e8216f70a0bd044a8156315a6fcfbcc0e1eed1e073f

SHA512
156bb9b09e201f3345aa6b63adf7b2085c00db888bf9df8405bf6c0a73244e624d79408eee38eb69e264d826a1c38c8307f293aeb008143e22d885200123097f

Download Submit
C:\Windows\SysWOW64\Pcojkhap.exe

Filesize
96KB

MD5
acaf1842784d0224c75d074cda68d33f

SHA1
4a82169b9ca11ae84b1744036b7978b392af2402

SHA256
9d803a55729b334ba9171856f8b10b9aa70360aee3fae0d9158edbfab17367d2

SHA512
53edd2d95d35c11eece8e1bc3a06e45bca8d427a42c50fb165ffed0984876c9437db87888499aef8a0a40991b20f937a6fad3f0b442e9590c910e6c9211116b7

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
96KB

MD5
aef60b78d61c893e71fc514cf8c94e69

SHA1
3f1e6cabcf12c6e2c30a918a0500e50bf35e9b94

SHA256
5d0ab2bc50a7a6815f07291ab137969b4f72dd5579624f8ba4482b395bd8023e

SHA512
9abeba7d7562f954ce409271c873006e67c89c8180701dc4955b22b161cfced11a0df6af641dae37bd44e538a3c1598c75d2398bfde8fde842a7510275791f54

Download Submit
C:\Windows\SysWOW64\Pgemphmn.exe

Filesize
96KB

MD5
ac396673f59d2cbea0a426200607a722

SHA1
303511bc91fa356ebc79de6792ae88226ed7c973

SHA256
4f4db19eb2c028e3e71313c72dee2d70ec60d3fdca4e918999b1e7f631e38db3

SHA512
4fd5602725b37b0835250266242704c2371f6d04645f35410b992ad102b5a311f5886d1752e9662823f4d6abbfff24d1e154b5f224e2a0ff0db84eb26a2cfafb

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
96KB

MD5
3ec950bc47948ad531727bae9bc8a8ed

SHA1
47e6e9897ab93339c7b4e39cf51383f83c81850d

SHA256
9b6ca907a328baa6e56c703caa263d8d129531b48a23b6a305a8fc762bf65d80

SHA512
655fced71dfe4374ae39493211eb5b825789a2e4e78fb5fe7a09f805f31c03d8ce55f40d9f44f8afb56128e9badf4b36e7bb30c484e0cdb49bf9856eddefc74b

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
96KB

MD5
b5d590ede8541ef8fd907ee07b42385e

SHA1
0d98b31831f0b0d0b5831640c97e597126ea43a9

SHA256
7d91c4fff8f4c23fad1fc84c5830561565fddd7872850ff2692615383ce4ced5

SHA512
a2a0854cad228de806bc686662c18890b753ce0c10de40ae1b885911d587a853d5c5422c9a1ca93f70b7d8b080a81894c4d693585c3f8e936251d754e9483aad

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
96KB

MD5
e2f6b69425c83d34f1b987e96b68716b

SHA1
e842ddbbeb2c6b25876fde4f6a68e637f0bd5cef

SHA256
f979e2f34f7fbd8d1f2ff079fa1641844c7586b7a27b183e4262bd4c9f439962

SHA512
06a242ebae84de23aebe4750a270836f375706899ededc3f2682a83326933dde1be286bf9c4f2f46ba552f7df0328da192f415747a3ba4cf66e99fd16c57453a

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
96KB

MD5
058b71c615d0bec57a76b9dbe699c5fe

SHA1
44950551c42fa538a93d68e995cd3c094e1ce568

SHA256
e4c911c3197f1da6ba10b25ef46662d6b36a0f02e97b6584cdb9075484fd8d68

SHA512
13095b8fff6682cf44e14103fbfc789eb2f7048e23db2ec5b0b8bfdc20a4ef51c4efb81ab9f9a79ddc13c0736e3fe55be494dcd2eaae08d775e30fcfbb37ddac

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
96KB

MD5
37735345bb04ae078be59f148c9d0a08

SHA1
869b2b34fa92467f1593054785563dc4fa82ef8f

SHA256
f317c43ceb3c25c1d6a373b4427cefddb726668d90788a9a5a334311ec4320a7

SHA512
f975f0f7e5198339ffaea45d763ae4c65fcfbd4295874fc0cc771d1c96bda7d1b1c77e9889120074d38f6120a0a8ecdc6081b6539b305448557250ebc6f9ef7e

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
6b1bc28ae05ab748a00a31dd84beb926

SHA1
e10d05407cfd728a702c943d0c14c1b4e5ab5060

SHA256
6a5f28ef3816e25b0c7076db42af5eee110185efdf8a7893db9dda8918cce8e8

SHA512
f21cf42c643473275ff77460d30e096aa7f74c3263918ce37855dfd7706f1e98827ac4ba0e2a0d132a49a39a00799542d7975078c39379e2f1d716564f5dbb03

Download Submit
C:\Windows\SysWOW64\Pqnaim32.exe

Filesize
96KB

MD5
257affa0d45c2a05d18d6888a28aeb40

SHA1
70445aedfad0720480e8b4a18107029699bc3885

SHA256
8d32ecdd15e11e38b197400f72e4a0d988763dd3e6b9b258b403c70883e4a938

SHA512
48603f51e14b0bef21f2cedc5eafcc74fefe12ba78b67ce21bb0dbce594cd804e8f4288b65eb58a947b52d7a754ed02e062eb36b68307c03c27664a85a8f28d8

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
96KB

MD5
3dd6c11ce3bf61a68db30b230efab4d3

SHA1
456086e97b1d66f75992167656d295dede37887a

SHA256
4933387c171da0bbfd1fa2247db7489d11964f6766ad590796983b38706ee185

SHA512
533da1f314e717ba35e51587d0d00f6a97268e959e258798bd81e2bef67e11629fc48cade08ba6b154685273d9e04cc73ef9f93cd6a1f12b749ad9035770401a

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
96KB

MD5
c96615238b5d890a466274feccc37167

SHA1
218c5b82bc098e543a5cc6aa4f63ebb1725357bb

SHA256
39327be3c85f98ee5545de0a2b1f48c2ca81646d9d46d665df752174c850e097

SHA512
87d56aef62ecb8070b9ea7fcfd273c2a4ac5b5f514d85f2199c6abe51db24f4c4709ec792661d474855ac830f7781bdee5fd3e59890eb8bf1ce3cf82da30f8e5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
d76313e25d172f6f2aa90d0297a54357

SHA1
e9368f8268dbdbaa71d120422bfa3dde615cb765

SHA256
3dd0d408737804da88d99df37a6b4f5e39f2764a49e64d5f8a7bf1fa659d7c56

SHA512
b23699eda6c092b445e29134d4d2e0327a4e099df156685e6aed9f98cf6ace1aac9bf520083c03b8ba6a30f07b5c3e22bff59c18b42301ea18912f85cc4eba4b

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
96KB

MD5
822149a0c06972d7ffa2c68c66f0b0fb

SHA1
639baca6f62e560b06fb3a1e6a06f9740591870e

SHA256
68ed83d5c70d549eeb6287a36d4dcf49633b04c0efbec35ec5b6040573ac5c0b

SHA512
7dc8285d88279af7f259fe82a2f11bffb2d8778898839609cbf4891ea26e493f69b864575cb6cbacd3d7897385afdfb21f6b20bdcec6375d794c57e8c20e7b18

Download Submit
C:\Windows\SysWOW64\Qnnanphk.exe

Filesize
96KB

MD5
e1ce63914245d771b19fb4cab3b89ff7

SHA1
01945e1f721f3f6bc9317c0312913173912ec417

SHA256
af77ee59cf61808a7df1dce221f6e051aae1db8aeb2d559ac5e45bf23be6e3f6

SHA512
ed3735d893c3d48390a8800332279d4a722fa8e289751bb1d0aaf63924fd177ce7924248927be174577917780d256bb9be5098c05481163efdc986ac9dfe1688

Download Submit
memory/216-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/528-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/804-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/876-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/916-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/924-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/984-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1052-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1152-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1180-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1208-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1256-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1288-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1464-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1464-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2044-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2224-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2424-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2636-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2836-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2872-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2992-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3240-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3552-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3792-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3956-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4308-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4672-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4772-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-537-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-597-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads