c1341c7522858aed0ce0366e0baa06ffc97d6eb6de704b51972df1609a14b6f2

Analysis

max time kernel
95s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe
Size

79KB
MD5

1279a100db108e7709927f7156cd5020
SHA1

c26ff22030a2d43515f7a443bc0329fa72ad82f8
SHA256

c1341c7522858aed0ce0366e0baa06ffc97d6eb6de704b51972df1609a14b6f2
SHA512

aadf3c4fa70d822a708b85a68b12c5f1a80b87a095a368072820ee68b3fb6d4773e67ba05704c48ad1f77fdb0814f3268b933d243148ef2f2be02ebefddb5f64
SSDEEP

1536:H/5fv54lD0pWn/aDpKQEFvwu7ugUESiFkSIgiItKq9v6DK:f9SD8WxugUESixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbcilkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcjapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alkdnboj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnihcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjlge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paegjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pabkdmpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndkahnhh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemlmgnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbaemi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpnombl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnnjen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceaehfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hflcbngh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkobekf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdainc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blbknaib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkcmdhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeidoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fohoigfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe

Executes dropped EXE 64 IoCs

pid	Process
4824	Nkncdifl.exe
752	Nbhkac32.exe
4740	Nkqpjidj.exe
2072	Nnolfdcn.exe
1468	Ndidbn32.exe
60	Nggqoj32.exe
4532	Nnaikd32.exe
2396	Ndkahnhh.exe
4248	Ncnadk32.exe
1400	Ojhiqefo.exe
1108	Oqbamo32.exe
4660	Ocqnij32.exe
4812	Okhfjh32.exe
3860	Obangb32.exe
4360	Occkojkm.exe
4528	Okjbpglo.exe
2284	Oqgkhnjf.exe
4220	Ocegdjij.exe
608	Ojopad32.exe
1840	Oqihnn32.exe
2164	Ogcpjhoq.exe
2056	Obidhaog.exe
2288	Pcjapi32.exe
2176	Pkaiqf32.exe
3996	Pbkamqmd.exe
3472	Pghieg32.exe
1960	Pjffbc32.exe
4900	Pqpnombl.exe
1244	Pcojkhap.exe
4436	Pjhbgb32.exe
4600	Pndohaqe.exe
3276	Pabkdmpi.exe
2428	Pkhoae32.exe
224	Pnfkma32.exe
1584	Paegjl32.exe
3756	Pcccfh32.exe
2324	Pkjlge32.exe
4100	Pnihcq32.exe
3256	Pagdol32.exe
2856	Qcepkg32.exe
2532	Qjpiha32.exe
456	Qajadlja.exe
2580	Qloebdig.exe
1776	Qjbena32.exe
4948	Qalnjkgo.exe
2252	Acjjfggb.exe
3000	Anpncp32.exe
2868	Aejfpjne.exe
1000	Aldomc32.exe
1484	Abngjnmo.exe
4300	Aelcfilb.exe
2556	Ahkobekf.exe
1932	Abpcon32.exe
4144	Aeopki32.exe
2500	Ahmlgd32.exe
4028	Ajkhdp32.exe
3912	Aealah32.exe
4968	Adcmmeog.exe
1664	Alkdnboj.exe
4372	Becifhfj.exe
2296	Bjpaooda.exe
3116	Bnlnon32.exe
2348	Bajjli32.exe
3152	Beeflhdh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Obangb32.exe	Okhfjh32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Qloebdig.exe	Qajadlja.exe
File created	C:\Windows\SysWOW64\Fhpili32.dll	Eofbch32.exe
File created	C:\Windows\SysWOW64\Lgdalf32.dll	Ehnglm32.exe
File created	C:\Windows\SysWOW64\Gfembo32.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Bnnjen32.exe	Blpnib32.exe
File created	C:\Windows\SysWOW64\Jpgmha32.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Becifhfj.exe	Bahmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnnjen32.exe	Blpnib32.exe
File created	C:\Windows\SysWOW64\Dahode32.exe	Dojcgi32.exe
File created	C:\Windows\SysWOW64\Eadopc32.exe	Eofbch32.exe
File created	C:\Windows\SysWOW64\Kpeiioac.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jnmkhg32.dll	Ogcpjhoq.exe
File opened for modification	C:\Windows\SysWOW64\Pkaiqf32.exe	Pcjapi32.exe
File created	C:\Windows\SysWOW64\Qcepkg32.exe	Pagdol32.exe
File created	C:\Windows\SysWOW64\Blbknaib.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Hflcbngh.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Gfniiokn.dll	Pabkdmpi.exe
File created	C:\Windows\SysWOW64\Ienanm32.dll	Cbqlfkmi.exe
File created	C:\Windows\SysWOW64\Dccbbhld.exe	Dohfbj32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ncnadk32.exe	Ndkahnhh.exe
File created	C:\Windows\SysWOW64\Qgphkcho.dll	Ocegdjij.exe
File created	C:\Windows\SysWOW64\Bjdkjo32.exe	Blbknaib.exe
File created	C:\Windows\SysWOW64\Mdmaef32.dll	Dkjmlk32.exe
File created	C:\Windows\SysWOW64\Kplcdidf.dll	Eefhjc32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Aejfpjne.exe	Anpncp32.exe
File opened for modification	C:\Windows\SysWOW64\Fomhdg32.exe	Flnlhk32.exe
File created	C:\Windows\SysWOW64\Fooeif32.exe	Fhemmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Hmfkoh32.exe	Hflcbngh.exe
File created	C:\Windows\SysWOW64\Ibnccmbo.exe	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Fooeif32.exe	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Hkfoeega.exe	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jcioiood.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Hjqaij32.dll	Dllfkn32.exe
File created	C:\Windows\SysWOW64\Lmldgi32.dll	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Echmafdm.dll	Occkojkm.exe
File opened for modification	C:\Windows\SysWOW64\Ehnglm32.exe	Eepjpb32.exe
File opened for modification	C:\Windows\SysWOW64\Gokdeeec.exe	Gmlhii32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8872	8720	WerFault.exe	412

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqgkhnjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckajehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meknidfo.dll"	Qjbena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldgdago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqbamo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkidenlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll"	Ikbnacmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipnbb32.dll"	Ndkahnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eamhodmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll"	Dojcgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnaikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Megkhf32.dll"	Blpnib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmlhii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbaemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qajadlja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkjmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocegdjij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojjqlpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll"	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeflhdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll"	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckajehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdea32.dll"	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4824	4584	1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe	82
PID 4584 wrote to memory of 4824	4584	1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe	82
PID 4584 wrote to memory of 4824	4584	1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe	82
PID 4824 wrote to memory of 752	4824	Nkncdifl.exe	83
PID 4824 wrote to memory of 752	4824	Nkncdifl.exe	83
PID 4824 wrote to memory of 752	4824	Nkncdifl.exe	83
PID 752 wrote to memory of 4740	752	Nbhkac32.exe	84
PID 752 wrote to memory of 4740	752	Nbhkac32.exe	84
PID 752 wrote to memory of 4740	752	Nbhkac32.exe	84
PID 4740 wrote to memory of 2072	4740	Nkqpjidj.exe	85
PID 4740 wrote to memory of 2072	4740	Nkqpjidj.exe	85
PID 4740 wrote to memory of 2072	4740	Nkqpjidj.exe	85
PID 2072 wrote to memory of 1468	2072	Nnolfdcn.exe	86
PID 2072 wrote to memory of 1468	2072	Nnolfdcn.exe	86
PID 2072 wrote to memory of 1468	2072	Nnolfdcn.exe	86
PID 1468 wrote to memory of 60	1468	Ndidbn32.exe	87
PID 1468 wrote to memory of 60	1468	Ndidbn32.exe	87
PID 1468 wrote to memory of 60	1468	Ndidbn32.exe	87
PID 60 wrote to memory of 4532	60	Nggqoj32.exe	88
PID 60 wrote to memory of 4532	60	Nggqoj32.exe	88
PID 60 wrote to memory of 4532	60	Nggqoj32.exe	88
PID 4532 wrote to memory of 2396	4532	Nnaikd32.exe	89
PID 4532 wrote to memory of 2396	4532	Nnaikd32.exe	89
PID 4532 wrote to memory of 2396	4532	Nnaikd32.exe	89
PID 2396 wrote to memory of 4248	2396	Ndkahnhh.exe	90
PID 2396 wrote to memory of 4248	2396	Ndkahnhh.exe	90
PID 2396 wrote to memory of 4248	2396	Ndkahnhh.exe	90
PID 4248 wrote to memory of 1400	4248	Ncnadk32.exe	91
PID 4248 wrote to memory of 1400	4248	Ncnadk32.exe	91
PID 4248 wrote to memory of 1400	4248	Ncnadk32.exe	91
PID 1400 wrote to memory of 1108	1400	Ojhiqefo.exe	92
PID 1400 wrote to memory of 1108	1400	Ojhiqefo.exe	92
PID 1400 wrote to memory of 1108	1400	Ojhiqefo.exe	92
PID 1108 wrote to memory of 4660	1108	Oqbamo32.exe	93
PID 1108 wrote to memory of 4660	1108	Oqbamo32.exe	93
PID 1108 wrote to memory of 4660	1108	Oqbamo32.exe	93
PID 4660 wrote to memory of 4812	4660	Ocqnij32.exe	95
PID 4660 wrote to memory of 4812	4660	Ocqnij32.exe	95
PID 4660 wrote to memory of 4812	4660	Ocqnij32.exe	95
PID 4812 wrote to memory of 3860	4812	Okhfjh32.exe	96
PID 4812 wrote to memory of 3860	4812	Okhfjh32.exe	96
PID 4812 wrote to memory of 3860	4812	Okhfjh32.exe	96
PID 3860 wrote to memory of 4360	3860	Obangb32.exe	97
PID 3860 wrote to memory of 4360	3860	Obangb32.exe	97
PID 3860 wrote to memory of 4360	3860	Obangb32.exe	97
PID 4360 wrote to memory of 4528	4360	Occkojkm.exe	98
PID 4360 wrote to memory of 4528	4360	Occkojkm.exe	98
PID 4360 wrote to memory of 4528	4360	Occkojkm.exe	98
PID 4528 wrote to memory of 2284	4528	Okjbpglo.exe	99
PID 4528 wrote to memory of 2284	4528	Okjbpglo.exe	99
PID 4528 wrote to memory of 2284	4528	Okjbpglo.exe	99
PID 2284 wrote to memory of 4220	2284	Oqgkhnjf.exe	100
PID 2284 wrote to memory of 4220	2284	Oqgkhnjf.exe	100
PID 2284 wrote to memory of 4220	2284	Oqgkhnjf.exe	100
PID 4220 wrote to memory of 608	4220	Ocegdjij.exe	101
PID 4220 wrote to memory of 608	4220	Ocegdjij.exe	101
PID 4220 wrote to memory of 608	4220	Ocegdjij.exe	101
PID 608 wrote to memory of 1840	608	Ojopad32.exe	103
PID 608 wrote to memory of 1840	608	Ojopad32.exe	103
PID 608 wrote to memory of 1840	608	Ojopad32.exe	103
PID 1840 wrote to memory of 2164	1840	Oqihnn32.exe	104
PID 1840 wrote to memory of 2164	1840	Oqihnn32.exe	104
PID 1840 wrote to memory of 2164	1840	Oqihnn32.exe	104
PID 2164 wrote to memory of 2056	2164	Ogcpjhoq.exe	106

C:\Users\Admin\AppData\Local\Temp\1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1279a100db108e7709927f7156cd5020_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\Nkncdifl.exe
  C:\Windows\system32\Nkncdifl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\Nbhkac32.exe
    C:\Windows\system32\Nbhkac32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\Nkqpjidj.exe
      C:\Windows\system32\Nkqpjidj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Nnaikd32.exe
        
        C:\Windows\system32\Nnaikd32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ndkahnhh.exe
        
        C:\Windows\system32\Ndkahnhh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ncnadk32.exe
        
        C:\Windows\system32\Ncnadk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ojhiqefo.exe
        
        C:\Windows\system32\Ojhiqefo.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Oqbamo32.exe
        
        C:\Windows\system32\Oqbamo32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Obangb32.exe
        
        C:\Windows\system32\Obangb32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Occkojkm.exe
        
        C:\Windows\system32\Occkojkm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        23⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Pcjapi32.exe
        
        C:\Windows\system32\Pcjapi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        25⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Pbkamqmd.exe
        
        C:\Windows\system32\Pbkamqmd.exe
        26⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        27⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Pjffbc32.exe
        
        C:\Windows\system32\Pjffbc32.exe
        28⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        30⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        31⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        32⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Pabkdmpi.exe
        
        C:\Windows\system32\Pabkdmpi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        34⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        37⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        41⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Qjpiha32.exe
        
        C:\Windows\system32\Qjpiha32.exe
        42⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        44⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        46⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        47⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        49⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        50⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        51⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        52⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        54⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        55⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        56⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        57⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        58⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        59⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        61⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        62⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        63⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        64⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        65⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3240
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        69⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        72⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        73⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        74⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        75⤵
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        76⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2068
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        78⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        79⤵
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3220
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        81⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3204
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2860
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        84⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        85⤵
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        86⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        87⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        88⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        89⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        90⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        91⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        92⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        93⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        94⤵
        
        PID:700
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        95⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        96⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        97⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        98⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        99⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        102⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        104⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        106⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        107⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        108⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        111⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        112⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        113⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        114⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        115⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        117⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        118⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        119⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        120⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        123⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        124⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        125⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        126⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        127⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        128⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        129⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        130⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        131⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        133⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        138⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        139⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        140⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        141⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        142⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        144⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        145⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        146⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        147⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        148⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        149⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        150⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        151⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        152⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        153⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        154⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        155⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        156⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        157⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        159⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        160⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        161⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        162⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        163⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        164⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        165⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        166⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        167⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        169⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        172⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        174⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        177⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        179⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        180⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        181⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        182⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        183⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        184⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        186⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        187⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        188⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        193⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        194⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        195⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        196⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        197⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        198⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        199⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        200⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        204⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        206⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        207⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        208⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        210⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        212⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        213⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        215⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        217⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        219⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        220⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        221⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        224⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        225⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        226⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        227⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        228⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        229⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        231⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        232⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        233⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        234⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        236⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        237⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        238⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7480
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        241⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        242⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        243⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        244⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        245⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        246⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        247⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        248⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        249⤵
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        250⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        251⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        252⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8088
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        254⤵
        Modifies registry class
        
        PID:8132
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        255⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        256⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7332
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        259⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        260⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        261⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        263⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        264⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        265⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        266⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        267⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        268⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        269⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        270⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        271⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        272⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        274⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        275⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        276⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        278⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        279⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        280⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        282⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        283⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        284⤵
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        285⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        287⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        288⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        289⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7600
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        291⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8152
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        292⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        293⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        294⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        295⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        296⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        297⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8336
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        299⤵
        Drops file in System32 directory
        
        PID:8380
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        300⤵
        Drops file in System32 directory
        
        PID:8424
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        301⤵
        Modifies registry class
        
        PID:8468
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        302⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        303⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        304⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8636
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8684
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        307⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        308⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        309⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        310⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        311⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        312⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        313⤵
        Drops file in System32 directory
        
        PID:8992
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        314⤵
        Drops file in System32 directory
        
        PID:9036
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        315⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        316⤵
        Modifies registry class
        
        PID:9124
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        318⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        319⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        320⤵
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        321⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        322⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        323⤵
        Drops file in System32 directory
        
        PID:8528
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        324⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8664
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        326⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8720 -s 212
        327⤵
        Program crash
        
        PID:8872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8720 -ip 8720
1⤵
PID:8832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
79KB

MD5
91a3cf8194c744be06ec5728acef534e

SHA1
928a4b00b3abcc467e737904949726c49509c96e

SHA256
bcb9f3810e9469cffd3b299a9b626d36df9ebaa73d7f4117a3f402ca16c97db4

SHA512
88baa4214778d7a6451c8242d68d8ccf7e3bdd407b256ab7807174c12e54aa7a853545271b48c847846b13edc99d569c0783eff0260694de57bb923bd523f877

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
79KB

MD5
bce7e92c614e708c10e42d409c0bc915

SHA1
8a2146ceab5adf593b68b5a45e1cedc9f7040186

SHA256
3929b4af4f8187e482f3e25f78330baafc12e70391f44b5fb7f46b88f313acc3

SHA512
32eddf8fd06ea9dfbd8ee6de375b0f86b0eccb493f9993870bbccf3d7b6bf233a769bfe3e6eae0482ddb179576baf2c9778312db84047dff9663d198739c95d3

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
79KB

MD5
8e84ae4526e15b3019f4c6db3085a426

SHA1
83971b1f24ad7532a842f2fde8fee4c9701d7668

SHA256
5556b76118835bd71b42c67cd13d8bcc807f3514af297336c3fd0af9859110f1

SHA512
f0d64c0a04a413190d65e048813537543cb629b7d6d392ae1fb93ccc6626582808307ee1fbfe05520a739f43ceaf480ccadd587113b960fcae4e5ba06cb9f952

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
79KB

MD5
e72683e5ce88945a095bcb0547653144

SHA1
5d979751eaa3cc3602a2b035e6497be793d111c0

SHA256
d6b94896805ac35fa8840e77afa9ec1542419b2db850373fbc00b396ad3dafc3

SHA512
6466787d78a9ed764e56769d9dab32fb114f94e1170afc1a0ef0f4e73dad2bef22633f9a39827070e3aabf47520fb8565ad868f16fb3fb8fbf4a8542da313272

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
79KB

MD5
8c2092f77e5ec89f9ecdc32e89854f05

SHA1
2517a4f69ad61594d80b3f1dd30173df54cd0cb5

SHA256
498d5ee415b92e4816678a250c31c75cd9e4e480224b56b0ab8ec5965e9cc8af

SHA512
98545805da44d9304f9c183a3c18aa2deb61076efedd56cea087967cd6a30095e253852c22f255c83aab55c256eb13622c63957311ca62107f7dd9d7f80587bf

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
79KB

MD5
791a0d9c008d92881f0da073a54ebd31

SHA1
197d2337310affab1b14f8d1e8ece6da25ca3d02

SHA256
ea35525316c664356fb31304fd06c7f2f3541192c252fc264e1118b93f195906

SHA512
b0727e3f787ca9a1b4b4535046984c51f6c71a10175fd9ce435b3491c4d5d26f4964e9f87e762cd5ca74806ea47f9fb74f7a1ccd5a057cd89f4598a543769c98

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
79KB

MD5
2f821eb60b899b1dd1bf0f2ace50e416

SHA1
b97b8876150c8e8f137ca63f163e30eec26f2ae4

SHA256
8647f2165bdb010bfd6897153f24962c097a30281ef7f2efd0a71b2ccc55a258

SHA512
901eaa932952b27fadc86a1f744b201649f941be5a866fe90301167a64c795f9b43065fbbc2e09375071f9a497c15ef79d1d9648e544b42a2d74be41a4896342

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
79KB

MD5
f887785e25da088a5e8a416351bef83b

SHA1
1417d65c1d0747f6106661c9f7e5dc30d3eaff9e

SHA256
52c3253c4e27baa7df65738ee1aea7dedc722fbee77a72c54d1c477fa9153f20

SHA512
e940c8f89f2840fd3e85fe9545d63d12801875501d332afb04ca827500873062c74831c05f5aa6cc7da70ff543d0eface48bc490e28b080457faf20a1c0a1ea9

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
79KB

MD5
21a5bcf3e97e73e30a0114e5564700ad

SHA1
22add7010f025648af0bd234c7e943710d9e9209

SHA256
f737f7e1795452a7fa372c9f9b8f7a825fb9677b753d8adfc1343a2e5fa77c21

SHA512
3d128b645e6b89c7f595a4a12394a61eb6de262fb96a36a034266da37d7c55437c18a3438ff79c32af28385c9d8189477243f3da996a0c3e8832cfbefbaa73e0

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
79KB

MD5
9fb863fffec5fa05f65a7a7faafe6593

SHA1
b220070a660338b37a49cee46718cdf6ca179469

SHA256
d02e09247989be382eb27d6066a266cc865002fd1f452fb8fbc987c6a63b510f

SHA512
2188934494325ea8b11ab1278878028e83151ecf0d34b68cadb2eea7689da1631bc98638b8bb98573c339a16b26281b5b88e476d9f1d9a912a20de3387169a02

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
4154ba90e1642b2d977590ae75128c37

SHA1
d8d089fcde1cda457d9559acd14ebc8e29192eba

SHA256
3420ab3c7a763550d9dce7f46236156cb2603dba9f39d6892526132c50509736

SHA512
7cf72d620d3376b07df08eec3b4ad23584d009e73980d909df843f19358aeaf2706f1da6dd2bb93e20862ae57297ba1a0d10ded4de808af6fe693162698051ef

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
79KB

MD5
db141486ec971eff7eef57763140ddb7

SHA1
4bb5a5df23cd59322fba5f8d1283e1be6959336b

SHA256
6fcb9c758421f4add4f194e43d8c4931849a626d6531e8a395ae742e1fa1a325

SHA512
b8dd8e86f375d52e6e2562df52a588204257039c46c5b5b63797608eeb9c6dd2dc63579c574f898b507ed7049438e0a71e918c1e13234ae62456da94fc1f735d

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
79KB

MD5
1d162487cfee7bb852db4b658dc3cbe4

SHA1
3d1c47b18d99d3e3cc96a7459385f38efacc6476

SHA256
6021fce327d740d882e220b7a92c8ed9d24c313be0aa6e8691fc6381aa2c1afc

SHA512
2fd48db71d64f902dea1818500bcc7d47fc601584358c292693ccc44caf73c99a65c8ac9519e6650de1d7936845eb199c0c08671865588ae981bafe8a9118843

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
79KB

MD5
58039022e01bee9144a5f4e600a3f786

SHA1
54850955784d497640e7382d5b39e847764eb71b

SHA256
888a69f74125a2ad89449359efd76dc6950f6952d484434136f97987937d8f3b

SHA512
dc7a945c95df510ff3f2b44ef47cc548fa147e57f8f5228794f1c80ab392bbdfe025316865905ba7def20df7da9019348cfd8b11f74c21cd235d2f805c6980e0

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
79KB

MD5
3c9d2babdff7df2c0a3658ce3118e715

SHA1
bf239d61230f8ea96932e20de864d9640d32840f

SHA256
7b8c64b82c9a35d40c2348413c3d16dbfb46bf60084566f608234114cc72d907

SHA512
e72136007884c8d5cdc5f2eaa23a397aa9bd3a30188ca43d83f66e1faabb9f27f729448bded45ecee46c42c83c024eecd149623bbaa2ab9c7b2a709b11ba783a

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
79KB

MD5
7c03adba93d3221022b4cb0cfde070fd

SHA1
65d02012459a2b275d0946b39a9ed30b894fbc5f

SHA256
d9c21f38c12c7a981c2d36409eee06b336c8510e37458320de353062546cd38e

SHA512
0601dc17b0761fa23ba80d4d8cd4225ca27320b8d305d8d16629bfad2a4956505e8a8902d3fb2f64e0c7036fb0ed3db7b6662b7ccc7c9390a464173ffab6d6fd

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
79KB

MD5
e2f103d7f578af7d247a8df766b4fad9

SHA1
d1c222312c29c7a0ee8ea397e27593f326b46e72

SHA256
1d4bf0f8de311170ae0c0bf1d51bd2981c9c7fde1234c806a392fbe2803afd05

SHA512
75a67da87ca73a7e4786b3b57fc00e83625367690235fa6c11372ecd8f05791a91d5c44f9217c6fe814e67a6ef9f0c3b0f9b42d80d314292ecfcf77099fb9b1d

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
79KB

MD5
3b514b820607794eeadf06528897d342

SHA1
d17242abbc19d701a8b6844b46d34b182591efe0

SHA256
e0a2f69926187d8c9339010de9a8f1f5eac75aa5fb6dd62b6dc44dae41634628

SHA512
9262d140cd770b48626de8d60ba61ff7075c3258c2c90fbb4d14d63c0b0e70c6c2b7fd693ebb133f0e076154733e318b264d54e837149663e4eff2848c5e0076

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
79KB

MD5
a9ce6ed0b2d1faf5f7e4276bded0b8fc

SHA1
5404b4ddab41bac7f28563deaccd71d938935289

SHA256
de803614fd4ba2164b59a5e38459a3008e9bb8802ec26fbfde99cece438b6dc2

SHA512
70972ab0a1f457695bc3ca2c563b0d875654035074c989a2c3175e24622eb1026066e6eb36d0da56151009ffe8e3c1f5dee9e044649cd94f17f42e6fd14cace0

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
79KB

MD5
7ee778248435547e9c8e29d386745f5c

SHA1
b659fa08dac77e062428651231fb7f591e1be6e1

SHA256
3e11a0c08c540d4ea3dcd0595432557a17a0264f01d64f68d4bd3cd44fc349e6

SHA512
c487892c7b0909fc5bbdf22721f504b7eb37e14cfb4d0b724108c40ef031ad1ab72809915965e1fb3bcd2e1cf33fa413589c4436b42ec065753c04385594fe41

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
79KB

MD5
d72038bd27543a661622a78b1d144dbf

SHA1
61d21e5f047044df9fa44303f052bb4bb061be6f

SHA256
3e7fcc3421f27a79cf9333942398f1b24a92e32e506e64200a3387a2fbec34bb

SHA512
96a6cfacb50e908aa767f8de7d7634281e1ca4e4e42df621a556661d1492587fc4612c26584247404751966c955032f22ed1b46d593e35e3d731ee3c57d1ed7e

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
79KB

MD5
0e9161c690efdeeeb69f553b6035c99a

SHA1
757a02bbdd48fc6f59d1bd72c444836d56deffd0

SHA256
df762dff0cef949e293b61e0b8f50893f17f941dc999e3611e9a594b3eb0a7aa

SHA512
f4980970d3cf72e67a84c33abf83f8cb1ab24da23647c0d86ee195a9f33944f0ae980b6abde7f6a9b599fdc247ff37213e4743803c9ca1d69a1f1451c5715503

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
79KB

MD5
8414812ea59572311f58745552d83302

SHA1
6ab7ca5a1330852c54a4c4fab0114c9c1bbbef89

SHA256
e7bddec87ff33ba95437fd13e3fae82f567bb5a15229745fdfa6cab3ae4470a4

SHA512
bcec33252791c9eec9b60f17c80f2605fa15d4a3ec79210cce341bb9a75ffb312379ff5eb339d8d9a4d3bd1fd11171c9da9184aa672e92d0591f503160b1d2de

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
79KB

MD5
d839916c46d9d82505c7fd6823805402

SHA1
a70119f92bf6c4972f598299e9d7b0453b1d857b

SHA256
b3d84a075b6ece57f3b169b84b192ed31dfa015d7d9799573dc26ae56de5d0a4

SHA512
5f7911ddecab62af357f247abe5d0c94fb365cecff0a3634cdbecf8265df87a2714973a6d0700d6c19451271d8311eff62eea535f1c1e9565b0893c1b0e817bf

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
79KB

MD5
c1f93772a5297a4c02534d38096307bf

SHA1
8236aa724c58b1950b51e68f8f1aa7692cf3a735

SHA256
3c813183803962fd2a733313a7947ac2dade30e8f9e0022b7ddca0963e1d9197

SHA512
6ff15070349d71d6a82b1f95fdcc78eda6804f082539e18f4c3eef75f12efaa7cf47b84cf2d6a9e7e55e25cc9be34d2403836ba30c03feb8575f72489b031dbe

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
79KB

MD5
d2fe0b2adead05359e85c91f42225fc2

SHA1
7aece725e8aea0a1ed9ff607b6173690dfb42085

SHA256
09fd10b5c5d11b3d06d6b630d0b180441f4e9b2a70198617401a4f1f8a2d4ccb

SHA512
e316ddca89672ce3551ef7578dcdb37b8063b2a97b4340662b5e6076f6f7ddeb1737d495502d8d6f28ba74f03dea49f2079204eb60e264e83684e5731c81f5c4

Download Submit
C:\Windows\SysWOW64\Ncnadk32.exe

Filesize
79KB

MD5
601cef68612238f72e06d1d52c7a0c63

SHA1
45f809a7ea7863b5c8d6d6d1a4617888180d589f

SHA256
08947c58cb0eb08d6bd22a65fa8c529810e759f95feedae2fadfaccf34239b38

SHA512
7bb0475cfbb00b8193b9f2b5eb97a9cb7982082bc737cd3da8aad7f2d9ec460f2778b100eee87a5a23ade9a2feaa236db94a177100a3a91febaeaf45c4b9ffb6

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
79KB

MD5
236956af95ea469e5d3b7d268614fee3

SHA1
8aa009d91d661b5c9173e1dabc7dcb456cda0d0e

SHA256
f25964bebfc31544e1ead78d4259fadfaa9be97500ab22d290585d36528e1f65

SHA512
181ca98803dfa94f70313894f6335af5e968e9cd3b2a1d02cbd9f6dd05c081e6efd81bcc58dc2a3e808fd9c291adc9b88828c3d55b48858dd44a54a57759d77a

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
79KB

MD5
ea2033e7a34cc71476e0c0ac0528bb5a

SHA1
eaf87dd09ea6b37ffc66a8585ef2e16c4f9cfffa

SHA256
26c937bac03d1ac2b8ad665c4fd2d2be3f8a041c803814eade930f0f363baf99

SHA512
eb6fc789f766c5821e22bcce2534cb2563e0ca0747ca7f6ad3b51c74f4b16180b8dae60b171d2dba5bb1605f830271c9b0e725e931d5afe4fff4253220299412

Download Submit
C:\Windows\SysWOW64\Ndkahnhh.exe

Filesize
79KB

MD5
a2c5fc4305f418708d23ebd765f68374

SHA1
3ddbc3e050ca40f4ef61a7040b2eca6113262611

SHA256
6977b202f1ce19ebad619077981da17bac4e90621178add96bde8b71d1992943

SHA512
ceac8daf551beb935503ccaecbff41a404b120b98d02a3985db113a4185aa67358c51174a1d5e026dc848503977b79095bf81ad3d1bfd73575b7c8aad5bd30ee

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
79KB

MD5
dc87b3515865c64e7bed21cb7d6241f9

SHA1
e28ce913217ecd9a24b8c943dd6308e90b34656c

SHA256
620935b4587a9d3697cd3c7fd8fef2dd617068987c585ab5159db3c216ba8134

SHA512
008dfb2805c84e8ea3901f99d07ded951820d96cf1c8a11e827b6c4c0139af8c4f60246804347ec0c9ccc94de6c8641f9c2d1a35db74c0fc1bdbc8477312af90

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
79KB

MD5
168c61d3050c18f483c737f2b662573e

SHA1
af61fdfcde73fa14f02da5942a16f1f011b62bdf

SHA256
68e06d4a4d9e653d75939a326a920a1f1a85c30d293d3bf22a0e6ac81ceeb575

SHA512
14b00a3212873bd0901e16cd64098abee89eba504d0a45cc8d4defbecd0a620d25a5ad7588e54ad914f1a0328f6af9be352f3155b4a8660164b82f44fea1e24d

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
79KB

MD5
57fce8299fb14609da50d14142c480f5

SHA1
d50a7e9adaabaf0ef452549fd9d9a1b0b34d3ec5

SHA256
755f3e73fff6c2af500aaf5e1c78640a8ad854745fc74a38e094023c9ee030c1

SHA512
7ce40fd322b63e43cc37d00ed5712159a98071da48d4299869dfb05d8ce8061664211b2dd20051d6f7e85655b1bcaad2c9732921cbabd1c02cf33bc78620caad

Download Submit
C:\Windows\SysWOW64\Nnaikd32.exe

Filesize
79KB

MD5
dc1732455015a5913260f02dc68b70e8

SHA1
8459031f15f5c5dcba8ff90831e3f3469dcbd148

SHA256
932fb602c2a57edcebe8de1243ccb992785e7b08dfe32eee8461c00c45bc8f3c

SHA512
671bfa6a1b0a32f5d23fea67672beb79a355741f7a69b5aabf2a8209ee0e899b836161902a182ee0f7a7640d8aa49064db8b80f9332cc09c87d6a2b8738478a9

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
79KB

MD5
fed98727ba586b4777194750acadffa6

SHA1
fc744bbdc477e648538d362a8a70072c967e466a

SHA256
47dc7c68a8ccc6188a813d78e292bd5f2111c8c0436284e929ee6939774f8461

SHA512
9e43b4655697919768225f245af6b92168b5cba36fef7811f0419656449884fe5cfc0ee715603e1e97515730ac66df6f4c69680e6c786d2cc2b67514f6bc268a

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
79KB

MD5
26b83ad3cf3fbb18821f682cc9e20341

SHA1
50031638b4157977e5efd2baee17404ca86d486a

SHA256
eb2bec10c700606fc4758790acf2c38afb6712eaf20b2a66fad1d348bbf69422

SHA512
ff57c3e274baa1f52b083a8d9e8a79e9d30283f59af9567d7aeb0495f13f020382578c97932700c26c8c70f6326f6a79e44777f04125bd2b0861c5a737333e64

Download Submit
C:\Windows\SysWOW64\Obangb32.exe

Filesize
79KB

MD5
7e776e3b249efd610a93f14a3479ccdb

SHA1
a2395764b946c228dd82f182f602c84830dd3975

SHA256
cc4c0d6c663dde4522bc710dec8866ffa8cd51130a83df4fcfb193806373af9a

SHA512
79a69e2c0159bac3d1f2fbeaed8607303f0763240aa3126bcc0af34430df694267360dec7f64396af4fb5167607795c8d574efa9f0cdcd434ffae0a52ada4785

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
79KB

MD5
56f3b4dc948bae513fbdcb9b2a5d1b80

SHA1
e0037dfd0c0f40235cf1ac45b0bc8956186f0e13

SHA256
6db59e24861471e434d8ea5394c0178cbadea2ea6cb4a5ff6f13f064b5d07588

SHA512
2c8c8e7326d87c1f75b955eae249f3b22b25593fc9cca888ec1a103ca8fbb8118d72b0b5b2e6881b4031645be2713d8098e815bf65578a0a8ea8e4ae97e15b7f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
79KB

MD5
692933435986af47fc0389069563a884

SHA1
f8d275acdbc6317927d37a63fba60505eb450721

SHA256
b381f712ed4c1ccf46b7c33584abe509cd72d4b1f2f7165a98e3342ceb83b4bb

SHA512
49d3607338dbe647f63503235768b0cc1a27b65df6ac14cacc3ab8bcc3d794e75ac1129e931e0d13567033e6f1629399378f1982e90269372fd76253490cc686

Download Submit
C:\Windows\SysWOW64\Occkojkm.exe

Filesize
79KB

MD5
51c4be8e656438957e0558d6f1e56995

SHA1
0e1ab4e804da1c5f4a2c6e2a2faaa1e256bebb3b

SHA256
40670ad7db8ce0b64c58f071e2192c703fa02a5b5a7b64d7124ca7183ff83e20

SHA512
3b80e6d29d4027f996d92d813fd223592ea301ac00011486bb383cd6b82fead0df440e91647fc008dcc84b2fdba57a5286fa32ac14b461470953183ebb0c7ec1

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
79KB

MD5
9598066fa49346a88eac692139236528

SHA1
e57d442b5bc065e3e9ce7dfda60377eddd207cc5

SHA256
7904abd1f67f02a4a69ac219b8abf70deec21b5ff77fabca418d249933f6a09e

SHA512
42745586ee4d5ff6361bc4d66cac4a16e4600174ff4ed168f8ee7ed6eec58d5c9ca3bd6c199a3fd9ba97d8b88f068f20d98cad03199e05570e3d48e6522658f3

Download Submit
C:\Windows\SysWOW64\Ocqnij32.exe

Filesize
79KB

MD5
88dff966b0672cc514af78e5a5743235

SHA1
9fe6b710fab9b9e111417e57fb5aa767b375893d

SHA256
f33172ac246a7f5c2228478dcc1851997d547a2cbbed6c1e58d89560620145fb

SHA512
9ede333112a8b31306e4977243fce7f3f3395fea5db093ad3fdca5941bf34b6b7b3bcd14b9f6c609d5eff739f16001dee81aff211bfac2d20d94df04df72e87e

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
79KB

MD5
d84376f6e1ae7f09d290e5d9d7fab10a

SHA1
f15665e25b765618efb094b7333ac74b115c825e

SHA256
7a930df7414f59b3b7e699caf3125f8091ca2c23577c18304cc6e79408744886

SHA512
ea5941dc70301bd054ccc2affcd4aa4306b4189ee27eeb75e6ad0bdee5c41fc990329bff7801084cc9749dfaccbe5061b0456d722bb53292c3b7fa7be5a51a52

Download Submit
C:\Windows\SysWOW64\Ojhiqefo.exe

Filesize
79KB

MD5
65f0b2a967b61b9ab7ff3f72baab9c08

SHA1
790be16255454560ee4dc33b89580dd15fbba694

SHA256
4d02777fa69ddc7f85df1e4d3d0b1b174deefe94a2885ab52a62777276258fcf

SHA512
3186cf593d0c0327cfdf374e3e02925f93ccf3c48644b9d6708b79beb09c7aa6576980c69e91e0438a296acdeb9c33fff54de8bcf01b56be267b1b25ee743314

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
79KB

MD5
944be68f9698495579215bd721a8f565

SHA1
27af8a11c4b8a8bbaf03362445305d6f16f6238f

SHA256
08543689f402c56f04cd941cf6a9fc654d09399d1e182345dd82bbcb0c6dddda

SHA512
17f18387234b945e0bf505551e73b53a7d06d8606a54fe767c2d9c4f12ca2f0258c7149b2d63010ffeeaa86614eb9e07e8fb3fdee0487bb1c055354901063954

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
79KB

MD5
d511bbd0cfcf1fadd83c43eb3486aeb4

SHA1
5e9b773ed11b942c4d0d87a6ac2c94c4296d374f

SHA256
539e432f2e271dbc33e213cd828b07bf357c9c64d7225a62e58499efe5b32b56

SHA512
132e3032a610ae733224da7cd174bf346041a034041af78f05c32bac1d65246a98674a5bbf6faa52f465df21e06323df37dc40dd3d7b30af6cde6ebd8abda7c8

Download Submit
C:\Windows\SysWOW64\Okjbpglo.exe

Filesize
79KB

MD5
9c13b61787b81f6634c3db9197a6ce69

SHA1
5767c3f5530f46208b6fc630e75ea97b98ab99a5

SHA256
e3a26d4d282a115663cf4c8f61262f403e907046fa7f0e08eb87b03ce3b8f8ee

SHA512
8e1629a438af0d8b2f4fc0df6a531e5f08be4534db93bbecbf17abdc57e85eff69a959193fa1f379537f02fa9a5e139867353e9b3b9f22ad00b152b3dbbff81e

Download Submit
C:\Windows\SysWOW64\Oqbamo32.exe

Filesize
79KB

MD5
d6114bfa55b909acc6a4930a6c3f1a16

SHA1
3c2b29a464e0b35020a1fe7911809d0b8ee1c9ff

SHA256
57c879a5230b8e82a6cd31c7bff9032465d03c7c6b123e62e793b54bdf29f033

SHA512
a983138e19116896eae5cc65d30553bbe0fd6063ef16a6b871f8322deacfc0c18381e6d5b683600e51557333a54a6eb9e9a50621a49b883bcd0a3684224ad0bc

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
79KB

MD5
3ef2864b0b72e8d9ceb6d00b2fa163f1

SHA1
e3fc6f70940869290ebe7a50cf961e6a839d8c6b

SHA256
d9776097aeeaeb1a03fbbfaaa85178aab01904dabf68d28269a32048c6db4e37

SHA512
e8e49d71550f11c25868ef157f0352a2e9699f1fef9d3c4699ed859c1fb189e76b22a226dde26a3becf7b395ca92c9889e4e2d8eb3375b591569b488543dc56b

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
79KB

MD5
bf038aad8e287784cde117f23615b4a6

SHA1
45361cf7068cb5262b6864532118fa7731a4699d

SHA256
7294f644ff074509336ff58b805b38a4af4edc961135b8f4e2c6128675110d8c

SHA512
64cd8c74511d36ff007e665a548cc71fa8edb9677dd2be0b31962575a38331666c9cf6a64f1d8ad7668870568427647766a1e636f853f2e11956c885d09e8b14

Download Submit
C:\Windows\SysWOW64\Pabkdmpi.exe

Filesize
79KB

MD5
77966dc1a4a227a5337d058cfb1fe38e

SHA1
4a28c3c0cd182b400c98b235c7a500c64a9c0656

SHA256
5d52c4ec1a7843f29e7c626f26b9b21e895affd64a8533bc673b50e274eccad1

SHA512
493afd5db362981a8f6a529007ac0855ed183180be8e4c0e9d8d8d40a1632a05bebabdcc844d50542b7ab23665436cd7b21c2eec169233d4618979ab9e4816f5

Download Submit
C:\Windows\SysWOW64\Pbkamqmd.exe

Filesize
79KB

MD5
d6a66addb0b0dcb7556a46cc8df9e60f

SHA1
02f6b7410e2ac7739ad1cd19543d5f1e8a1d9eb6

SHA256
2e587532a4fdcf21a12c4b45ae98826d62844e7b48b44753d8dafbd32df9dc44

SHA512
7bcc75a276e0dd3e7e45cfa1ed21ad990d78793ea9fa28cc20c4866ca3b0e96236fe764b439ac37a56c20abbb89590d8817c8fee5cc5f56b71ec33bcead0ccad

Download Submit
C:\Windows\SysWOW64\Pcjapi32.exe

Filesize
79KB

MD5
34f6679c6d35a20c7d63a4c046da13e5

SHA1
ee8232364ce27b7a84cf19c94b8d9076fbb303e8

SHA256
a74fd1df6d3b55ecad888ea0f38c43cb87de3b0118fae1e159d4a5c0c0aa3eb2

SHA512
9338428f0f7494c4a9c9007a27b3352e85bf98c033ad1c014d4424d35a6edcc0aabafe95d355fe99bbf65e74695036f88807e3a3fed1f1bd98bd33cf69eb0bde

Download Submit
C:\Windows\SysWOW64\Pcojkhap.exe

Filesize
79KB

MD5
58ff47fbac103288c353eb07320d5f9e

SHA1
d1b304779abd24d91fc7e3ccb476d213bb3b802c

SHA256
2ef0b250570c36694d63c3e9404ee72cd01e552426946ac48e06ee4f68d9d103

SHA512
b998f95b94a178e73047454f6c1ca0fbed39b4324775b9ca9375dde8df9de84e40d91419695b1870614f32802928d8af7880ace105115de295bc9ece20deef90

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
79KB

MD5
ebd15eed2a0b8802be87224d0c0120d4

SHA1
96ff3b7d3b671f412810e9ac3f6107c6381f1ee8

SHA256
0917b906cdbb4f5b0729bbe8499be627abe59840fe5ad8b06707accd073d9337

SHA512
dd5886d7a69ef9d82581434f1e684b0bf93ca9d6b32640a2ae6131a996809152f3ec0f982ff1ac661feda22664490cf90e138b852f0f636d5167ca216f139b6e

Download Submit
C:\Windows\SysWOW64\Pjffbc32.exe

Filesize
79KB

MD5
63af3222868b2ff179c319857dff718f

SHA1
022f53af888065f9d68a952e04a2a279dadb3ca8

SHA256
634996bc71fb863f3af0d26965c54b1e0a0adacc5c9921fea0096b8ac4602acf

SHA512
2497fff8a613663527d8f7236e243f667ed4bd1621f4b0bdbc25708329682f781dd5eb8d6a814ff47d6ae896872004883e20131b1a90c0ba13914df15f990400

Download Submit
C:\Windows\SysWOW64\Pjhbgb32.exe

Filesize
79KB

MD5
c7f1499fa27d728f35dc6ff378a88756

SHA1
745206ee201d5a5cea1f6ba52fd67ae3e02363e8

SHA256
b406c79f1cd3634b357f3b016e171960bc1f0fcfc5088d057bd2b220ffd243b7

SHA512
e0a65be5c2fb8ef201bfe1076b5ed6500cc2582b597bf4451466cabc4a74e622b3a8ffc929368ec57ba5af5c51e23a411f1a3ea4c025d5a5e6488248cc19a303

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
79KB

MD5
11b7643f42b1e8e80b425b68e736999a

SHA1
e66a66e0c57308f7815a374b302169e627911d80

SHA256
58fb9c5ac21716dcfa0e977718baef05cca6e86b82a98f4d1f5d8f634514a951

SHA512
77e68cbfad1f2d9765b3cbd40f88b568b69ef6f9d46eeeac8e057e721aa3a86b55a2b6cc217918bdacfe1ec1dd32b6ad456c55af49ebc285171fc7f240b39dc5

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
79KB

MD5
f815346066c30066fba298250dfb90cc

SHA1
9b14c69671e07310bdb29ef514b8a256e60b725e

SHA256
5d2fc69fd5321947b26a78ccc8efcaaf6c40ef609a1430d9fece7dcd6107065e

SHA512
1faf7d3a1021b268baa6c5708b5c0c5202d35b20acde8c0d14037188d756430e53e05ee717594074a3f6e45db8f1a602d53a5bdccc8c8c4a7de6fd74ce041508

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
79KB

MD5
15f475abd8733e5c621f8a37c9ea7190

SHA1
93621cd8c85bb8737ce436f03baf3653c203ef8c

SHA256
3b50e03750ded1eb2200093840cbefaadff1ca27c52fa55f3c7a635cc8ca7d16

SHA512
2c03467c23cd4e84e90b65788fd2bd1d8de80bfab84b529cccf82ac67fefbc9d4abe285376c576b8603a73aaee787b26a6d77a55e86b319a83f01f61eea0e1e7

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
79KB

MD5
9a3dec47c13299f4682c28efb04ad3d2

SHA1
790885058964f06abdd589076dfd261feec8b9af

SHA256
03f1c2913fa3aaaf9baebd7093f66d4901a777d39cce89f883253f59112a8f3b

SHA512
804794e3e9d480a09aaaa7de0473b037fe4df658ae9eca9259cbeda6c8630eef6143a76e73b519fa4936f29e97b34b2a3936ef828c51a3cd75c8dfd4f2dacf87

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
79KB

MD5
cf1d5ef3122c12db18d1dc17b8f75f82

SHA1
67f710aaa1017d3171f67a88c53b0ba3effb1774

SHA256
f41131f488c2df5a4670a2b31bffdf884753b3159b2271056a6997131d2cb9c3

SHA512
31d920f4c72d1a6db0d66b9afa3ba52359c1cb906ab3f4ef9566b4a5de8e308244bd51fb1b65bfe4c409c97293baef9f7624eb56b0a139ec2fd2f41e3623efaa

Download Submit
C:\Windows\SysWOW64\Pqpnombl.exe

Filesize
79KB

MD5
2af2b5f7372ac144ef019f07809d7232

SHA1
44661a057ec1f9cdee2ebcb9f463b958e3dfdf0a

SHA256
7a248c8b01e298d03d29fb2d92afd991e7f6b23a55562748d577a6fd124301a2

SHA512
dac83e8825cb3b087128defd84c702f1bc4a98b82eeda50590bceee534d4a3449a6ba13a9a947893e698f849bc1d658ae5e38e024ab4a7cd946b4e040b9c1102

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
79KB

MD5
48c8f919bb238f077ad1c7491fba3ed3

SHA1
ddabc5546162bc017878436c9874c8eb3967b19d

SHA256
7e611c44095c1cbb30e2420e512920acfcf458e508baf4086f536de972b17618

SHA512
8a2a786d3be7aa20e921ecb9ba084b82fb2d63defceb36cd106d442242c6c13d6097e91f16c630be2d9e1d2051445c7caf1c617983d7b5d31c265025b9d0a87f

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
79KB

MD5
48522ffd699bf843ded707ac1491a8d8

SHA1
1fe06c0116c5a792f174f007b7f0104710024986

SHA256
aa5a74be1ac4dbdf47cb23d4632e62560e85809860dca11217b8238636edc91f

SHA512
9fe6af1bca2b5cc0fc44c7dd0159612b93e87b5be5f9b1c34c925a909a166b1cb1910f3a289b8f4c1d3d54f1e4408325dd45e989d437f21084dd2b616ca749c5

Download Submit
memory/60-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/608-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4584-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads