bdcf434137f29605d91852294e62642a23d77dd975b16cc2184f2f7f86c7a718

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe
Size

336KB
MD5

5e188c99b6df2b5bb86a8e339cece7b0
SHA1

e84e07bc9e91ac3a2d0bd103fff17ca2f486ecca
SHA256

bdcf434137f29605d91852294e62642a23d77dd975b16cc2184f2f7f86c7a718
SHA512

5bfa7a0aa3e94c84a843e14f2ffcf367bd10015fe553c202d63cc1d5dc6c3a7363095dd97a5a3b6e2989aa84409a503a6366651458919d109e89bbc6815b1459
SSDEEP

6144:I8MctxGHMENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05W:DMNTwcMpV6yYP4rbpV6yYPg05W

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bajjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlijfneg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fohoigfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajneip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbmlmml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flqimk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblngpbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobcpmfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foabofnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbifelba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbqlfkmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkfblfab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbjoljdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camphf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bopgjmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckpjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iejcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceaehfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkljak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceaehfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Faihkbci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blbknaib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dedkdcie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dafbne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doqpak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe

Executes dropped EXE 64 IoCs

pid	Process
1488	Pkfblfab.exe
4136	Pbpjhp32.exe
1824	Pengdk32.exe
1852	Paegjl32.exe
3536	Pjmlbbdg.exe
3784	Pnihcq32.exe
2388	Qecppkdm.exe
544	Qbgqio32.exe
2000	Qchmagie.exe
3540	Aegikj32.exe
1596	Anpncp32.exe
840	Ahhblemi.exe
1484	Aaqgek32.exe
3240	Ahkobekf.exe
3668	Ajiknpjj.exe
4656	Aaepqjpd.exe
3936	Ajneip32.exe
5080	Abemjmgg.exe
1576	Bajjli32.exe
632	Bjbndobo.exe
2456	Bbifelba.exe
2492	Bdkcmdhp.exe
3164	Bhfonc32.exe
412	Blbknaib.exe
4736	Bopgjmhe.exe
752	Baocghgi.exe
2328	Bejogg32.exe
4884	Bdmpcdfm.exe
4140	Bldgdago.exe
2556	Bjghpn32.exe
2152	Bobcpmfc.exe
2360	Baaplhef.exe
4064	Bemlmgnp.exe
1756	Bhkhibmc.exe
4400	Blfdia32.exe
4552	Boepel32.exe
444	Cbqlfkmi.exe
3888	Cacmah32.exe
2672	Cdainc32.exe
3588	Cliaoq32.exe
2452	Cklaknjd.exe
1612	Cogmkl32.exe
4560	Cafigg32.exe
5024	Ceaehfjj.exe
2384	Cddecc32.exe
2112	Clkndpag.exe
5072	Cknnpm32.exe
3720	Cbefaj32.exe
4556	Cecbmf32.exe
2700	Chbnia32.exe
3256	Ckpjfm32.exe
2752	Cbgbgj32.exe
4692	Cefoce32.exe
3592	Cdiooblp.exe
1116	Chdkoa32.exe
4976	Ckcgkldl.exe
1580	Conclk32.exe
1860	Cbjoljdo.exe
2812	Camphf32.exe
4208	Cdkldb32.exe
4300	Chghdqbf.exe
4496	Clbceo32.exe
3076	Doqpak32.exe
1228	Dbllbibl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Pnihcq32.exe	Pjmlbbdg.exe
File opened for modification	C:\Windows\SysWOW64\Abemjmgg.exe	Ajneip32.exe
File opened for modification	C:\Windows\SysWOW64\Cklaknjd.exe	Cliaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Ekcpbj32.exe	Eefhjc32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Fdgdgnbm.exe	Ffddka32.exe
File opened for modification	C:\Windows\SysWOW64\Flnlhk32.exe	Fdgdgnbm.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hiefcj32.exe	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Blfdia32.exe	Bhkhibmc.exe
File created	C:\Windows\SysWOW64\Cbgbgj32.exe	Ckpjfm32.exe
File created	C:\Windows\SysWOW64\Elgfgl32.exe	Eemnjbaj.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Flnakb32.dll	Echknh32.exe
File opened for modification	C:\Windows\SysWOW64\Ecjhcg32.exe	Ekcpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Baaplhef.exe	Bobcpmfc.exe
File opened for modification	C:\Windows\SysWOW64\Hkdbpe32.exe	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Lejfpelg.dll	Hkdbpe32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndobo.exe	Bajjli32.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Gomakdcp.exe	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Hkdbpe32.exe	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Ilghlc32.exe
File created	C:\Windows\SysWOW64\Bgempgqo.dll	Baaplhef.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Gcagkdba.exe	Gofkje32.exe
File opened for modification	C:\Windows\SysWOW64\Helfik32.exe	Hfifmnij.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Keoakjca.dll	Clkndpag.exe
File created	C:\Windows\SysWOW64\Doqpak32.exe	Clbceo32.exe
File created	C:\Windows\SysWOW64\Deoaid32.exe	Dbaemi32.exe
File created	C:\Windows\SysWOW64\Agkbbg32.dll	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ehnglm32.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Lhclbphg.dll	Fooeif32.exe
File created	C:\Windows\SysWOW64\Gcagkdba.exe	Gofkje32.exe
File opened for modification	C:\Windows\SysWOW64\Ahhblemi.exe	Anpncp32.exe
File created	C:\Windows\SysWOW64\Bbifelba.exe	Bjbndobo.exe
File created	C:\Windows\SysWOW64\Aecqac32.dll	Cklaknjd.exe
File opened for modification	C:\Windows\SysWOW64\Cefoce32.exe	Cbgbgj32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Dbaemi32.exe	Dkjmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Fooeif32.exe	Flqimk32.exe
File created	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gbbkaako.exe
File created	C:\Windows\SysWOW64\Anmnemcc.dll	Anpncp32.exe
File created	C:\Windows\SysWOW64\Ilabfj32.dll	Blfdia32.exe
File created	C:\Windows\SysWOW64\Fpaeonmc.dll	Cbqlfkmi.exe
File created	C:\Windows\SysWOW64\Gbiaapdf.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ahhblemi.exe	Anpncp32.exe
File created	C:\Windows\SysWOW64\Kmipecpd.dll	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Ijcoimpn.dll	Gcagkdba.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Echknh32.exe	Dhbgqohi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7864	7640	WerFault.exe	380

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qchmagie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmlbfod.dll"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhkhibmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhkhibmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clbceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll"	Chbnia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anphnl32.dll"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmlbbdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll"	Cliaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjfkm32.dll"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Helfik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgldj32.dll"	Bhfonc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll"	Fooeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqkei32.dll"	Icifbang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll"	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dedkdcie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glebhjlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbgbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Ndhmhh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1488	4448	5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe	81
PID 4448 wrote to memory of 1488	4448	5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe	81
PID 4448 wrote to memory of 1488	4448	5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe	81
PID 1488 wrote to memory of 4136	1488	Pkfblfab.exe	82
PID 1488 wrote to memory of 4136	1488	Pkfblfab.exe	82
PID 1488 wrote to memory of 4136	1488	Pkfblfab.exe	82
PID 4136 wrote to memory of 1824	4136	Pbpjhp32.exe	83
PID 4136 wrote to memory of 1824	4136	Pbpjhp32.exe	83
PID 4136 wrote to memory of 1824	4136	Pbpjhp32.exe	83
PID 1824 wrote to memory of 1852	1824	Pengdk32.exe	84
PID 1824 wrote to memory of 1852	1824	Pengdk32.exe	84
PID 1824 wrote to memory of 1852	1824	Pengdk32.exe	84
PID 1852 wrote to memory of 3536	1852	Paegjl32.exe	85
PID 1852 wrote to memory of 3536	1852	Paegjl32.exe	85
PID 1852 wrote to memory of 3536	1852	Paegjl32.exe	85
PID 3536 wrote to memory of 3784	3536	Pjmlbbdg.exe	86
PID 3536 wrote to memory of 3784	3536	Pjmlbbdg.exe	86
PID 3536 wrote to memory of 3784	3536	Pjmlbbdg.exe	86
PID 3784 wrote to memory of 2388	3784	Pnihcq32.exe	87
PID 3784 wrote to memory of 2388	3784	Pnihcq32.exe	87
PID 3784 wrote to memory of 2388	3784	Pnihcq32.exe	87
PID 2388 wrote to memory of 544	2388	Qecppkdm.exe	88
PID 2388 wrote to memory of 544	2388	Qecppkdm.exe	88
PID 2388 wrote to memory of 544	2388	Qecppkdm.exe	88
PID 544 wrote to memory of 2000	544	Qbgqio32.exe	90
PID 544 wrote to memory of 2000	544	Qbgqio32.exe	90
PID 544 wrote to memory of 2000	544	Qbgqio32.exe	90
PID 2000 wrote to memory of 3540	2000	Qchmagie.exe	92
PID 2000 wrote to memory of 3540	2000	Qchmagie.exe	92
PID 2000 wrote to memory of 3540	2000	Qchmagie.exe	92
PID 3540 wrote to memory of 1596	3540	Aegikj32.exe	93
PID 3540 wrote to memory of 1596	3540	Aegikj32.exe	93
PID 3540 wrote to memory of 1596	3540	Aegikj32.exe	93
PID 1596 wrote to memory of 840	1596	Anpncp32.exe	94
PID 1596 wrote to memory of 840	1596	Anpncp32.exe	94
PID 1596 wrote to memory of 840	1596	Anpncp32.exe	94
PID 840 wrote to memory of 1484	840	Ahhblemi.exe	95
PID 840 wrote to memory of 1484	840	Ahhblemi.exe	95
PID 840 wrote to memory of 1484	840	Ahhblemi.exe	95
PID 1484 wrote to memory of 3240	1484	Aaqgek32.exe	97
PID 1484 wrote to memory of 3240	1484	Aaqgek32.exe	97
PID 1484 wrote to memory of 3240	1484	Aaqgek32.exe	97
PID 3240 wrote to memory of 3668	3240	Ahkobekf.exe	98
PID 3240 wrote to memory of 3668	3240	Ahkobekf.exe	98
PID 3240 wrote to memory of 3668	3240	Ahkobekf.exe	98
PID 3668 wrote to memory of 4656	3668	Ajiknpjj.exe	99
PID 3668 wrote to memory of 4656	3668	Ajiknpjj.exe	99
PID 3668 wrote to memory of 4656	3668	Ajiknpjj.exe	99
PID 4656 wrote to memory of 3936	4656	Aaepqjpd.exe	100
PID 4656 wrote to memory of 3936	4656	Aaepqjpd.exe	100
PID 4656 wrote to memory of 3936	4656	Aaepqjpd.exe	100
PID 3936 wrote to memory of 5080	3936	Ajneip32.exe	101
PID 3936 wrote to memory of 5080	3936	Ajneip32.exe	101
PID 3936 wrote to memory of 5080	3936	Ajneip32.exe	101
PID 5080 wrote to memory of 1576	5080	Abemjmgg.exe	102
PID 5080 wrote to memory of 1576	5080	Abemjmgg.exe	102
PID 5080 wrote to memory of 1576	5080	Abemjmgg.exe	102
PID 1576 wrote to memory of 632	1576	Bajjli32.exe	103
PID 1576 wrote to memory of 632	1576	Bajjli32.exe	103
PID 1576 wrote to memory of 632	1576	Bajjli32.exe	103
PID 632 wrote to memory of 2456	632	Bjbndobo.exe	104
PID 632 wrote to memory of 2456	632	Bjbndobo.exe	104
PID 632 wrote to memory of 2456	632	Bjbndobo.exe	104
PID 2456 wrote to memory of 2492	2456	Bbifelba.exe	105

C:\Users\Admin\AppData\Local\Temp\5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e188c99b6df2b5bb86a8e339cece7b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\Pkfblfab.exe
  C:\Windows\system32\Pkfblfab.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\Pbpjhp32.exe
    C:\Windows\system32\Pbpjhp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\Pengdk32.exe
      C:\Windows\system32\Pengdk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        23⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        27⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        28⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        29⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        30⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        34⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        37⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        39⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        40⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        43⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        46⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        48⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        54⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        56⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        57⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        58⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        61⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        62⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        65⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        66⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        68⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        69⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        70⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        71⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        72⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        73⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        76⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        77⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1412
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:924
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        80⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4936
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        85⤵
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        86⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        87⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        88⤵
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        89⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        91⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2564
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        93⤵
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        94⤵
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        95⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2816
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:532
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        99⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        100⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        101⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3800
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4076
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        105⤵
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        106⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        107⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        108⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        109⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        112⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        113⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        114⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        115⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        117⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        118⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        119⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        120⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        121⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        122⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        123⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        124⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        126⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        127⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        128⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        129⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        131⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        132⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        134⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        135⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        136⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        138⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        144⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        145⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        146⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        148⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        149⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        151⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        152⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        153⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        154⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        155⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        156⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        157⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        158⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        159⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        160⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        162⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        163⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        164⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        165⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        166⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        167⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        168⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        169⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        170⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        173⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        174⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        175⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        176⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        177⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        178⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        180⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        181⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        182⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        183⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        185⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        186⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        187⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        188⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        189⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        190⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        191⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        193⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        194⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        195⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        196⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        197⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        200⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        201⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        202⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        204⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        205⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        207⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        208⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        209⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        211⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        212⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        213⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        215⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        216⤵
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        217⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        218⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        219⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        220⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        221⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        222⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        225⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        226⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        227⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        228⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        229⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        231⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        232⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        233⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        234⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        235⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        236⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        237⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        238⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        239⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        240⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        241⤵
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        242⤵
        Drops file in System32 directory
        
        PID:7436
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        243⤵
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7524
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        245⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        246⤵
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7656
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        248⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        249⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        250⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        251⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7876
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7920
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        254⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        255⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        256⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        257⤵
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        258⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        259⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        260⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        261⤵
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        262⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7412
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7496
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        265⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        266⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        267⤵
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        268⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        269⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        270⤵
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        271⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        273⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        275⤵
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        276⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        278⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        279⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        280⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        281⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        282⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        283⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        284⤵
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        286⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        287⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7884
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        289⤵
        Modifies registry class
        
        PID:8060
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        290⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        291⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        292⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        293⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        294⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        295⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 416
        296⤵
        Program crash
        
        PID:7864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7640 -ip 7640
1⤵
PID:7476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaepqjpd.exe

Filesize
336KB

MD5
a3b4d59ed7a5c3c7f257fd11ac07621b

SHA1
3a6137769899ad46d7ab1aeb273d4330aae0a91d

SHA256
f7439529bf720f4bae33267cf1cf2b9fa09754dee17afcbfba4f4ab4af5ec97a

SHA512
ff616bfc47b5c7db1ab55fd004475844782595e2d199615f51f2e2cb47a22675c2242500891769c6ebe416f1b559e58f746b5fdd08f82329665a00a46f0c06f3

Download Submit
C:\Windows\SysWOW64\Aaqgek32.exe

Filesize
336KB

MD5
6f5fea960e4fed59d6c477b38b222207

SHA1
63a11e6d1f57169ea5917e1d428c7a27d753bb33

SHA256
d9054e0891218de2ccea8b1269480d7dde63e330acbd7474efd44a906edde217

SHA512
258064fe9805eef399b01cb837e500e6188589b6f277ad5109d68ece00a068cf0e178f72823e07860632d96fe234701739466160d8bf0fc8cafaf15ce735a180

Download Submit
C:\Windows\SysWOW64\Abemjmgg.exe

Filesize
336KB

MD5
ba17778c0507f6ec3ebfa2a04596aaf2

SHA1
bb5ca745a6acbb085e1f72c5ef3dddd5a716af36

SHA256
7cd4c6a6a1c2ab13a803f8b0ed8e039924c18fa7f15d3b376b021a5333968c23

SHA512
cd414838e2c997d63e3d2607dd139f97d2ca726915850526a73a4c2e330b1c7dc63e2334e40e018a4062e5825112ac389bef9021ffdb6363cc8dc133f3e1e44d

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
336KB

MD5
0280cbd776e2e11a647697fd96fba6ea

SHA1
4c2cfb796ffb1ad64566487da0c23f2533a7b5c6

SHA256
8b76c068c07d152c349b21176fd9fcb9927845923169e7bb3b631af3ed8220bb

SHA512
e91eff42c5f19c004a184652b704e41226fc0824fa161db03a50305f0bd3114508943900708c55d5bb2e43368d4f24eb0cd53efbd2bf511ede7fb94af1063a80

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
336KB

MD5
384f2d732e62d4bf97de3909f4b6d3b6

SHA1
4dfbc5d2047f2c0648f84f4ddb2125fac32727b5

SHA256
3d50aa436de400c8de653372a8c68b3d135d91783da88641bef98f69745bd025

SHA512
11a6bb4d29e5db3d7bcdc940cf2e03f64c87cbf81c50fa3f9612e983491785f452c6c25f8b1d74b3026cc09cd5725bac1102d65082e14583bf1cb80d98cb832d

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
336KB

MD5
4eb6c69bc15e3876ba6d6f7cb480e08d

SHA1
f5c59e7b195f1eb1f9d609860ff24cc30709152b

SHA256
fcabca60134af505ec299be9c1f730f072dc1138a9c82329f74dfdb974ca039e

SHA512
8efae15621a66ed607a4b5c1f63e43550ee3686326050fdc0ea126bf00f54acd11b1640cca583045bf29af08c6a448df4624437c323c761959c1960735b48f45

Download Submit
C:\Windows\SysWOW64\Ahkobekf.exe

Filesize
336KB

MD5
0bf71908fb91f1d245ff9ddffc612846

SHA1
da46141c0f2787b9c573d74d2b240cd9e9b27f5a

SHA256
3d8a02627f7f2930526634c854d7e1b3f36f34eed0b0d74c15076dddfeabf807

SHA512
3fb19fb78599307d5d2645b8e097c24c8ec8ca3f999e1e0bd9e515662bed6270c3d9807c6b1f9b84d8d9b0a88748d0a6033a2832607793ea01357853f7c177d5

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
336KB

MD5
066e726329975582590d8694af84957c

SHA1
a8e1b8b80a5674637520def8d5a010b7bd924b12

SHA256
3a6b99f4c24c923d253f36f17b00e5c5f8e557ac10ff48cfb5195fdfc085a36a

SHA512
8b22c72a0927b8ee6542aeae30cc3a71e2239eda57e494867eb202299c8f599fdb4ccde8c9ffc29bb0c4a40600076b8436dced1d16881da6c1dbffe094d14b6a

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
336KB

MD5
24cfe4bee4fc60d0b039b5c2a9ea4fa4

SHA1
b23d1ae37376efeea9c3914c3517edd04ebd936a

SHA256
5650d155c41a02782b373b92bf976a9301f6c73b7f63cae67853a9a5368833e8

SHA512
e470724f7307723918a1cec7baffa12f79b68ed444e9038f62119fa6560fd534789ab837aa6580c5ef8bdfc77043c6205bda8d896b74ab3e078ea5872554838d

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
336KB

MD5
de5c3082a93c317236f3bf7d30aad9dc

SHA1
52b5088624638ccd77b19dbead1f5fe60d6beaa2

SHA256
6781d9ad4e58125b10bad47211ecdafcaeb924a362dcd4721c545d5800bf42a6

SHA512
ee624236ae23fab547c925ab4a6ddb20a3cda2adff3d16c7776c8a418de1868fa1a176b7e7b1c16ead57049e26d5027f9c1b23f50c024161f4a87d323fe9855c

Download Submit
C:\Windows\SysWOW64\Baaplhef.exe

Filesize
336KB

MD5
ee28a018a7d9b1b4734c9e0dc61b9151

SHA1
91191f2af238561c7ccb722c96997d4e74e9db30

SHA256
2e7df6900f167eeb72ffc2d7ee2565caf4a9273ba0296bc9c576883d84ddfc6b

SHA512
70ff59da6121d7a3d4879492a77a80dd17953f8f142abeb1dc2ae63236f7fb3545fedafa4dfd9a3f9a64b4876adf6ba556b30ffea78830993017c8ca140588b5

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
336KB

MD5
561a5c0a70d976412b29ba9fae37ae4d

SHA1
7a6739abf6656296693f8bb479c577a500852069

SHA256
f077c0e848e0e02a6293e49d5414f1aeccd9b6b1764db0075bc29bc1bc546dc7

SHA512
f56ec7d86c77de829aed746841b6fd3b6a3d01067a9dfdef39cfca3aa77ef11633dfdb954ce14246c2777896b3e5abcb07b309f96bf7ae00eb45a3cfaf60109c

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
336KB

MD5
22d71d67fae8ab82bb29bea511ffc291

SHA1
2aa1421b1fbbe68e0504cbdb3016993dfc367933

SHA256
aa86697e6da81b5479b606fd12433f0bd4ddf615de411a6f84d6a978f49c6dc6

SHA512
c1ce71fd39b333a1bb428c90f4394f12838965fda54d50038cedc15b6ed15bfbce5c41c609cd324bed0a3d0a698c54cd2f2c93029ee9ee811ff262604df1004a

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
336KB

MD5
a7b8c4415469397df712aeb1b585eda3

SHA1
cf258e0eb10406fade356fd754aa691481c94bcc

SHA256
33b1a373ceae1639df8bb09bc5478d599630b7cb5b34efb740841051ed481bd4

SHA512
ca5eaf1df037cee287a8694550b737c73be51bfdb8d59724361660fda65e9bc7411ed0ea2a72797ef4c6ba347c267bd4055c2cf45757493cf28c736c212290b9

Download Submit
C:\Windows\SysWOW64\Bbifelba.exe

Filesize
336KB

MD5
61efb4805a10c0bc4e016eaa8202b451

SHA1
2fdeee6460aa9a05642693fb357da6828acdab17

SHA256
cc0707b05896a430ce03134e2b0a8a7923e00f0a8a8fc1971c3494b5d226231b

SHA512
a30679890ecc83ba0152d36d07d07882a370059e2f5e287d5abd1a0004eab5e155edb12b056c6ca173046e8e792ea71029eab59ac18c81fbbcade50d60770d36

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
336KB

MD5
0d4bbafe6d86e8cfc138aa1f55f481c6

SHA1
f2517da1094e9038d2a1c01d7f9706aedccc2cc0

SHA256
26bc3957c9a174a3b3adcc8bd1dd872e3db3032bf3ad42972d68a1bd28972e5e

SHA512
ecc91f7520d8df9f6dbbfb199fca7ec93e9bc695dfbbf18e2e6def5bd30dad1c4264d372041b8201e20a65377367ef174bfcd2d04dd77db43038304d035e7969

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
336KB

MD5
ac214758900931e2a92137f008e041e4

SHA1
68fd7d611ecfa7d8e10ef7563e225310ceb2b1ef

SHA256
fc0f3b27475bf7da259048544a7ac23e453df7e47bce4b7b737c1c61f5ef613a

SHA512
90bd7f249497be3debaa47022e6ce60f090e70a76aee4f5b51cb981133a929253fecff087fbf7ce2b105b53aca95d86f351d75fd394f312cfe8285aa6425b1fe

Download Submit
C:\Windows\SysWOW64\Bejogg32.exe

Filesize
336KB

MD5
5e19024ba385b5ec24027c9ffb122fea

SHA1
80f5118cea52204b6d52f71f69518f19161cc3d7

SHA256
dacd83393d544ac42bbb00e3d4230f3b0dc83c75a96454c3c8a06ea3036e4071

SHA512
08cd80f2cd6d701d7f4e7e886f12e0262dd685d3ddbdd38007b99ae3976daaf177782d4e6640fbda2aa63285dff66e82435f3bb8e9a64969da6af3c0757f5e5e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
336KB

MD5
2f8c0307e70d5529436a24f0305d8940

SHA1
1a11324ea145881df74290f85d837a46cfd52bef

SHA256
e9e75607ee8de18dd971b70765c46b393249828e0c13b469254effbabf7caf6c

SHA512
4e2c4c00861c9fa9c6f9b2212fcec533e3f1bffaec0af4ae2b396c55e7ca8140bf99e16efdaa54d189dd74fbaf1d81592b86b7afeae4ab89833dc4dfc6be6ecb

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
336KB

MD5
9d84cbdb10188767f4313d1016a23681

SHA1
f29584e2e0e49525f321a67bd6cff9c1f07c8e22

SHA256
6c227959ef5cf6ee671e4a36c18ff4620c0d491b832dc47978f57628069c6372

SHA512
b79b1f7d8d94d1f1ffc31c3dafd9da02775799f78e3975ad20570ea632d703cce18b107019c0cb00bb14e3cf4332c01f2733ce26e4143ee3948de1de54925cfb

Download Submit
C:\Windows\SysWOW64\Bjbndobo.exe

Filesize
336KB

MD5
bde0bbe4a1a74838e7c01f3671bb5071

SHA1
ac8a165b0cfa8b7ca645d8ce169bab7cbe250b43

SHA256
10e91ad2e4a5e4fb06231be3487abe39789b3fc139645ab338e7d9918d25fd93

SHA512
9845b86236453d0aee4012496739346ec928d1ad1872f1cb6846f8fa226a0e0e62a298a56f17fb7212935ac82d70521a0ce8ebba54c19fd5705f90f2b3175f07

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
336KB

MD5
ae05e1ed65f1e47a899fe1aee4ca44d7

SHA1
6f51c0cd5c765f7712802c8bda514f55ec9c2299

SHA256
54cc856ebcba16723a7096839663944e2ac8bc19637b8bf25f269c5f4a20df31

SHA512
3f55a4573ac1cf359f2a88f0a6d0b33af4034abc2b57d26d6465e2b43bcb09935ed22b55871fd50bcda40b6b8492bbcbed78dd22ad8ba64783d8c3201571020d

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
336KB

MD5
74de39a0a1f9c31f44ab3dc63792f7f1

SHA1
c80a8435002a1844ca4efd7d4dc2cb4ea22e8bca

SHA256
c9899e6d4762cdb1196b7d644ec0ae29e4fa51024b3213780307d4c8d3da6b0f

SHA512
e5e5986ec56fdbecde0694df00b8ee0ebb9a00752298f7e3ab30b76ec8a5b08a7248fcebad70948a926634f119417c41616705ccdf3ab38f00615a78bbfb57bc

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
336KB

MD5
d46efb9e8443ce225d1036b9a86dfd46

SHA1
1c75b0b522992005f02952a32eae2c996b3dad53

SHA256
893bf5217305b54ae5ab8780061c095dffc3bd185fec0d029a4e162738ec626b

SHA512
0aedff6c8140158c6e1cb83942b5287c7d070b32a378ff58ecc872c9a1f5475a8b41509165d87fc9b89a3a9b2acb66b3ddcdfa7ff5e710b0bb1008ff739a0e55

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
336KB

MD5
ff29c77f4a6e5bed0c4aff5cf93aac2c

SHA1
a35b1913b0cd46c019e35c86e740b1544c25ba90

SHA256
108c4c5ae6c5395f831ba7adf53d0fdb34d6865f989576c4f4c22b7509fadbdb

SHA512
c53f603c92d9797c7aae683cd936f39eb5f31023df769a0b84535a3892bd651ee8614b602dc29296ea304d42bd720ecdbdba56c233067fcb11de676b24ca6084

Download Submit
C:\Windows\SysWOW64\Bobcpmfc.exe

Filesize
336KB

MD5
3533ca95f9b5031585cccbb83fa6f7c5

SHA1
0ffcea40f69c5898792ded929a66861ead2db204

SHA256
9cb3c29c97b7423e2941bf23aa2e1ce9363e0ea15e2f93e887ad1c83e0bb652b

SHA512
bad9582953dfcdda4129f237c4eb0627ed7390c663db543608eaaf4a02fea274ed4b2bf8993cad8b955725ae20803b9b970cf80de84ae5af11904c0a30fa227a

Download Submit
C:\Windows\SysWOW64\Bopgjmhe.exe

Filesize
336KB

MD5
66aef013ec397d3dda954beec840e138

SHA1
e4f6b7e1f30bdc510bf323664e0d532c6ab862fd

SHA256
d82b052d164accbe6f1f7e3d9e953a84e560f5f094c15d7d4e7bfa09005f41e3

SHA512
298d2432d619c2632adf620edd68d0a4e0e12f5f71a19e73c30576fbd892a75d7ec061f256a480c1bbc52b3dcc559e8b0e925c7eef927c0e630b628840767a4c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
336KB

MD5
b06701617cf75769169400192191f6f5

SHA1
8c385160105417ec78499962b0d86764197f9b26

SHA256
a5d555afb9f8304cd962d5e1a15eb922d8ce9072b3c9fcf5ee389f4e39e48d59

SHA512
282e0191991c724f77a859d80c15987ede56f8262a7a8da626d6d8f56de3a777919460dc4e750e8f869a00eef82ac1cfc5208fdd592e2f9ee47c7a5192d375fd

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
336KB

MD5
183d48336fb011017113bc516a5ed9eb

SHA1
3251ce2430648bdfe84e51082b4cbbd1d95fe60c

SHA256
df2c4018cb2b9b83410de867dbf406cecb4659b12729443e0b78e1ecb780894c

SHA512
b6fff6dd1e8abdd5ea740979eaa73f2b63ae3ff451d817eca7276fc51364a56b2efc6c1f93af90ed301fb741e87c794612aa0e65ed82a257c4b1642b1b052bf2

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
336KB

MD5
2ab30ede069f06cae75a07ad55363107

SHA1
635b27cb7cabe0dcbb38978fd759b993d69d59ba

SHA256
0729ac68396e9c8fa496f2dd034461274bae1033d72a0c3ff00e807129e97f62

SHA512
a262ae228fd4131c3e0de6d1e2aaebdc5b7bb8f54769a6e70e7c44f8e8a036e2f4dcfa803b1b3b60a5ec0e841f88d36b9a24d48d1e3123c5438f0d93f8153c4f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
336KB

MD5
dd135dc34dcb1a072bbee582c4ea42f5

SHA1
272357ff2cedd948b14de54ddbe5fb5ac6602efb

SHA256
b0809f0241ca6bc399dc06437c01fbd3ff9b2ba324aaa1da1cac6eb62f6828f3

SHA512
7536c38e4ac606dbf85a488868603bdc7a19f8e53db4a2d0926c0e239f3a8706a604d6a331e069dd360ae90719836cff078a644def9a4d3e3f2749c55fbbd8fd

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
336KB

MD5
87d4f908c8948d9eb71001b87a11a6c7

SHA1
dcb152d684f39c0b28684ea83063b6bb9530464f

SHA256
2ac308d547959f49b7bfee3f5ca56d4f1569be2c3e6e1fe656df9b8afc2788b0

SHA512
ac8a4c710c247520958cced86626965627b6b76b783f1754dc5cd1077893322e6923d7743c3ad6eb27acca3351eb7fc96dfbafb89473474358eab5582e3095a6

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
336KB

MD5
5bd17305097d586180d62465854fde6f

SHA1
8fa71360dab9d16f385f6bf7051fb77ac9df3170

SHA256
f5a956e76c6675820fefe658c9884f94121649881c5744521b2e337049fa3e93

SHA512
bf91b1f27b99b9993abf60c138f9f5523b46585ca937fd620d7b613cdcb3f4ff47036fa41ff6f4d28b1d98ecf0a62454c7d758464cad7d3ad3f2349b08fcef4d

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
336KB

MD5
e31ac59d61a6eb78e2b99226dea0b50b

SHA1
49340ae56b30bfcba155d93019e9ae0978a7bdfd

SHA256
30bff26af090556e3ee151027db18c64ff0a19a26ffe3c81417ed7b92adee305

SHA512
4c3db48a4a9b4006a38010e91199637abad7c9dba637e1265f1aa8ee3b664b37aa84de56859b40765f029a70925bf31445182edb459b55d682f360a64ff5c7b6

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
336KB

MD5
d1cbcab293db478a4a033810ad44b441

SHA1
31ef23e4f0e050411e452ba89a2e58971ab3320d

SHA256
c2b77eeccb852e8b95be66820bff39b7ccd21374a44e229e206aece4d477ad1c

SHA512
3003160d3833524f0e93d9bfcab70dd768b4dd58ee1e7a7e037acb1f6181aaef9d583b9fdaec94f60c35c394c1b0ba104d24186a33dfe7f7c502502c8e9152ed

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
336KB

MD5
db106f3447b107015664ce086b8af4e1

SHA1
5c38d94c711f98ab7876b67fbd4a24d7777bf642

SHA256
f13bfa86e2e0c038e2675b1e878e2a855ab5f0182ac4a950777ca295b74af393

SHA512
7a685d7176e130d6a6e07500444d634baf957bad647d214fdeb3de779fc294e377962f0b4b1e1708c0e180e181981dfd64bc79e269e121588bf75152c13a923d

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
336KB

MD5
c78d360d3e64c8f552274b737dd83cc0

SHA1
b4cedeb808767137cd3763b2eb094141ea05e106

SHA256
0a4c2ec686cf5cab45dd37bf2652d42a18821ccfd2930aa4e2272aa8b4cc8319

SHA512
811da2f29c38e2e05f778026f60b1494db9e4c4a72a7f1aadd771ba2430c1e7a9a47687cdb0ab35c81ffb6d34b598f1c3892dc45a2880a9c2e649a7132c148a1

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
336KB

MD5
7d77209933f75f9a3cd8485f63d41246

SHA1
adf131333802e77d18060ebf0ccaf8292609c0ed

SHA256
4f5134655dd8c8d2c7036bfc7ccacee48106e6d5b44db816c625bdbf8e99289a

SHA512
6d81844336c638a364bdd674a0c0a073eb56398e398d31658c834e79bdd50e3e4006d45b2a2bbd099ee0cfd44e4048ca9ca1a2773ae244522f9a192dfeef0324

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
336KB

MD5
9644fef79bbdb733d9de2ff46e947e40

SHA1
9450e993abfb311096087e504927b1f7c06aa81d

SHA256
c0ce8cc9b057009721394f464313fc34e414e258f103a7dd44c2d31b781604cf

SHA512
50541658eec6445277a179e27bfc589e86a563bf94335ff82e152c425b9037b958863126a7e435e7b14c65d715ad710789b8b07d1eec715e6f21f0eda58f5f3b

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
336KB

MD5
a8edec54c69e12b159e201278687530a

SHA1
ed376f9d1b11e786111d71813ba3722916af328e

SHA256
51b62213ce3a07c4b2c14ef89117aa058eb200bd2882e9a3f540361377f11c86

SHA512
c8f36733ffc341905fb184d303b52869970a40cd741d5f22ad57dc44d71ee8eae30b3b741dbe4d3f2efebe8920465a60eb081e3aecbea8f7784ec014d4f1d771

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
336KB

MD5
fbdc0699ed4b3ab1994add62146c4189

SHA1
5d846322eb2dec8775e5310f77e3fbf90ed9d63c

SHA256
7f558360dcb9ef84d7e912db1b1dcc93c2845297088aebeeff193b29f653df42

SHA512
0120c738d137cc26ff1d9365625e1002884d77b782415a015337959d2c44c003fb926667f7543b6b8d024e0d9bc35d5e743a1b3c60528e732404cf76d53c3e68

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
336KB

MD5
3a36e2b2c191c1bcc956e1cd72257f69

SHA1
6662fd4d95e3a85069f58acbbf88c008b06a4b54

SHA256
b7b2ddf46c328a40be196e9f04f1e83da93adabe132679945e1a3d0bcdbabdaf

SHA512
41fc17cdcdf7c79aa93929e1ac7aef8c577b2ce8545d05c0c1d818ad7a732a8a51ee0aad5c36e8f2c7337521271730551aa2aae83dbbb092cd2c28233878d615

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
336KB

MD5
fc9c119aea7fecf11f6c94e1a474cccc

SHA1
31f306d1f0f4926fba8b7c45d578752aaa620491

SHA256
1bbd29e977eed040fffd8b5ed0bfa2c56fc83b8cd4c81475b9262f5a9888a377

SHA512
402e1aac4bd4d22e08869c6338856624cc3a395df411dbe7353798150e5fd068f3c6fe2355d0cc35d79195517a2c4926b576556c755083e11fb0f2462a656913

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
336KB

MD5
8e4132168798e1afc9e1fce79451b38b

SHA1
9e3c6f7d905662df940927da4637c00e45f23929

SHA256
f92ada6f9a8db02927cbe66c230200d00deb0e1e4925a5fa6698daab44da2e0d

SHA512
7b04301c0af0f40b6c43145e12a99841d4fa172538566f8918b0d580a85616775d47840480c2be5dd739a82f57b8898e986e77edf4f7beabb15874050df5ff8d

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
336KB

MD5
292e6e554bd03dd3159e41e02864b893

SHA1
98ff2d7da612a5834db023b765d152a48757e9ef

SHA256
17b9f5e8df3b0a456f3fbc077a54a41fcfe8f6572f60856e8c183da5349900db

SHA512
1dc8bd7ef58f6209e1e2fd41c0a62d897f1721b64acb3062583d2d8b2483619f1e6f7338cd4b4f414b659e3025ac96ce3e5998f33c62d808f92d467574ee0751

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
336KB

MD5
dc2de913e6b3c1f404bb57a7c03141b3

SHA1
ba027a8082bf7276320e9e12618bd67f76b45e6e

SHA256
a4091c81ca3c968ae2f835a81e5b2f749823f8ad36ad0b16cd8d0c2485baff8a

SHA512
16622f329f1f505d8108d422d74ea8d854fd058baa8c29bf0a3bb0ebb2819dd5eba32ce6e6dc0e886fac4cf70669f35458f8e7801e42b0d279fd5e2edc5d25de

Download Submit
C:\Windows\SysWOW64\Klqmnp32.dll

Filesize
7KB

MD5
1df635789c94981fe9ce14788502cd7b

SHA1
f46c5c9225ebcf3328450ee98d032c6f7da31776

SHA256
3f076e1b220bf707d595c6bca5713280023effe479dbca73c3bf3c581bec4a78

SHA512
bf07468f6ae9de3df18a45a59ef21037bb375ad07aa212012707195ba26c4568131f83cfc64fb995c2aff30e9a6603697cff6848e8e7c93c1223cc00dde331dc

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
336KB

MD5
51fc70ba834bc861276f7cea4e03c25a

SHA1
06ecfefc70b0dcee3d3d4135fca10e96143dda67

SHA256
411a7e89dcf2657847216c908e7781c0db73a42911d892e9b9f37c171d4660a5

SHA512
7d04bcb142910e57c5b32c38d9f59189f5a05033b926e98853e2c71909c8b6b8ffa4512990f70fa45af6b7137b56a7860182501c3acbb61171fe9bbee8a3ab29

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
336KB

MD5
477bab36ac6dc3d599f7148ccdd249f4

SHA1
a2d2d7f0218350bf86481a2aa138044680cbf52e

SHA256
013e2bc90b0a084a58df506b7426d85ed556f6932f0881cc8eee4d106dcb4417

SHA512
39fb5339ca7b608aa3e9dfaf7b79f08f7aec1b59102c36d0a757d3321bb00a4af2c5e65a25f0ed444bc6e3c11fd92b343a4ed05579971ed3fb8d07c12cc6af65

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
336KB

MD5
fc62885152ece86b97e8011a535c4330

SHA1
884431c448274a76ee844995b41ccd559e25fc99

SHA256
5c9ab037465b723f4940460cc6d9e2c75573a9cf485df15bd72876609272e0af

SHA512
ab2704455b735adb7f1f1386429cc06f98feee9530d08173adb062b56a89bf8cca62663a0432dd0ec088ee3555e988c2b2de793302d523f9ff8fa72698f77137

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
336KB

MD5
e432efa531d16a0837ddf80b4934fe6f

SHA1
3fa572b1360b81733dac772a8d17a2ca85f05fda

SHA256
b233f78b0e392d21796ea807041ac4528e7dd6ebd7a5b8222949edac086a1268

SHA512
f9b1e9d7de69628747c633f4295c5f0557f6af7c91074697acdc991123846aaeae70d7faa2bee4c5a814ebec32049178f7e5b246b81798716d50780b9ec0e9ef

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
336KB

MD5
6ed4c9bb63c79d8f160099b123d257c4

SHA1
4067869cdbe947a9f6d4fb05a1b75a7158f59828

SHA256
e60f5e328fc7d37253745ebd0fdf1c6819ac1a14e269b5338215451030e23c5a

SHA512
0d3c7418254a17b9a81e33ccc9654eaaed52b424e7c226f21507182ef79fab534726b044828109227c6b454f4a7b6a9f069eac5e4852fbcaaeafb766afdf313e

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
336KB

MD5
b4d48ad2f155239d3190ecacf80b788f

SHA1
68b8c5cbba60c08d5400ee4852e5765067963143

SHA256
f1717f69f95be67eddeada2801a424f5c2fe2fec39fece88ea6fcca1b0c799c0

SHA512
898ae436977a6458f7af60663a7c5839efe0e4c292eb23f195ec7a93c34c0e930e52ccf12571cecaf3126acf5ddbaeeca1f5750fd67416ebec09a93bab293369

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
336KB

MD5
59da92aa2c5e92d49ec83b21e8613eda

SHA1
d5daed3adf02faa0636d5112496743a3e732b4ed

SHA256
5bf9289ed177e4a913053be9dcf35e51a6b0e98820a952cd43d82c7de4824967

SHA512
d24e1d4e014ebfede954d29131c32f62b52ccd6e02940dba8fe9fde5dba6aecfa8201a62df560ca17064eadc328cbd90bca0d0bb5e22822248f3e9b316964fe0

Download Submit
C:\Windows\SysWOW64\Pbpjhp32.exe

Filesize
336KB

MD5
0c833af5571a5173f71ec14c475cc676

SHA1
720f11874c5dca56a810f57520ad4fbd402de1e5

SHA256
f3273a8c2f144bde33e77a8ff2573327837e6e38342411aa43e1279b21c22f66

SHA512
76e3222f4b68015f26748c433c08cff4b946f0eddedae7f9b97f5c47450b173b7ae3128d1c82ccb88e4fbda85334a85c83058b94517c2a0ab4e48e25e3c1ce4a

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
336KB

MD5
b9ac81d0fa30eac2023a1f2dafedb34d

SHA1
03b7d281026eca34d7352facad49c816824433d2

SHA256
4e9ea55dcbf64be222ef345b65347007237ab04c4103961279450ae2a557ab41

SHA512
73f912b3362a11c27ba9c41aa03f4ba05d3b60b931c5a98afc136134025ecfba8a3776ca6909945520fdfa9c4d79822f9280f8dde32ff2b92abcf3994529d17b

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
336KB

MD5
9af54ceb3c171176d4727c9f3d65438f

SHA1
d0e53008c2be69b510135dc28067b4809c1e4637

SHA256
5a72f0cb06da981dc36f3fe0ba47dc595144d094d0b36975d84a0528402baeef

SHA512
09c512c12827eff68f353d97193d87e009204496bd0d10798b304001f94e0b2eb2763d865e1a64602f8f8222d8223fcce136ac043ab84012b8a80091b047acdf

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
336KB

MD5
02c73d93faa45bea5220db76f9f5b3e3

SHA1
ce159d76e193e62f52221dcfa6b633f9f0a70e8b

SHA256
86f84b810338d3e186115039317d1da782209ad5d0e922b9f021cf9512a1971c

SHA512
837680e315d531755298dd81ce294138dcd4149556c82084738835555322bb9e03e87a682331b7ac722e5f40c173779dd13977602e9af07d04fd48d19f7d4f8c

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
336KB

MD5
d3f9304c965bd4029f54987f1af663bf

SHA1
045408b578f0503153677014cec569c471d0fb16

SHA256
9ca5e3e37d282b55a400a0bf20a23dc7b43d1885d413bc0e8bfc6980fc99de2c

SHA512
32cb678bd60a0e7205d4494a638b9a90861d477ed28ba26a17bb4f9bcd05d506cfab004d2335a99d7f76f8efb3f742e2c5dd1de97bd16c45f599f3366d326568

Download Submit
C:\Windows\SysWOW64\Qbgqio32.exe

Filesize
336KB

MD5
a5b01c44a20c85321478af30496374c4

SHA1
306d41950bb6ea4ff39347e526858986d2b96a0d

SHA256
62f26e00a0f3b96138574e13dc91be7334d03035dd1cf9e6af3f2badef9cea2f

SHA512
7379e849c5a4f41772ce8b62f06b7a0a58c9d0f18a848a3ae8b7f80db82189adbd40ac916a096c731d497f0e90556c5d2e2e0666bab307aaf0f429eb09b4407c

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
336KB

MD5
5281ad258cf549127aeb003608ae9196

SHA1
02efec365a4e0b8d28eb01bd3a906b3ac7fa9d63

SHA256
93feb593ba29b62a8d070637c14612f0543cb7d3355fc53b70c36f1c631f5028

SHA512
ccace9e0ac35808637df94558d67ecc03ae99f5954749d504ed5ef2682992c0c9ad94f94fe7571bb6429a601bd6ede9ee314ae6ef079ee0294b6bf60f3c1f0ac

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
336KB

MD5
03adef8894927418bc63258ee032b322

SHA1
41b2e8531c445a3d5c044d77a5010ba3d7af33d6

SHA256
81773807f2b32169fbe2ed2db6252dbbd6dd817d96968c487c6ea056e03406b7

SHA512
fa1454de625916066247a4fac2f4d132371ead7be308b017948dd8a031b43d2a1c92106a25b0b4e6c2e14c791ece6522196937ec1cfcaf01d596e8febdc6e52e

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
336KB

MD5
3294064f2297e48fee5468eaa31a9598

SHA1
1fef66f751c368580b0bbb86e5a02fcf624ffa13

SHA256
09f9fc7ae59240306dda540c1faba5b262ceba27a44737fe3fc57811c4a12db5

SHA512
6c0b2aac002e9a0e7c8289f19e5a44a33cf44c69835571cf08b73bec232bc1db27cdcc993c78844fcdcfe47948fa9fde90aaaacec5a814744236fd98b35cbf18

Download Submit
memory/372-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-542-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads