5e13da1834dea21a50709ba21120815adbf5210ba89248fdeb4fe55df4670f0d

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe
Size

243KB
MD5

4227b37a7d29cc98469f123570f080d0
SHA1

178ad38019b14082773cd8180879660d1b990453
SHA256

5e13da1834dea21a50709ba21120815adbf5210ba89248fdeb4fe55df4670f0d
SHA512

13dd2e4c9ed0c201da1385c9d58829de341490b3f2b6c173c230985cfc08fa6929a0e4a87dd6cb7ce81abfbe815a29b8827d44e11a2a98569138831ba720c55f
SSDEEP

3072:orAkNX8sK6JKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:okuX8sK6JKzwdlU2zlNgwTnAWtlhjQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdickcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijkdmhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oalipoiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbffdlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhokljge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekmhejao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldglf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bochmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmlddqem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doaneiop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fngcmcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloahhki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgpod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhmqdemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldglf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emmdom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aafemk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclikl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Popbpqjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phigif32.exe

Executes dropped EXE 64 IoCs

pid	Process
5100	Mgaokl32.exe
3604	Mmnhcb32.exe
4992	Mgclpkac.exe
4628	Mjahlgpf.exe
4684	Mkadfj32.exe
2316	Nclikl32.exe
1284	Nlcalieg.exe
3060	Nelfeo32.exe
4584	Nndjndbh.exe
4960	Nenbjo32.exe
1080	Nmigoagp.exe
4016	Nhokljge.exe
4856	Nmlddqem.exe
440	Neclenfo.exe
4784	Nlmdbh32.exe
1040	Najmjokc.exe
2820	Oloahhki.exe
2476	Oalipoiq.exe
456	Omcjep32.exe
4752	Odmbaj32.exe
3092	Oobfob32.exe
2580	Ohkkhhmh.exe
1836	Oacoqnci.exe
1488	Olicnfco.exe
3820	Peahgl32.exe
2452	Pddhbipj.exe
4512	Pmlmkn32.exe
2152	Phaahggp.exe
516	Poliea32.exe
4556	Plpjoe32.exe
5008	Ponfka32.exe
4808	Palbgl32.exe
2244	Plbfdekd.exe
4896	Popbpqjh.exe
2784	Pejkmk32.exe
744	Phigif32.exe
2552	Pldcjeia.exe
4020	Qmepam32.exe
4880	Qemhbj32.exe
216	Qlgpod32.exe
4604	Qoelkp32.exe
4928	Qachgk32.exe
3328	Qhmqdemc.exe
2308	Aafemk32.exe
1716	Addaif32.exe
4296	Aojefobm.exe
4360	Aahbbkaq.exe
2760	Alnfpcag.exe
4376	Aolblopj.exe
3224	Aefjii32.exe
5028	Ahdged32.exe
3284	Aonoao32.exe
2044	Aehgnied.exe
2364	Ahgcjddh.exe
4300	Akepfpcl.exe
1076	Aekddhcb.exe
1984	Ahippdbe.exe
3056	Bochmn32.exe
2600	Baadiiif.exe
3584	Bhkmec32.exe
396	Bkjiao32.exe
5144	Bnhenj32.exe
5180	Bepmoh32.exe
5216	Bhnikc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oobfob32.exe	Odmbaj32.exe
File created	C:\Windows\SysWOW64\Cjafgpmo.dll	Flfkkhid.exe
File opened for modification	C:\Windows\SysWOW64\Kpmdfonj.exe	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Clgbmp32.exe	Cdpjlb32.exe
File created	C:\Windows\SysWOW64\Akcoajfm.dll	Hmmfmhll.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Opclldhj.exe
File opened for modification	C:\Windows\SysWOW64\Mgloefco.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Amlogfel.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Lnmodnoo.dll	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Phaahggp.exe	Pmlmkn32.exe
File created	C:\Windows\SysWOW64\Jcmdaljn.exe	Ilcldb32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpmnl32.exe	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Ebdcld32.exe	Eofgpikj.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Fbjena32.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgkmpj.exe	Hffken32.exe
File created	C:\Windows\SysWOW64\Mhegobpi.dll	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoknihb.exe	Blnoga32.exe
File created	C:\Windows\SysWOW64\Bohgljdl.dll	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Nmigoagp.exe	Nenbjo32.exe
File created	C:\Windows\SysWOW64\Qofmkc32.dll	Nlmdbh32.exe
File opened for modification	C:\Windows\SysWOW64\Peahgl32.exe	Olicnfco.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Fnipbc32.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pmlfqh32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Mqpdko32.dll	Cofnik32.exe
File opened for modification	C:\Windows\SysWOW64\Dodjjimm.exe	Dijbno32.exe
File created	C:\Windows\SysWOW64\Enkdaepb.exe	Ekmhejao.exe
File created	C:\Windows\SysWOW64\Dnkdmlfj.dll	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Pddhbipj.exe	Peahgl32.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gldglf32.exe
File opened for modification	C:\Windows\SysWOW64\Holfoqcm.exe	Hmkigh32.exe
File created	C:\Windows\SysWOW64\Ioolkncg.exe	Iefgbh32.exe
File opened for modification	C:\Windows\SysWOW64\Plbfdekd.exe	Palbgl32.exe
File opened for modification	C:\Windows\SysWOW64\Eejeiocj.exe	Efgemb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Lhffmd32.dll	Nenbjo32.exe
File created	C:\Windows\SysWOW64\Plbfdekd.exe	Palbgl32.exe
File created	C:\Windows\SysWOW64\Bochmn32.exe	Ahippdbe.exe
File opened for modification	C:\Windows\SysWOW64\Jllokajf.exe	Jinboekc.exe
File opened for modification	C:\Windows\SysWOW64\Knnhjcog.exe	Kegpifod.exe
File created	C:\Windows\SysWOW64\Hffken32.exe	Hoobdp32.exe
File created	C:\Windows\SysWOW64\Iefgbh32.exe	Imkbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpcjgnhb.exe	Kjjbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Nqdmimbf.dll	Geaepk32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Pnfiplog.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Micgbemj.dll	Clgbmp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8664	8932	WerFault.exe	409

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll"	Nmlddqem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pldcjeia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll"	Emoadlfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdickcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll"	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll"	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndfbikc.dll"	Blielbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgmeiqa.dll"	Mgclpkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plpjoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiloco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjinf32.dll"	Gldglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palbgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmepam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idllbp32.dll"	Aafemk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll"	Ibfnqmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll"	Ahdged32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnfge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjnfdhk.dll"	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll"	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knqepc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clahmb32.dll"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmigoagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmlddqem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdickcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll"	Fmhdkknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 5100	1296	4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe	90
PID 1296 wrote to memory of 5100	1296	4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe	90
PID 1296 wrote to memory of 5100	1296	4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe	90
PID 5100 wrote to memory of 3604	5100	Mgaokl32.exe	91
PID 5100 wrote to memory of 3604	5100	Mgaokl32.exe	91
PID 5100 wrote to memory of 3604	5100	Mgaokl32.exe	91
PID 3604 wrote to memory of 4992	3604	Mmnhcb32.exe	92
PID 3604 wrote to memory of 4992	3604	Mmnhcb32.exe	92
PID 3604 wrote to memory of 4992	3604	Mmnhcb32.exe	92
PID 4992 wrote to memory of 4628	4992	Mgclpkac.exe	93
PID 4992 wrote to memory of 4628	4992	Mgclpkac.exe	93
PID 4992 wrote to memory of 4628	4992	Mgclpkac.exe	93
PID 4628 wrote to memory of 4684	4628	Mjahlgpf.exe	94
PID 4628 wrote to memory of 4684	4628	Mjahlgpf.exe	94
PID 4628 wrote to memory of 4684	4628	Mjahlgpf.exe	94
PID 4684 wrote to memory of 2316	4684	Mkadfj32.exe	95
PID 4684 wrote to memory of 2316	4684	Mkadfj32.exe	95
PID 4684 wrote to memory of 2316	4684	Mkadfj32.exe	95
PID 2316 wrote to memory of 1284	2316	Nclikl32.exe	96
PID 2316 wrote to memory of 1284	2316	Nclikl32.exe	96
PID 2316 wrote to memory of 1284	2316	Nclikl32.exe	96
PID 1284 wrote to memory of 3060	1284	Nlcalieg.exe	98
PID 1284 wrote to memory of 3060	1284	Nlcalieg.exe	98
PID 1284 wrote to memory of 3060	1284	Nlcalieg.exe	98
PID 3060 wrote to memory of 4584	3060	Nelfeo32.exe	99
PID 3060 wrote to memory of 4584	3060	Nelfeo32.exe	99
PID 3060 wrote to memory of 4584	3060	Nelfeo32.exe	99
PID 4584 wrote to memory of 4960	4584	Nndjndbh.exe	100
PID 4584 wrote to memory of 4960	4584	Nndjndbh.exe	100
PID 4584 wrote to memory of 4960	4584	Nndjndbh.exe	100
PID 4960 wrote to memory of 1080	4960	Nenbjo32.exe	102
PID 4960 wrote to memory of 1080	4960	Nenbjo32.exe	102
PID 4960 wrote to memory of 1080	4960	Nenbjo32.exe	102
PID 1080 wrote to memory of 4016	1080	Nmigoagp.exe	103
PID 1080 wrote to memory of 4016	1080	Nmigoagp.exe	103
PID 1080 wrote to memory of 4016	1080	Nmigoagp.exe	103
PID 4016 wrote to memory of 4856	4016	Nhokljge.exe	104
PID 4016 wrote to memory of 4856	4016	Nhokljge.exe	104
PID 4016 wrote to memory of 4856	4016	Nhokljge.exe	104
PID 4856 wrote to memory of 440	4856	Nmlddqem.exe	105
PID 4856 wrote to memory of 440	4856	Nmlddqem.exe	105
PID 4856 wrote to memory of 440	4856	Nmlddqem.exe	105
PID 440 wrote to memory of 4784	440	Neclenfo.exe	107
PID 440 wrote to memory of 4784	440	Neclenfo.exe	107
PID 440 wrote to memory of 4784	440	Neclenfo.exe	107
PID 4784 wrote to memory of 1040	4784	Nlmdbh32.exe	108
PID 4784 wrote to memory of 1040	4784	Nlmdbh32.exe	108
PID 4784 wrote to memory of 1040	4784	Nlmdbh32.exe	108
PID 1040 wrote to memory of 2820	1040	Najmjokc.exe	109
PID 1040 wrote to memory of 2820	1040	Najmjokc.exe	109
PID 1040 wrote to memory of 2820	1040	Najmjokc.exe	109
PID 2820 wrote to memory of 2476	2820	Oloahhki.exe	110
PID 2820 wrote to memory of 2476	2820	Oloahhki.exe	110
PID 2820 wrote to memory of 2476	2820	Oloahhki.exe	110
PID 2476 wrote to memory of 456	2476	Oalipoiq.exe	111
PID 2476 wrote to memory of 456	2476	Oalipoiq.exe	111
PID 2476 wrote to memory of 456	2476	Oalipoiq.exe	111
PID 456 wrote to memory of 4752	456	Omcjep32.exe	112
PID 456 wrote to memory of 4752	456	Omcjep32.exe	112
PID 456 wrote to memory of 4752	456	Omcjep32.exe	112
PID 4752 wrote to memory of 3092	4752	Odmbaj32.exe	113
PID 4752 wrote to memory of 3092	4752	Odmbaj32.exe	113
PID 4752 wrote to memory of 3092	4752	Odmbaj32.exe	113
PID 3092 wrote to memory of 2580	3092	Oobfob32.exe	114

C:\Users\Admin\AppData\Local\Temp\4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4227b37a7d29cc98469f123570f080d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\Mgaokl32.exe
  C:\Windows\system32\Mgaokl32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\Mmnhcb32.exe
    C:\Windows\system32\Mmnhcb32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\Mgclpkac.exe
      C:\Windows\system32\Mgclpkac.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        23⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        24⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        27⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        29⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Poliea32.exe
        
        C:\Windows\system32\Poliea32.exe
        30⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        32⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        34⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        36⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        40⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        42⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        43⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        46⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        47⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        48⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        49⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        50⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        51⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        53⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        54⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        55⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        56⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        57⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        60⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        61⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        63⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        64⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        65⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        66⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        67⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        68⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        70⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        71⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        73⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        75⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        76⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        77⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        78⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        79⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        85⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        87⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        88⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        89⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        90⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        91⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        92⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        93⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        95⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        97⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        99⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        100⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        102⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        103⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        105⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        107⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        109⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        110⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        111⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        112⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        113⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        114⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        115⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        117⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        118⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        119⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        120⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        121⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        122⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        123⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        124⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        125⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        127⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        129⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        130⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        132⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        133⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        134⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        135⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        137⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        138⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        139⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        141⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        142⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        143⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        144⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        145⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        146⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        148⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        149⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        150⤵
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        151⤵
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        153⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        156⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        157⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        158⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        159⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        160⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        162⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        163⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        164⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        165⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        166⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        167⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        168⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        170⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        171⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        173⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        174⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        175⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        176⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        177⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        178⤵
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        179⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        180⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        181⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        182⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        184⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        185⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        186⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        188⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        190⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        193⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        194⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        195⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        196⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        197⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        199⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        201⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        202⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        203⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        204⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        205⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        206⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        207⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        208⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        209⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        210⤵
        Drops file in System32 directory
        
        PID:7776
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        211⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        212⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        213⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        214⤵
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7992
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        216⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        217⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8112
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        219⤵
        Modifies registry class
        
        PID:8152
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        220⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        222⤵
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        223⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        224⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7512
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        226⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        227⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        228⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        229⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        230⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        231⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        233⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        234⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        235⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        236⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        238⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        240⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        241⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        242⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        243⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        244⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        245⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7768
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        248⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        249⤵
        Modifies registry class
        
        PID:8064
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        250⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        251⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        252⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        253⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7884
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        256⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7212
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        258⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8212
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        260⤵
        Modifies registry class
        
        PID:8248
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        261⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        262⤵
        Modifies registry class
        
        PID:8320
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8356
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        264⤵
        Drops file in System32 directory
        
        PID:8392
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        265⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        266⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        267⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        268⤵
        Drops file in System32 directory
        
        PID:8536
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        269⤵
        Drops file in System32 directory
        
        PID:8572
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        270⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        271⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        272⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        273⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        274⤵
        Drops file in System32 directory
        
        PID:8752
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8788
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        276⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8864
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        278⤵
        Drops file in System32 directory
        
        PID:8900
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        279⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        280⤵
        Modifies registry class
        
        PID:8972
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        281⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        282⤵
        Drops file in System32 directory
        
        PID:9044
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        283⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        284⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        285⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        286⤵
        Modifies registry class
        
        PID:9192
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        287⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        288⤵
        Modifies registry class
        
        PID:8276
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8344
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        291⤵
        Drops file in System32 directory
        
        PID:8472
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        292⤵
        Drops file in System32 directory
        
        PID:8528
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8592
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        294⤵
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8736
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        296⤵
        Modifies registry class
        
        PID:8796
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8856
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8924
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        299⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        300⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        301⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        302⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        303⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        304⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        305⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        306⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        307⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        308⤵
        Drops file in System32 directory
        
        PID:8852
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        309⤵
        Drops file in System32 directory
        
        PID:8960
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        310⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        311⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        312⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        313⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8748
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        315⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8932 -s 400
        316⤵
        Program crash
        
        PID:8664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8932 -ip 8932
1⤵
PID:8380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akdilipp.exe

Filesize
243KB

MD5
6fabde675009c6526832691713c9337e

SHA1
cae3862ba23e6042ebf71a089e05b58248e938db

SHA256
0ddafe629981e019bea19994ff30a5241577b7d6735024033f7497fde37192a6

SHA512
4b087372034be80eae9bdb69920c94b26bded7da16ceae115a60f62ce5b3df7c4ffcbbe2dc707cd1134bb490926af2a5c2483f6de178ffe49724fc986805de5e

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
243KB

MD5
66e7d9087276ffbf110931710970f838

SHA1
239ecb794c05e1c0fba672008d20acd0bd22279a

SHA256
665dbab29dfbd3ff6a70e4cbdddf743b4bee10fb6ec393fec1fdfac79e890e24

SHA512
f6ac74eed743a74bd0395dfb7182658e149d793f2eec626be09f6a05895d2b9b3b3f4c9810683e3b3971d4aaaa5014625a7f7e1f039798af2770ca25510b76bb

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
243KB

MD5
47a0e1d22b567583ab3c6ed14e2ebe6f

SHA1
8f189784f24e94c653af73cd127cfaa7e1dfcdcf

SHA256
e0533ce77f082a9a6db302dd369e31fb1333c4d4ed179fc196301cc4c9197002

SHA512
70d463b9c8a9e57a003b18acf1000655fa42d73f98c7fe42099a0c9ee41924f85c11a059912dd41517a3362e78bbc4767af6b2ebf1adcdcc67ddd8684e41522f

Download Submit
C:\Windows\SysWOW64\Aonoao32.exe

Filesize
243KB

MD5
1c3e63e52e0474b4136ca6659cff2b02

SHA1
dc6777eb203c5910e73cacb68502a4dd06c00727

SHA256
f9bec6654781a0ec49eb009ffd77a87047811af156c9279cbbb44e35829d73e0

SHA512
9d0b5e06662ee703bb6e9e79acc4eb389d897e2680d2d70b677165a98b6013c04c01a56d775e5477aa806f5f65d2acdbe792e01471f45dcf3e1225997971a0bf

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
243KB

MD5
3d2f678d5899074e953eb9cd131e1b76

SHA1
2f6ecf324add829ea8a3b5d936d03979aab8f9a9

SHA256
c7e055bc20e1af3e07b9240182a556a5e4c67fc063f89b3e81e7d7116a4fb297

SHA512
65abd518c438ab39e422c93c3c50dbbed2827881d2b826b9c7e4c5fe4b2db4e9fe2c57a6aea968bd0fd65a5c434602124cc2fd0e0f040d7a3a09d160af454355

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
243KB

MD5
a50c45914b79ce07a592f936baf5a0b7

SHA1
a0f3e991d78152e739ad06d16ce8934302ae57f8

SHA256
08b4ca3a6b0fbb21123d08644066add0c432b96a792972bfd87df5ca0aabb82c

SHA512
e804cd759b91be7630843b898a60366b0f06358722d44605c0eb52e1273adb3973dc8a4960b4a0232043737a1e995d8da31e87c2328f46120349033c11a93f71

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
243KB

MD5
da06e738b65a68017fc2d3f36011aea2

SHA1
0a6f9ee22f432e74902f95d48ea703dd3343eb3f

SHA256
e4fe1a4d26107b0a9c41362d0af778407b772a63d3df58869a783af7381bbf2a

SHA512
9de3b52f91757ae95a5cf04368a59e3b1560f75560f16c3943ee2d5d2b1969b55139c32593fe7618a403be0f51bc0514dae50604fe656addeb14cf64bc3308ff

Download Submit
C:\Windows\SysWOW64\Ckclhn32.exe

Filesize
243KB

MD5
90928754f7992bd01ca809921dbb90ff

SHA1
ede52e22860d48b708af54abe2ec41eae37d61e1

SHA256
3319a4d5c9d3ba4cedad30536c5103acaf91a58801982ca631f9fd89fee16f5a

SHA512
1a267f551c64213453f2589d7db4cb2b3dba3a0b1ecaefc021e28e56b5ba91217f076091e5cec00e9c0d5a9ff7044181fd321010a596b186738468872ef56667

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
243KB

MD5
7ac8a6539968e746d6aea63ee26f0283

SHA1
23f2902c1af527b28cc36976951bb6ba81014c81

SHA256
a73b91820b2fe1d4c55a3a57aee858650c1acf9af009078218d9e55fbf178c4e

SHA512
2ef64038f946fbbf04b2ccb83fff3acf172b73d5ec4a60c0e24544d5681d669d8e9782232f245f669ffda26142e18278d24c87301670ba8308a1024d99f3c52f

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
243KB

MD5
c8524f4c185807cb793ae31f23df3dd7

SHA1
c0dd1401601c6ca363e46367930fa069386d7fbe

SHA256
5ade414b976bad500251f05f87c5f08007976e4353135b942faaa04fc5bd18c7

SHA512
a9ea37f6835230c3fb49803b61b869102e294ed5cda1e306b69c7055fa18695353e14eedee374724e8c5fb898cdda5397a98ca864c171d471387da883db2531d

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
243KB

MD5
9bd7880e7a64e28c1f1dd2fa743ad1a9

SHA1
0eace353a5aca02909c36789875aa1d72ec9965e

SHA256
5c0782cd468e19f4f78c7279fde12c8267e5c30c20c26fe9c4442bf54e4b1d95

SHA512
4f08ced2780ac16a2c5c49556ed945eb004108a2ec595089562444908faef591b430fe1772ec4785b35f550616a7d98683fc8ad390bb5a62d39cd1afe9778a66

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
243KB

MD5
f5ac67a3a893c77fbf99283b92685482

SHA1
7d19b209b0359163a356fb9066cc99e6f23f0e87

SHA256
57f3a672ad5bbe2377d996351bd38d8920f9338a95f1e46e5049c6b946754acd

SHA512
d3260bebb7ca331bc8cbbce9258e0cf28592b739cbbddd03d62962fb2c2f80a0859f3b263fc989d4dfa64752ec6d00cbdc1455f2cca7cf59d23e0d5730da060d

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
192KB

MD5
97ff0f386e051b5f954b70986c08e407

SHA1
d0d96260038b3cd5210f1ed416f3a15b6910b828

SHA256
3de5d05d47735552d9983b84bb768f1675d711a50239e2280ff24a3b187838d0

SHA512
5ef29d120acbc02875cac894d76f61c20cec84a0dade8db4222ce5a462b27c5891d15efcc4c62a44ee18a524dc2ae0f5c897aa3cd784bd144292e2b008a5b2c1

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
243KB

MD5
73a5344a24f15277a9b8395d7881c92d

SHA1
76c585a766de5adefa900aa0a8381f4563fad14c

SHA256
750d4e885fd0bb6313727e206307d5fcb616f9032a9e0433aba287e67acd0ca3

SHA512
c29f05c146fbed84cb6458e61743ee1e10d5577c96d8e59d63cc33c85c335c7dbb31db345f5510356edf4d4db1357d579c195dcd485d1a1b32e58a02356cf06d

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
243KB

MD5
3224c4f5e1a8c6d7abe2dab22e394934

SHA1
0df7d940cf9f89d538c1b51d5e3fe8bfe52d1e03

SHA256
42df1f3cbab7710a5985b7e6fdd1299a876fad5f1a21c81753a5b13ba8fac40c

SHA512
f27e949ac9c7186e6c4d19092ab94774f2434e8b475cbfed766742f6066349c70103fdb66121f625ef87fd3efc5ae9c6f8ab1680b7c3d1d01fdcd21c272a2048

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
243KB

MD5
e679e4de361b7abb1921a21f8c0e815b

SHA1
dd795b1452b95078ccdf2ba2b4c0dd39549fef6e

SHA256
a10dc07f6b948152f0ab745d53c5102e31c64c6f9d109c4284915832026d91ce

SHA512
8192c90d9bc2ab7896753c386d8307fd3bc5438c4cd2c3ac65f379243bc2b6bcf107a4a8aaa7f88d6c4d45ac36f6fba4d00cf4f07e81e26d92a005bd7ac0c0b3

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
243KB

MD5
50e91d4ddce7f77b0f139c65375f560b

SHA1
f3a845137a9f65b42a51fd6d08f611274c03f9f7

SHA256
35dbe09a23fdd387b833042ef427350af97d4dd3c8bb480a6b287fd3fafadea9

SHA512
a168447d35cf468ee1b5f313de64e0997d1c7770d05012f1c3967f5a1ae4d3a0dad6cf612425f015dc51eb2e165df7bed45f74ce7fc9c3d0559f39647b410b91

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
243KB

MD5
8763d43f380a527c0bd82fdf452f2226

SHA1
4840bcebd99f8225b940c0044d308f1848d3c39a

SHA256
c2ec929834b7d0f3a11e61f3724439cf34bab45b59b5799354d53206e92d2376

SHA512
33b798bdd9f1ad0f1ea169da5fb6c019dd4e28beadfad42d3e0ad7be00e6c357d3bedbbff22a63c6a4cf62dbd69a7fae62e2531b8e1b90e317af16d49ff664a6

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
243KB

MD5
4e57f861446fb47edfcafbcb99bc7353

SHA1
b580490187fbee3b5dccbe1e85a92d3b6681ae9f

SHA256
12213cfa2041f37191cdc15c712917df2983785d00df1c634bc99cf36e719278

SHA512
6a6d755ffab49f74c2239f00c409e7d1f7cbcd7b2d470df7814f1d288b90890cd0bfed19753943f5af540d45dc6b187b9706b745d937f28ec73fa172368fbf30

Download Submit
C:\Windows\SysWOW64\Igfclkdj.exe

Filesize
243KB

MD5
6c14df843b966b489c5d8ac387831cc9

SHA1
8bb3239314f6a9dd36cbdd0d772b5a06541d58ea

SHA256
a89839fbb041bb03737d7237f91b97e0ecd6e8b7c5e654f8590bd8f0592e1ee0

SHA512
c4749215dfed94e06b6308228cd16075f32447930852a6b139f5e629bc655856cf76549baab5c92dfdda3fdc6b308624f02b0929a2c7fd6175a05d7b16651706

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
243KB

MD5
38cf5caeccab6e00de65278b613f16dd

SHA1
0166a26411232857904df1b2c7633000e07b9793

SHA256
ab6f03d44b7c74a5b9c0e2f5f6d6660e855d65aa5ea2f4bf6939290bc6b25d17

SHA512
8041732a2e570bf22ca40065fbcd9ad8e82a269dbfcbc791efd124f6e6da43c68bebd22f5f0fb2719d1d1d663715a4dac7e0ce9c3e3bfc524803b919cda70b7a

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
243KB

MD5
e8f4e9fb2880b3a11a42577a30a6832e

SHA1
7f7c556891b442c015f45afab7056179b09fea0f

SHA256
4e2b12e6c615d5a38624c505eb7afb8ebe150f6c154ed8398699faa40fe49a22

SHA512
bacbe2244672a0095fe18b04398ccf291d7f2fe2316e17d4602f61a271cbc58776670f50f502447f3af1366981a52f5ba22d4872958a25e71ad9f990d45779b9

Download Submit
C:\Windows\SysWOW64\Knqepc32.exe

Filesize
243KB

MD5
43f62f573fa2a63493b07049668a83c9

SHA1
c07891dcaa0610e7053efc558c64fa5fd7a47901

SHA256
6ca8af77476461b9003b404d1ac89b779c93cd03e63b1a0f0811788d4d3a07fa

SHA512
a4020d9acb52cd049d999ac896ff28bd5b294f5a5007d32b8bbed8b5b2e29ea9094514147d875adb158d73e87b0add9cce58b73f2c2dc473babfe3e5a952d72b

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
243KB

MD5
5aaabb568252e2eadf557d9f92b05ce5

SHA1
0d2b2cbed7877a34fee1fa3d723b5844b8d35190

SHA256
5d9f6cb09adf9e92c25ea2e7dc629aefd5471d97432ab3c0dbcca9d9e1cc0484

SHA512
eb71eb12106ac1321493162f8f4e11f7b2c2ec27ce5e2302cb65b13ce7ef1c0277233802fc14a5f2c9f176b6d3dff0dfa893c75d7e2f02cfdc59d2821808547f

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
243KB

MD5
05ed446ae21ddf054838f97bd7f1c58b

SHA1
fb7331c7b976344a5b00c36333604e6004fe3b93

SHA256
bff01d0eaf8d11f868efbb0fab81c0fd6e5f9f873c8a3be16114e37134cd840b

SHA512
135f6643d7c5866dcf1e7216a89fee4a055bf3a618245bd493ec14fe833b22433513cd8e95ce5ae750f5d3cfc4ed2359bf607581f4210f4ceac2dcad0770c7d5

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
243KB

MD5
fd00648bdf11aa86b791044d58299c42

SHA1
f0dc5297322576627b0bbed7b4f23b4f09ef931e

SHA256
a97143b315d7b085cf34efa70eed527c958838e1413c2d36700cb77317539f2b

SHA512
1ab5e9f662f1a3a9632e72222c6e400d345aac4030ef6d00642068eca92d7ad0208ba3084e5fc7d5aa345d671da4e089c7a6c7e3574550605064f2a88626a788

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
243KB

MD5
21c07987597eb8d6bca3a10934e86478

SHA1
622156b5bb9f8aae4af56941ceee1385c19c0070

SHA256
d302136d6421b37a7c443c6d399f125c63359096b7c9cb3291c490bd264497ce

SHA512
4364fcf24c1cca5003f7acaf4a61927eb3dafd1bc8c7fa753eacd77133ffe103db13f477a1d1a77f11c6c85d8127ada19835b84b277abdc83959ee0f33ecae9b

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
243KB

MD5
e4b2b9f767e15e9b6ad7d79aa0367304

SHA1
b5405ccba8e45718d554ca0c33e0f0da50a6825f

SHA256
c2e1b1e1debe883af9d1b2d5bea1d1ac7a4dad6f578bc75e29318a3ef7e1030a

SHA512
173d60f4bc342807007ca052d4657d6ef85485980220db25945a601175221d3a5bf63ed22eac8e8523186f7ee29627bdf39fda4101702d7c32f79d325e4f469a

Download Submit
C:\Windows\SysWOW64\Mgaokl32.exe

Filesize
243KB

MD5
25f3359d6c592775497dc7f7bd9d30f8

SHA1
8553f0700fc2eb681e303043f283e13e32353650

SHA256
fa70ba38d63a3c7301676d2ad758f4a89334872cae8e6b6bcf6dad958766b09f

SHA512
d459ec98e88debae3fc6a01ac6c83efe66d6e0bf390c927fdf5d2b6f891d1c374a9c08c0e26b05051e8addead033a6bcff58e4013d7009fa201e7d666fd337d5

Download Submit
C:\Windows\SysWOW64\Mgclpkac.exe

Filesize
243KB

MD5
40dbffdf34d19899ef655e4c2ca39325

SHA1
46f0611bc97f81704af6c6a7fdaae1a440640fc4

SHA256
6fd0a6c69eba06a9f395178de0a3c775b12485c3ecedf3ccff0610b795d17b88

SHA512
bd628dd6c45992b738866c3f4ee3773bf0803f7e96f909e292c0e4c3f1376d71ac90e518b1177bb5ea34d0e7c0cdb58ffcd7e65970e220872f90b13fa4a63a4d

Download Submit
C:\Windows\SysWOW64\Mjahlgpf.exe

Filesize
243KB

MD5
80096b9f4b7442fa348c10710347f636

SHA1
da26c3e2f82864fbb7cbfef6bbca03762d37f1fe

SHA256
df5f0850e2a245429e040eff7004240790ac976b7fa8bbf4bcc87cf23e750ea3

SHA512
b162e08635e67d94dccaf651c78f90de61bb7e6e28b877be7262a429e3c3edebc0149af69fa13d4bef6f0000533cb1cd3e61983080b1ef478f95e4384c301554

Download Submit
C:\Windows\SysWOW64\Mkadfj32.exe

Filesize
243KB

MD5
ff65742729ee580c56821d9545dac683

SHA1
cb7947b43d97a4552bb542174a975a2fc89e9070

SHA256
0253f68c0f43092b31e13515073e42aa3c2151e2977e2c4b24b35d06584c3e52

SHA512
c86a9c9ea5a306b27ba21814dc638d5a9c09cd48b07a5f47ec997705156e88efec9f432b2c8c085ec5e737522073d536994cc27df981063fed093f48548a76d8

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
243KB

MD5
48c8feaf51a0a12e77c66b8f5f4a7771

SHA1
b8a84fa85b0b501541b0e3561f0ac2f81b9e99c9

SHA256
575da12be2b2182b021a0a5d37c73b4058fea5e5f859692b438a5ed5a3af71e7

SHA512
0e5c54cea02c6fae528756628e864228c5fced878b672fe55f59faf675f5acd0c34a48796c172935d7ee65679a046041201b7b028e1661e6a288be5248c43f83

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
243KB

MD5
c4f886765549a406149bbe0ed5fed5db

SHA1
a73ab7002d46291bad00261da1ae20b41bfb40f6

SHA256
040d8b9a5b85584474e5afcbdb196fab5cc338a6a444e9b62d1871f6da021296

SHA512
94c7e30c819115f11f58a7c259e6d6e40e003a0beb7a8e84af14f6e668b3aa88da9c6f522ca1545ea1d8261951d69bcf81292e14ba19d1f0a6c0b779718a69dd

Download Submit
C:\Windows\SysWOW64\Najmjokc.exe

Filesize
243KB

MD5
bc90679cb46d7c57fd03dd972659b860

SHA1
dd7939c3162232f7e33e4f11c23a185c91268a07

SHA256
1b6b1c3033eee6fc58d5c9f83425bb749adc51c120d758fa07f8093662ad1b33

SHA512
b092301969fb85c65c5e5ac73de5ae21c342796a6639c6f2aca06da6d7a65898086e352851c11a5656f8eebde9ebd56cabc493fad6f13618188ffa4fb0de5778

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
243KB

MD5
f8dd1a224e3753ecf3a56ca0dbd99f6b

SHA1
35b3e43a8f070d3c22f05701549b2ff695465ba3

SHA256
93676efb08856a15b27c655fb86cda2a6b9d192a4bebab5686c3c2c3fb31bcda

SHA512
8cb20d8760039fa4620346e1e3ba58b46acb8ae7b0cf6e01b2907e5a71b679ea9dc7f9f48627a87a03fb8c6460988d1f195b1115aedc5e282489f912996051b0

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
243KB

MD5
1cd0cd65c8949a27eecc1e65413dbac4

SHA1
e1b8858881459875ccbce7030d6c95c327f19350

SHA256
8b19890caacbd923f2bc5507b9fd2780190c2490209509e7dabae2dd753b3c3b

SHA512
18c5699c48551dcf3489a0c54b8a04bae9316813e18b249f1782767fb4edd203100ccc7594f55b33267435baa612c4806e465b2d4697308414736c2caf926b11

Download Submit
C:\Windows\SysWOW64\Nelfeo32.exe

Filesize
243KB

MD5
facefe748c76d780950b50f198087297

SHA1
e95a7cc1c4787d28aadb3f1989d7d1ad4de7fa03

SHA256
91ae667a5cf69080fd618d560f300b01df05af81549e4f8a973657026bb9855f

SHA512
340521c5e7c800dac1b558e458388f25ea19a7e82f4f0a8399e63067ae0b27d844a61554c14f1f4b7d905bd8e9a7ce00f1e1b05985f4ea7de8294dcf6a67eb01

Download Submit
C:\Windows\SysWOW64\Nenbjo32.exe

Filesize
243KB

MD5
48c12629cf37a3f7306bb4a9a0b978c3

SHA1
c203a35f0e492a3e71436beefda14418fcf73122

SHA256
9c9e66a0488320bbec569906d99a0ebc68a729f5b6b906f048c3a710008657e4

SHA512
371acae15cdf2f4f4b8e965e80341673711f6d08aca31f4d520cd902f50fca38eb9057ebd3e9ee8fe330d8c688c861986d0a3c28f5655a7a2f2799b36a0dee87

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
243KB

MD5
b24def36f28458802cef6ae6e1769cc0

SHA1
ad5808c530e30c583be328d06c4fdc1d9788f8ce

SHA256
20518b496a995bd2a7beffecfbc6d1f5c25cbf8f89bc2534103befd12e429525

SHA512
c44fa8efe9fb572e3d41bb1c58413be88ee29895bf1c624789e71026f3a3f4cef76fc5005650f49657279bac6294122480130c63116911aa25e8e398303b3331

Download Submit
C:\Windows\SysWOW64\Nhokljge.exe

Filesize
243KB

MD5
3ece4809d5b002ca7198605e4e1db781

SHA1
60070c5c1ce28358d43349cc99127ce66a67cc77

SHA256
0d6ed769ad15c65fb473671b5510bcbefd9b6b0648806fcfc264aad330642fb0

SHA512
ffac025a5ae91382d60cf9f3f6cbb0dfa898154fb7bb3ae32261d6ace9a7b2e63941b641ea6d17c86c5182fb7fb808b84bc16a9063b722c1ece4169bc54b17f9

Download Submit
C:\Windows\SysWOW64\Nlcalieg.exe

Filesize
243KB

MD5
37c39deb03eb633821a78e0d532a49eb

SHA1
0534c9f6b957790ee89f43304d0d628dd9abc911

SHA256
09ae8df84b7b3a4daa01f14a2470065876a7eb36f9351056199dd0c6acc428bc

SHA512
5335f62007cc223cb5e826c41917049572a0fe5e57dacdd8956e5ee641565da35a4fbe465fbee8f0408814a6f638a19aba8992297ce72021f763812825ab3745

Download Submit
C:\Windows\SysWOW64\Nlmdbh32.exe

Filesize
243KB

MD5
1c127cc5837678420086bd973a8df5a1

SHA1
45bfe43c7b22783ecadd0aea205b0c988f0d5d62

SHA256
394394d78b4c67e933d0f4d33aca39feec9b576bfc21a995c05ee24a0fcc8084

SHA512
e850b9c22d073eba27a5c503597c07252230762e71f77582ab55cd611e07bb4ce2486077881e85069350c14127e57c4b4a6fe11ad57d824bc973a2491700c4dc

Download Submit
C:\Windows\SysWOW64\Nmigoagp.exe

Filesize
243KB

MD5
05d195451b9642f895b97d01d3ecd0e2

SHA1
173602f996494e825b415eadf7498a2aed7ff616

SHA256
534a964a139dc4c09fb5ba5b7120cc55073ddc16ced3d9ea17a78aec97da5fa8

SHA512
6db74614f1cc3a82de8f49b78c1f30e391cfadcc255f180b1b8efab27c93f983f754c1dfeb784cf041a60589e286f14461547acab3908c58323685128034f614

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
243KB

MD5
28e50634de099717d331f9bbdd858263

SHA1
3df6f6b45efecb0448b4071a2fc17e903532fa27

SHA256
256e8f41d286d64268416f0f5c6da6be87d0402956af3831ff926f5e3392ebca

SHA512
73c899c48f10c9e8845792ee0d82e900f9d89fce602d422b89075c66ac129c8b0a43a98cff1823ab69e5f008307f79e8a74fe8fc5f1492b3ab37bf81fc7f2cec

Download Submit
C:\Windows\SysWOW64\Nmlddqem.exe

Filesize
243KB

MD5
c91b35bc94d509860801faeb490ef1ef

SHA1
216cec26c4e2bcc3c911560809e7fb30774ed5b5

SHA256
20c5f2dfbd3b1feb4ad8fb6ceff7c27f8546e357cdb40f2a6c41e7acb40beef0

SHA512
0bac15e0ff04b1c6c0cfb8e6e55a07df7251247efd4879010754888343f46fb3ea817eab4b9da2046992601714e2784418d21f587af55c21f937cacb99f225a8

Download Submit
C:\Windows\SysWOW64\Nndjndbh.exe

Filesize
243KB

MD5
e1641412fafbbd843c601e50b1b166d4

SHA1
d734446b79390ffee15a4684b7de0f21d76055e6

SHA256
919a32b210a8e8f2fb4680d68b2523100063a1167785c19f27831bc1a7849646

SHA512
e1cb30b7835e6b675717eb952bf3abb5cd811f5ac449400e236222aa82fd7bf62df156a9ec7545ab78849f84b2b5068a82c53f07997967c6a18851bded56185f

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
64KB

MD5
5859fe2fcd382130b21547b9999e8c43

SHA1
ea89c654719545d4fac59a682a5b375774d67d7f

SHA256
290a78de89e624fa61d05ad33f36c0ea7f1943296cbc4aeda995b23baafb5cf4

SHA512
79de999e22d81c0672f8aec044b42791692a75744d17d6173e88d0d58b4ebc71393cdadf3e78c58f12410d72f1bee876a565bd0847c48b8155f80355e1c62f98

Download Submit
C:\Windows\SysWOW64\Oacoqnci.exe

Filesize
243KB

MD5
c7c1994a6377ed20b3547445fb1603a8

SHA1
0d13904d2bd59f936957aff6b74332f5eec908d3

SHA256
7492e2273e037c59f4268529107e6ee777defe2dd5ea953707cc4e58f2d3fd63

SHA512
56e2260d03cb3fff78507d6052e721f7c32904ad5a85493743959f2b6c437ca2b719f04ea4f824eb99e7ce741bd26086d65902fe37f713f991bbd7274cd8a61f

Download Submit
C:\Windows\SysWOW64\Oalipoiq.exe

Filesize
243KB

MD5
7db6c7670e88165dcbfc4ba3e7490738

SHA1
2be5a0b3b5815b7e97089027ada05499f32e2d11

SHA256
5ae4737b1f03befd98f5140a99e08970aaf8f2edbf9719ab7eb1d3a7a32bce9f

SHA512
ba02f10003abcdf7ca726d46bfca0bf3aad12cac95711334ae3f516c1a879eba5fe62938935a8da5f805882a3213ebfba83fcad4bb8104cb89996535f414b2fd

Download Submit
C:\Windows\SysWOW64\Odmbaj32.exe

Filesize
243KB

MD5
002bc161bf315a5f6faf60e93c305d23

SHA1
b830571f76e6822103860b10a74fe69cdb364843

SHA256
753dc63468b3ffb20bf780832be8aba5c66706383c0df9bf1038fecd05de9e50

SHA512
5aa321d99919b4436ace028b50c37cbc73c1c2a95feed4ce777a8f4710e39314b2b40451759732df8313418cb7c3bb5029a883f465a0576af4befb0669015f24

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
243KB

MD5
58a51610b68d3d9af22a2dc11da41db9

SHA1
557188099f927e89e4ca90a45052a71df7c1ffbf

SHA256
848148068204635851d43b433fb8e3e2c36c0115b71d2e98500786c80c04e026

SHA512
7382bdeb6783d2e18592ba8ada39e58f7071ba7ec5deb8ad69ba84c9d399ee774cc74acc63913078517b8269b79ab5b693ef070dd1dfb0ca6214aaffb6abf6f5

Download Submit
C:\Windows\SysWOW64\Ohkkhhmh.exe

Filesize
243KB

MD5
0ca6ba95243384e03211ce29924b0b91

SHA1
0527fd55fc1a3bf727d2b5e09fae716dcdf2e19b

SHA256
f14b0a1c6b1f2f8e830b19b8fba57cbd0369c38f6fbc2d41e564f3e23306fa45

SHA512
85ae66229723f3485ace1bff76daf38600e5aa7eb73c06f679b21ae1857f4bef0b32314c52ddc2251981eaaba7bdf8f6d982a538db76279d9623b3479566e170

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
243KB

MD5
36b89ced2e97e0f6b7524eeda59e0038

SHA1
8df6fa084c22bbb040c5eddbc76b37561987b648

SHA256
202d269aa3942cd5f49ca86ac97d2c65b0f08aa4ed2d29e4196d4989a678275f

SHA512
94b62089f58080cd8d14c2335256b168bf6eae4c0376af3b7e07ad6b24f5e7308c1dc559b689993e67c692c7b731b0f2d0d59f22e027b1150a331621c4ddc805

Download Submit
C:\Windows\SysWOW64\Olicnfco.exe

Filesize
243KB

MD5
32323316728c400c5740aedaca9f131f

SHA1
ef28977ea3db897f4cc4fb02dd2c74d95d7e3e09

SHA256
2cfdc0f07e1cdb5b3b2105d955acb12a5f4e30d85ac72693ff1807b90f3d3200

SHA512
25334311b92a5bd8ae442569584b2c06b74736c6dbb6b9002be711f3146f75e34a48ba0c3e2f17bc7a67735b69ee845772bcc985097fdf3e6c7792f9028d506f

Download Submit
C:\Windows\SysWOW64\Oloahhki.exe

Filesize
243KB

MD5
32e9d97ae2dce3e80022d47b6fe6ae2e

SHA1
32d7515978ddf391febc945b6084ba8b32020ad2

SHA256
7c76dc149581fb57c1c5be9e8f68d566b94852ca88e1a7ed63d784d548a3f860

SHA512
486d936f36a109a2bdb5353f2ffb5bb56bfdb716ac863b9818a1f21b810f64c88c85885768f03f0d90816d0b58f47cf47c3c07152391e366d58227b1315e67bf

Download Submit
C:\Windows\SysWOW64\Omcjep32.exe

Filesize
243KB

MD5
e678f0e2db24d7182aed7f9f468fd892

SHA1
eb8810c0b58e3ae67e8bd6e41c90c6e94618744e

SHA256
43596bde78b1af52ef97d43d48a57cf4a89441f6449ae2cb56ee6054d7e0cd6d

SHA512
c4d860a342334c025d31b37382e11204bb0918c36e5bbd92d27862c09b6f9c40f6af48b2d34abe482a69b65ffac364c18549420f85b1aaa30c1625a2611877a6

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
243KB

MD5
b5eb941718f864818319779e32141f82

SHA1
295eb16a4260d8866817af45160625de75697ce5

SHA256
61a556a1915097f070df55a52bdfb084d6b6c8da4bde56e22ed43b32c8434598

SHA512
c6f9695b71f051d1a622674adec00a7a5ea0bd521e6836e38e6b670c9b7c8dbd161ca84a0274a6ce48a4d44084baf9f3076c4dbf74a39b66e52e302968a3db1a

Download Submit
C:\Windows\SysWOW64\Oobfob32.exe

Filesize
243KB

MD5
6b4583ecd0c3cb07976094e2689be43e

SHA1
e0c60153fcf6c7f7977388b0761cf512daa2a7ee

SHA256
56a71cbcf6b58a03b88352125a9ee69e73015a5a7904edfd0a0d8c469efc5f73

SHA512
32b983694f7156bf230b3f70feeeb682b1787d834a7597f5c580077c24ac1965d2548ffee2f3926d215d54b0ce1725ac2005b484385c9c6b3b5035eed1929ed2

Download Submit
C:\Windows\SysWOW64\Palbgl32.exe

Filesize
243KB

MD5
4fbc55b6771cdd9e4092ff8fbf98fff6

SHA1
e3845a7dd6d39690a43123c1870e2c73688a8fc2

SHA256
177647b4380dc2f6581d1e9c42b7cc23253313cd1633f38541c95995d0dfa97a

SHA512
ce1b0b1f2a308aac1ecad26abe38df08b70305b6dbc032ec3443228ed2ed867af3d6263f2ffbb7684a67494d4bc99534114535b97a716bf3b7de5511509fdf0f

Download Submit
C:\Windows\SysWOW64\Pddhbipj.exe

Filesize
243KB

MD5
608e56a509b94676ef7b5edd594fece0

SHA1
0e5c7d4491b20705b53cd886696505a2effba62b

SHA256
94d440d55cbb431f940c1256acecb26eed1fc2ec0c2448dae02b1c02dadbafe4

SHA512
d786b3d56b23a401fbfdca320c14bbd91623fe439c460aa6f25d82b454e55ad64cdafa2da54cb075a989a7c4ccb4b5419cc127ce285e64f3793138a78ca02b61

Download Submit
C:\Windows\SysWOW64\Peahgl32.exe

Filesize
243KB

MD5
ef89c38cd00a4a39ebb81f3168ba396a

SHA1
15c7781c469380ced50abb39d5209e3fa2bed766

SHA256
59d140ceac259466ba294031b963b83b2e46fc6ace9c33814bd4a933d25baec5

SHA512
34739361a0e1fa3f037dc5cbb584979a1e210d7c0d31630aa02c4e7d99cdbc91b9178ea5777924e9d451444bc8e68ab37eecfe39388247cea760cc9ae4de0f2f

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
243KB

MD5
52df16e3ef8d059a3212a468c5ac053a

SHA1
f019c7c48e03d65af973a310f5a940bbaa27c911

SHA256
880dfc280db547d3c59ede2b5ef17246e53cc4d49c23dbebc9216a02ef6b93ec

SHA512
8095bb3ba812920e0d47ac0d0ab886709920af81bb60774e198d568b60d7a667c73993cf7f41db598963ea22a7485bb333318bdec64adf337c6939425ff49442

Download Submit
C:\Windows\SysWOW64\Phaahggp.exe

Filesize
243KB

MD5
96a3fb23dbedeffd523100cdda0b773a

SHA1
0662fb2d379d86b4da3c50ca70f26bac54fc9cc2

SHA256
6f17bc222ec2a7b205cf30a818d68e57712ab0facbf074e8c86f8ffc53096e42

SHA512
2744bbd4cdb8d40035271071280f70277c3de8fa6cdb2f89097605609b439d3483a6b12fd9c2917de8b0bbaad180fbb7b51fcc66592cb9976516b6550764cc18

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
243KB

MD5
32904f549d0550db066e48c923814513

SHA1
def76a7ad61d156b9a151ee4695f94e42a582f76

SHA256
17ce0463992b563c84d7061787ed73ff71ffbeac10f3e68145b76919e95cca95

SHA512
347b67b2863f24b9b58f582a532f499dd85aea576121b5dc7326dd0e53bab57ab49f766525ad4511a154c81026193adca0714c84df3a11962836f3e3ac522eb0

Download Submit
C:\Windows\SysWOW64\Plpjoe32.exe

Filesize
243KB

MD5
fd279671b2c0e3422b6e7855dad66694

SHA1
8f27d57fe7954ddca7f1f0d812aa4e6e46a4abeb

SHA256
59f84e8420d8867cdfa63426c60409c588de5825a973f55d4812ba39785f2480

SHA512
b9e32005d396a4b64ea0c26f90e412cdbcb30709bba62361752d2963bc4f54cb7f6d535d89db9443d31cce35f1d3fa265f026a404d930ef9acd782bdb6a545cb

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
243KB

MD5
463ae62d56a2afeacb1eaa5532e64345

SHA1
06450528d169326434535ac762ea861c9222460c

SHA256
809d0a8d6a001dce2f981a1b657989ff78d4b6cc22102b8b73e169b9cb2dccd9

SHA512
b683298e8ef76a2dd5e1c19e30e279008684367c5b8551ee283eea00678c53a8805e9662914deab7727ce1ece48cdd66791edb66ed4d30c13b58231611773306

Download Submit
C:\Windows\SysWOW64\Poliea32.exe

Filesize
243KB

MD5
0f56d673d91bb27417299b01d5d27e0d

SHA1
744468c23fe56488d8c714285a0360581f3d522d

SHA256
e11d39784ad34c1f013662f8abb91c1f15fe95b59f054222420895320cef8133

SHA512
09406381748173dcb262ded5cd6c3dde0b0395889b5404e767603ed362da696f6f71ea688c813f185b88bdf4a22b1d9b09cfd4c049b036d4a92a8ba6fd759bb3

Download Submit
C:\Windows\SysWOW64\Ponfka32.exe

Filesize
243KB

MD5
248e432e34b112befe66c51651785edc

SHA1
a67c0d7bdfdfe574f1866320da9bca2cf591374e

SHA256
8fdd46b0d4a1e45d1d145d83796e3bc2c861d7716ec99c8becf4e8055b80b833

SHA512
f71155fefb53d4804c896418ddc206d60a4f2b8b035ef099502388a58fabed615eacf4edb8a9328de9e4a070a0037c0549c9bed6d9ee07dd0cfce57473444be7

Download Submit
C:\Windows\SysWOW64\Qhmqdemc.exe

Filesize
243KB

MD5
c5d8a1297492fd8c804b8d7d54bd2fc1

SHA1
f14e91b992241f647576d981a77615e124312d22

SHA256
baa1b5423b00ce29d68cf378542446adb1eff40c96007f44160f56237dabf816

SHA512
9b04803c5f68a5508f6dd6fbc7595f24c0e1118f39b88a870ed2a0f331bd3425b8fba5b212f2f0806b0ac423be8a2b97a8fefd11e6c2b268cb5a9642320161df

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
243KB

MD5
057c73eb8ce9fd71b5408b6588568be7

SHA1
1e1a20cf23b29acee2322ba4e536de56312079af

SHA256
71b759880dfe467fe38b2d40fe28d385010daa215ad3c627e919a60947578da4

SHA512
940aa83fcd4dff048ab2f7f2fcef854066ebcf442a91708783254d6e5d5d37dc737bcb340d88be331a9ab8225eeb88a28c754d8e01961bf206e721f982e2fbc2

Download Submit
memory/216-302-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/396-425-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/440-628-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/440-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/456-153-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/516-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1040-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1076-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1080-89-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1080-610-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1284-589-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1284-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1296-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1296-531-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1296-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1488-192-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-331-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1836-185-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1984-402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2044-378-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2152-225-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2244-261-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2316-577-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2316-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2364-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2452-209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2476-145-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2552-284-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2580-177-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2600-413-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-578-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2760-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2784-2426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2784-273-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2820-137-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3056-2380-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3060-591-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3092-168-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3224-2395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3284-372-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3328-320-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3584-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3604-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3604-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3820-201-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4016-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4016-619-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4020-292-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4020-2420-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4296-337-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4300-390-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4360-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4376-355-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4512-217-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4584-597-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4584-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4604-312-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4628-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4628-564-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4684-41-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4684-571-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4752-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4784-121-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-626-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4880-296-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4896-272-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4928-314-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4960-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4960-605-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4992-557-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4992-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5008-252-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5028-366-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5100-546-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5100-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5180-441-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5216-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5228-590-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5260-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5300-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5348-465-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5372-598-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5384-470-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5428-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5472-478-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5504-2316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-489-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5552-2352-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5592-495-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5640-505-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5676-507-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5720-514-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5760-519-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5772-629-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5804-525-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5848-532-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5892-538-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5936-550-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6020-558-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6064-2254-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6068-565-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6068-2326-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6180-2125-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6224-2110-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6232-2243-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6332-2124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6544-2229-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6564-2128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7212-1990-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7280-2053-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7492-1993-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7692-2020-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7724-2042-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7884-1992-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7900-2072-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7948-2070-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/8556-1934-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/8608-1977-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/8676-1953-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9080-1964-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9120-1963-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9176-1936-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads