3a1a397929d4d0354ae14339056a486994f352e42a8b93259a9c6f5a94773ed3

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe
Size

77KB
MD5

5fa082ee44bc371074689dd74aed20a0
SHA1

3e8ecc4e155ebc75d3a275ec94af4a0fa7a30dfd
SHA256

3a1a397929d4d0354ae14339056a486994f352e42a8b93259a9c6f5a94773ed3
SHA512

9c8ae43299a2a29603833d7e7b5bf927eaccaed1a6746da34a761d767b1b325e957eb2d5221f70f8ed7a1faff46073069f24b7a89415327589fbf36893322caf
SSDEEP

768:RoDRQq6L096vLz9zZQZZy7zveScOPxCyfFcS6u2p/1H5pVWXdnh2F4g85+0ii3br:R9ff3zQvy77txrdcfu2LtUwfi+TjRC/D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doeiljfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddojq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckedalaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogmkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkidenlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogmkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnjjpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgmpogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doeiljfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Demecd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe

Executes dropped EXE 64 IoCs

pid	Process
2864	Balfaiil.exe
2632	Bhfonc32.exe
1468	Bjdkjo32.exe
2964	Bejogg32.exe
1256	Bhikcb32.exe
624	Bldgdago.exe
4784	Bbnpqk32.exe
3640	Bhkhibmc.exe
3180	Bkidenlg.exe
3176	Cacmah32.exe
4476	Cdainc32.exe
5020	Cliaoq32.exe
3572	Cogmkl32.exe
4000	Ceaehfjj.exe
2824	Chpada32.exe
2444	Cknnpm32.exe
3696	Cbefaj32.exe
4552	Cecbmf32.exe
2552	Clnjjpod.exe
3960	Cbgbgj32.exe
1284	Cefoce32.exe
1628	Chdkoa32.exe
4388	Conclk32.exe
4896	Cehkhecb.exe
4280	Ckedalaj.exe
3228	Doqpak32.exe
860	Ddmhja32.exe
3528	Dkgqfl32.exe
2120	Dboigi32.exe
1732	Demecd32.exe
3240	Dhkapp32.exe
4568	Dlgmpogj.exe
3224	Doeiljfn.exe
1436	Dadeieea.exe
2988	Ddbbeade.exe
4844	Dhnnep32.exe
2624	Dohfbj32.exe
1772	Dddojq32.exe
2960	Dllfkn32.exe
3340	Dojcgi32.exe
5052	Dahode32.exe
2424	Dhbgqohi.exe
3288	Dlncan32.exe
4212	Echknh32.exe
2040	Eaklidoi.exe
2640	Ehedfo32.exe
4948	Elppfmoo.exe
3048	Ecjhcg32.exe
2252	Eamhodmf.exe
3556	Ehgqln32.exe
5016	Elbmlmml.exe
5116	Ecmeig32.exe
632	Ehimanbq.exe
408	Eocenh32.exe
5032	Eabbjc32.exe
4632	Ehljfnpn.exe
4584	Ekjfcipa.exe
3924	Eepjpb32.exe
4752	Ehnglm32.exe
3344	Fkmchi32.exe
2240	Fafkecel.exe
4564	Fhqcam32.exe
4984	Fojlngce.exe
2952	Ffddka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbpgbo32.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Balfaiil.exe	5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hcbpab32.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Hioiji32.exe	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ffimfqgm.exe	Fbnafb32.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ddmhja32.exe	Doqpak32.exe
File opened for modification	C:\Windows\SysWOW64\Helfik32.exe	Hfifmnij.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Fobdihjo.dll	Ckedalaj.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Clnjjpod.exe	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Gjihje32.dll	Dhbgqohi.exe
File created	C:\Windows\SysWOW64\Mgdjapoo.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Eocenh32.exe	Ehimanbq.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Kbfbkj32.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Dnqmalhn.dll	Doqpak32.exe
File created	C:\Windows\SysWOW64\Elbmlmml.exe	Ehgqln32.exe
File opened for modification	C:\Windows\SysWOW64\Gcfqfc32.exe	Gkoiefmj.exe
File created	C:\Windows\SysWOW64\Ooajidfn.dll	Jeaikh32.exe
File opened for modification	C:\Windows\SysWOW64\Iiaephpc.exe	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Cecbmf32.exe	Cbefaj32.exe
File created	C:\Windows\SysWOW64\Nngndc32.dll	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Dbfmkjoa.dll	Gfgjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Bbnpqk32.exe	Bldgdago.exe
File created	C:\Windows\SysWOW64\Imhkcaln.dll	Hfifmnij.exe
File opened for modification	C:\Windows\SysWOW64\Heapdjlp.exe	Hfnphn32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Cajolcjk.dll	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Inpocg32.dll	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhikcb32.exe	Bejogg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkgqfl32.exe	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Eelcja32.dll	Ehgqln32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Gkoiefmj.exe	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	Ffddka32.exe
File created	C:\Windows\SysWOW64\Ainpbi32.dll	Gicinj32.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nngokoej.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8524	9160	WerFault.exe	414

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjfkopm.dll"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnipd32.dll"	Dddojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbmpm32.dll"	Ecmeig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll"	Fhqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhindhb.dll"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll"	Dllfkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhikcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncfnnbj.dll"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mpjlklok.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 2864	3788	5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe	82
PID 3788 wrote to memory of 2864	3788	5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe	82
PID 3788 wrote to memory of 2864	3788	5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe	82
PID 2864 wrote to memory of 2632	2864	Balfaiil.exe	83
PID 2864 wrote to memory of 2632	2864	Balfaiil.exe	83
PID 2864 wrote to memory of 2632	2864	Balfaiil.exe	83
PID 2632 wrote to memory of 1468	2632	Bhfonc32.exe	84
PID 2632 wrote to memory of 1468	2632	Bhfonc32.exe	84
PID 2632 wrote to memory of 1468	2632	Bhfonc32.exe	84
PID 1468 wrote to memory of 2964	1468	Bjdkjo32.exe	85
PID 1468 wrote to memory of 2964	1468	Bjdkjo32.exe	85
PID 1468 wrote to memory of 2964	1468	Bjdkjo32.exe	85
PID 2964 wrote to memory of 1256	2964	Bejogg32.exe	86
PID 2964 wrote to memory of 1256	2964	Bejogg32.exe	86
PID 2964 wrote to memory of 1256	2964	Bejogg32.exe	86
PID 1256 wrote to memory of 624	1256	Bhikcb32.exe	87
PID 1256 wrote to memory of 624	1256	Bhikcb32.exe	87
PID 1256 wrote to memory of 624	1256	Bhikcb32.exe	87
PID 624 wrote to memory of 4784	624	Bldgdago.exe	88
PID 624 wrote to memory of 4784	624	Bldgdago.exe	88
PID 624 wrote to memory of 4784	624	Bldgdago.exe	88
PID 4784 wrote to memory of 3640	4784	Bbnpqk32.exe	89
PID 4784 wrote to memory of 3640	4784	Bbnpqk32.exe	89
PID 4784 wrote to memory of 3640	4784	Bbnpqk32.exe	89
PID 3640 wrote to memory of 3180	3640	Bhkhibmc.exe	90
PID 3640 wrote to memory of 3180	3640	Bhkhibmc.exe	90
PID 3640 wrote to memory of 3180	3640	Bhkhibmc.exe	90
PID 3180 wrote to memory of 3176	3180	Bkidenlg.exe	91
PID 3180 wrote to memory of 3176	3180	Bkidenlg.exe	91
PID 3180 wrote to memory of 3176	3180	Bkidenlg.exe	91
PID 3176 wrote to memory of 4476	3176	Cacmah32.exe	92
PID 3176 wrote to memory of 4476	3176	Cacmah32.exe	92
PID 3176 wrote to memory of 4476	3176	Cacmah32.exe	92
PID 4476 wrote to memory of 5020	4476	Cdainc32.exe	93
PID 4476 wrote to memory of 5020	4476	Cdainc32.exe	93
PID 4476 wrote to memory of 5020	4476	Cdainc32.exe	93
PID 5020 wrote to memory of 3572	5020	Cliaoq32.exe	94
PID 5020 wrote to memory of 3572	5020	Cliaoq32.exe	94
PID 5020 wrote to memory of 3572	5020	Cliaoq32.exe	94
PID 3572 wrote to memory of 4000	3572	Cogmkl32.exe	95
PID 3572 wrote to memory of 4000	3572	Cogmkl32.exe	95
PID 3572 wrote to memory of 4000	3572	Cogmkl32.exe	95
PID 4000 wrote to memory of 2824	4000	Ceaehfjj.exe	96
PID 4000 wrote to memory of 2824	4000	Ceaehfjj.exe	96
PID 4000 wrote to memory of 2824	4000	Ceaehfjj.exe	96
PID 2824 wrote to memory of 2444	2824	Chpada32.exe	97
PID 2824 wrote to memory of 2444	2824	Chpada32.exe	97
PID 2824 wrote to memory of 2444	2824	Chpada32.exe	97
PID 2444 wrote to memory of 3696	2444	Cknnpm32.exe	98
PID 2444 wrote to memory of 3696	2444	Cknnpm32.exe	98
PID 2444 wrote to memory of 3696	2444	Cknnpm32.exe	98
PID 3696 wrote to memory of 4552	3696	Cbefaj32.exe	100
PID 3696 wrote to memory of 4552	3696	Cbefaj32.exe	100
PID 3696 wrote to memory of 4552	3696	Cbefaj32.exe	100
PID 4552 wrote to memory of 2552	4552	Cecbmf32.exe	101
PID 4552 wrote to memory of 2552	4552	Cecbmf32.exe	101
PID 4552 wrote to memory of 2552	4552	Cecbmf32.exe	101
PID 2552 wrote to memory of 3960	2552	Clnjjpod.exe	102
PID 2552 wrote to memory of 3960	2552	Clnjjpod.exe	102
PID 2552 wrote to memory of 3960	2552	Clnjjpod.exe	102
PID 3960 wrote to memory of 1284	3960	Cbgbgj32.exe	104
PID 3960 wrote to memory of 1284	3960	Cbgbgj32.exe	104
PID 3960 wrote to memory of 1284	3960	Cbgbgj32.exe	104
PID 1284 wrote to memory of 1628	1284	Cefoce32.exe	105

C:\Users\Admin\AppData\Local\Temp\5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5fa082ee44bc371074689dd74aed20a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\Balfaiil.exe
  C:\Windows\system32\Balfaiil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\Bhfonc32.exe
    C:\Windows\system32\Bhfonc32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\Bjdkjo32.exe
      C:\Windows\system32\Bjdkjo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        23⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        24⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        25⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        29⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        30⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        32⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        35⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        36⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        37⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        38⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        41⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        42⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        45⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        46⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        47⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        49⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        50⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        52⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        56⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        57⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        59⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        60⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        61⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        62⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        66⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        67⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        69⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        71⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        72⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        73⤵
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        74⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        75⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        76⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        77⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        78⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        79⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        80⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        81⤵
        
        PID:528
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        82⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        83⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        84⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        85⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        87⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1336
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        91⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        92⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        94⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        95⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        96⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        97⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        98⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        99⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        101⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        102⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        103⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        104⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        107⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        110⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        111⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        112⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        113⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        114⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        115⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        116⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        117⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        118⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        120⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        121⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        122⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        123⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        124⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        125⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        126⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        127⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        128⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        129⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        130⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        131⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        134⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        135⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        136⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        137⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        139⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        140⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        141⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        142⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        144⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        145⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        147⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        148⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        150⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        151⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        153⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        154⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        155⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        156⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        157⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        158⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        159⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        160⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        161⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        163⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        164⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        166⤵
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        168⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        169⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        170⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        171⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        172⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        174⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        176⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        177⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        179⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        180⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        181⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        182⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        183⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        184⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        185⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        187⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        188⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        189⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        190⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        191⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        192⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        194⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        195⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        197⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        199⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        200⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        201⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        202⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        203⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        204⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        205⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        206⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        207⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7024
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        209⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        210⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        211⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        212⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        214⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7468
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        217⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        218⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        219⤵
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7644
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        221⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        222⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        223⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        224⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7860
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        226⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        227⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7988
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        229⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        230⤵
        Drops file in System32 directory
        
        PID:8072
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        232⤵
        Modifies registry class
        
        PID:8156
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        233⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        235⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7336
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        237⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        238⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        240⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        243⤵
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        244⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        245⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        246⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        247⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        248⤵
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        249⤵
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        250⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        251⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        252⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        253⤵
        Drops file in System32 directory
        
        PID:7444
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        254⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        255⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        256⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        257⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        258⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        259⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        260⤵
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        261⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        262⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        264⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        265⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        267⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        268⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        269⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        270⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        271⤵
        Drops file in System32 directory
        
        PID:7392
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        272⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        273⤵
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        274⤵
        Drops file in System32 directory
        
        PID:7680
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        275⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        276⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        277⤵
        Drops file in System32 directory
        
        PID:8208
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        278⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        279⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        280⤵
        Modifies registry class
        
        PID:8336
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        281⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        282⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        283⤵
        Modifies registry class
        
        PID:8464
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        284⤵
        Modifies registry class
        
        PID:8508
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        285⤵
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8592
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        287⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8676
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        289⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        290⤵
        Modifies registry class
        
        PID:8756
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8796
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        292⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        293⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        294⤵
        Modifies registry class
        
        PID:8928
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        295⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9012
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        297⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9096
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        299⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        300⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        301⤵
        Modifies registry class
        
        PID:8196
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8276
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        303⤵
        Modifies registry class
        
        PID:8348
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8412
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        305⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        306⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        307⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8712
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        309⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8848
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        311⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        312⤵
        Modifies registry class
        
        PID:8988
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        313⤵
        Modifies registry class
        
        PID:9048
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        314⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        315⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        316⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8376
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        318⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        319⤵
        Drops file in System32 directory
        
        PID:8684
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8832
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        321⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        323⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9160 -s 396
        324⤵
        Program crash
        
        PID:8524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9160 -ip 9160
1⤵
PID:8304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
77KB

MD5
c96736d8366860387ec82550c97b3ac8

SHA1
d0dd6e08c76fdaa9f0708885565652654953dd5b

SHA256
ce60c8a1658aed9b814b9516c640040fdb394a303fc10c6b77db77a75db4333f

SHA512
29f0e1ce36e163a1e907a38bb1c06cecde5ef418bf35cc322c95922864159874fad1de3e8df3401db90f4ac586d1f921b081f5606f701eed06b268f015564c29

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
77KB

MD5
d45ba6af57483a3506e4d559456fa85a

SHA1
57e2ca80f6f75be2f9523ae4be60a8939e5ffce3

SHA256
b34e9c05236220ba264aea266b888484b985baedde611e76c143c76a66385cb4

SHA512
f0d76d63fe3af23a6e51cced53d8d1c6aad041f877b84ed184d9e4871ad5cf2b1180c7986abee88385455fb2c2d71dd719c1569a567a4b0de60b9cc0be946d41

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
77KB

MD5
d2b693705835b28b5b8502db78e6c30f

SHA1
627e21ff589735349265dd906d272565c5d8a1c4

SHA256
b89c29d596e1784bf23f0be0e1c05723bdae627d5d66c97fc65e64e58f70ed82

SHA512
1c8ef54ee5d28518670dc9ed1cb3436d44e5cb09fc957f3fb6b128c2fd4240b236695a3f238f1d72150b234d6d196221ccbc9cf5fe6789dfd0d7424d4c918b0f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
77KB

MD5
d243bae9c11a332fcf74e6cd0818271a

SHA1
7605eed8eda74d3d0074f29b4965cf71b72efe13

SHA256
e8292341357c414b87db866a4be7b8d880faa43318ed87fe021e4fe00f5d4c5b

SHA512
42529a43a251ca0c90d2d8d94819a8d8a265e5d8c315fc3d853154e3ea26bdd63d856641b6b246657df62674eec8ee8804a2557f138f7f248371e6c816a446d6

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
77KB

MD5
6d38f87417216ede09384ddc6f3dc6e7

SHA1
43c9f5617624712d1e7b9bafb5d9e9a569ee944a

SHA256
3c2ded6f0936a08bed0bd15f62d4a380b2abe0ca55f1142f50e49366d9f0d4fa

SHA512
af623da7fbb7f1a496b9e7fe2f32fdc8ab777692e460816d559ba8cd300893796485264cbefa0c6bd3386c4ef3cf44371f653754aa0e022bb98515899d8f3a3c

Download Submit
C:\Windows\SysWOW64\Bejogg32.exe

Filesize
77KB

MD5
fcd6e122a165f2ac686ac56ccfea8bcd

SHA1
3d5872e66962e469fb1936fac43b406d4be4385b

SHA256
a76e32efea478cc167b27f2c766f077822a46a9241941fbca556a64d7cad324f

SHA512
91ed09d1325189a11e68c8ea30fc73b348728816ad7f909cf1d98804fcd9e1230e1f28613c9232b78f1cf3805ef5e898cfb64957f0a9cb629acc1ed7f867f7ed

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
77KB

MD5
0b11613fc636404a118b5b77fe63300d

SHA1
916223130ba8f584eb479c783aabd311ab00f8e9

SHA256
c8d547a969ab56cc74abb020975ae253e94925df350ba11a37613687ac925f17

SHA512
51b2c9bba023925bda487d51dddec7f7746bbc21b4fed79c1d4287089d712b5f212f2d5896612bdb9b6341b19b913bf5ca8666ac902f5f6630de5b627b02d0da

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
77KB

MD5
c63813640d3adbe1aaa0ac292d92bf8c

SHA1
9faa2cdb25bff4156503774a7b9e03c59ea3c497

SHA256
c24b1a675b9b91442b765075377cf17b94a02ae4dc3168a15d26c9b7e7e39e6a

SHA512
13f812bf659ae0b3d33802f20d634013fbf83d130ae99f8831dedeb7f185af0b48147bc9030d3643d833b603d782d4f95bfb1f602cfbef269d23e264e6e56f0f

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
77KB

MD5
fecfb5499e63fd414163d2e75825913a

SHA1
3fd94e8f1e189c5a6bc981935f7406bcfd31472a

SHA256
9e1f00363f09939938267421cfc72dfebf3373427c50acafc86ffd4eab0cfd5a

SHA512
f2ac85d67545d50cd09f3236bf794a07c4a6e75672126364084a83ed02f4c1d33331b9a06a0e73ee944eb0ae11e99be80c56e188545a3a368327a57c42f1cc68

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
77KB

MD5
251fedae4a6450d30f2b98576efc478c

SHA1
f0755abc11283074d64b7754c66931581c30d0a3

SHA256
44a3e28b846a374443fec1641645363bd233f267c9dcbf8621bd992b10570603

SHA512
9ec7b398a55919222eedbac8c235d6d62cfe848396a826e8a0c1c6dfb94ea6e0baa833845332b89b13a1f96ae69d254c850d245a19f4a188fe497c351722c5fe

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
77KB

MD5
439673fcbb5e51bc3293ed183a000601

SHA1
389028def951cfed6af1954b7021a509b48ad887

SHA256
5fd3040e2f74e6d65b45b37a90a2e79e974276e7e34267bf148c8f530a74bb6d

SHA512
0292e420c34c0c990c181d78b0215ac6ed39cdea83047ace2244832a1c7e8e5db38d7ad7c4b6328f8895199b01dbbf7adf3620f999c295a6d5138527f5a6213d

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
77KB

MD5
70e6b4f2379d4899a3b12d0dbb1f0841

SHA1
32671834d08ceea2fed186154d22d206d92122b7

SHA256
57cf8351d71ce8fe9f6e80c8f0dcc8c65cf78f9d7595a56ff181b2697188da81

SHA512
58469a765318253a37a33b77ee80cda609cc3c90cbef617b2f1e1a5176308e758d38fde09987a5ec56640a7bf6935cb7d9264ea560188065e82d90a8cd5b2b53

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
77KB

MD5
c749aefde86ea30c29bf47db2f0b70e9

SHA1
0f1511adfb694993a20bbd31783e4c910a341057

SHA256
39f3dd205796af98ad52aa64759a4f6bebd7336f14d0f39695ef06166384306c

SHA512
be686ac66dbc67724b53def3f75adc22f49560e03318c4aa7f773908da5ccc9a7d8a35e3a50f9ad4192e91676ff90ed23e4e3104057d280fd8b53f860001f51e

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
77KB

MD5
8bd0370d66e545536bb0b3ddeb506408

SHA1
9de892032117030708cbbed2300f0d9d3318c355

SHA256
c16ea11b89e766625392e43ff6597bf77dd638df8a5574d40327d0fc825dc3e4

SHA512
83125d55efed89ba5c6f9356ea9564e2343dfc9845d62d57db9f95a00e4f58fe361625c46f38fc463c5bebbb1c8e6840e34422c28b6e9dc7455cab012acd8cf8

Download Submit
C:\Windows\SysWOW64\Bkidenlg.exe

Filesize
77KB

MD5
51dd085bf8a11b9c8a4e9e69a66c38d2

SHA1
317e19fff8573dd5614259a06b505945f1c11d12

SHA256
51b537db4b43219a1ce00ba411fb997210cff6d7775cb7d78da5674847ddcee9

SHA512
0c4209bf84f1b11a765c1a8a7d67dd46015c8a6fcc98169a17a41a22b1b4a2ffd830b9c234643a3f0fa8d0b96b9788f2dd79f7b13f8fd6655cb515adae240534

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
77KB

MD5
87dfe4dde24c450fdb2d8f1e8f89e2d0

SHA1
57ba34cb019ceeaa71e63cc61ebaafa04b1cf771

SHA256
e5a8b02f0a9b9292a795673e8dbfed6de444005dd993dc7528008a6b045d5bd6

SHA512
45d2d9c43d4a6b5f5776fdf0d395acce59b6426989035c7f5a26d843d6b788f3107e4996be471b10b8251d37d69a1f16325daa0ce44b2f56d6e00c9a74adf61b

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
77KB

MD5
8fb02871bd3ae783fb186a4f322a20c3

SHA1
98b723b1090f173091bf33b8331f8c627f59139a

SHA256
0c18a243b19f8ccd1386a2f5d5bf47d64e6547244ef5dd7f45a966066958325b

SHA512
b0924397767db8a49129667f31d76f6628fbe3e51a5af4ccdb432c7ca79747ded2f08d727427f64df4e13e4dda85fb2b44039573e5b4e8da7e03d35f6ca59958

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
77KB

MD5
a4ef4901964458065e6baadc4e993ccf

SHA1
9a9e0739483cde9224d0fbffb4d15a75d9c7e953

SHA256
40e2f7ca397fdbe17cc2b2303f1a6e34856d5c3038beb795f9a5cd70f80a49d0

SHA512
a3262e0fd018989623b03641ec96c8e446680b3ce1b1e82528d81289441312258a36299b8f772301488e85a6b9c878df62434128023cae346f5031af861154c4

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
77KB

MD5
2c0da959789f5215a5483003c72984f7

SHA1
abd13d170a13423a6f623c7eb0f4ffae73b2c5cc

SHA256
1ca27c0e590d140d6b3775dc72c96bb45cdb0df24044e26eea209e0854866903

SHA512
00eef116a5d0049e9c064532ce1a79f3700a0091682639621c0cb95d537cff5f67982f9f3062f044b44470439274070ebd6cacabdf7f0a9b0f6cfa46170a80c8

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
77KB

MD5
a332c893d96499b700e24d10e3071709

SHA1
d272d6d76bc47274705af85d714825b82ec1546d

SHA256
e5f8206362742de9561537258a302365952f4fbdd1438d24e846d4473de06658

SHA512
9cf9032c8111e332af0031521a83b755bf513b3cdf34d0ae01dfd5d44d3724960a67bf95aff7ec5b9d75beac1ff1e002e622b239c1a1f06a711140e73fe36902

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
77KB

MD5
a3e276569935abd0ec32c24d8f0b889c

SHA1
8e8bdae4a213ef09929527c144c52c749bfb19ae

SHA256
558f575f9800cc1ec2a6b07e8bdc59653a3cfab2e079ed1f512531cb28936061

SHA512
49c0e49598762876054c685c0b4958d5912615db2cea6c5094d903d068f438298fde597361f752fbefa1fd0795b4bd5ea6df70a6130d336ef4364284c22c9a35

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
77KB

MD5
c5f25b6d1d5ec6c45aeb7cdaefb1c348

SHA1
afc3a104dcd83da74f4682d7e089526ec19fb3f6

SHA256
403199d123de2b65e343721de81cbd126866a49463d6044e88ae321724822a89

SHA512
3c29bcd330b6f48429f73edf053ebe454e930401f968bb024d8b805270fef4a42602e07fef0fe338d703ea75c48b48e18b25e4a60c92dc3a45eaf83d5879d68b

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
77KB

MD5
051aee04b5ab3343b688dcb8dae2c234

SHA1
6a51f013868eb164191d9245b56a90c5fe091b7d

SHA256
38386f0f2657641c6c59b38ef72042b5ed19d434c940f172a5964de99b029dbc

SHA512
b61e8a61bc77a28ea9a582cf6fe265736d50b1c31e4b77a989ca6290f2259dceab8d1d3550edb11578bdca38b697e62b8bdfa48514029550f16fd21799f87d14

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
77KB

MD5
d7485a3de4a9de00cd392f926e997109

SHA1
0aa80422303e8e441a9697b67c6861acd95a59ff

SHA256
a6d0efbb20598ae429814d00312c7544ceef0b23c4c99f5921a5cafb542fa500

SHA512
56a9f57f818433c5bdbc0d8f75aca8e89cf1f50bd19d209140c2899764243478f01f9c59b6f0ce94b159bb88a457b3c7aabd1035b02b3a77ff271973eb4401dd

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
77KB

MD5
e6d5c48034d1de65cb4c32b1c7aaaeb9

SHA1
d6a3c41d93737321963bc830e4ce0f328ba8f3ca

SHA256
543b75e04ea5a1e66ad946957384b9fb66d0739cb3a73941d66698bfbff9cd06

SHA512
b341a29151ac7fc472a9429ed3f58e8d7397d31ff9bbe8b2e563211dd545050828c270ab9f7d987df059c5d1efc8a27ffddda60d9a940bc05eb37fb324effbe4

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
77KB

MD5
edcf1bf1f96249859343c75c8f7eaab0

SHA1
9bfb6c8aaa43a5356991e0d6f17210397d1d157c

SHA256
cd8a2efa43a6799c95778d3725b8678279f8996a01fb4d36d07a5f6d13f71a00

SHA512
dd361ebadb5bc6a46d56b083a2e4636b328eef9929189c433027924e476108c6a4cc49d41858d849926dc6304ffb24205d31fe791c5711ac4ab2d555727f1661

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
77KB

MD5
8e5052ce86b93e08527caba4db5cbf29

SHA1
27f653fe2ecf72aa43c228f81b44077c9c4f4040

SHA256
3c9b20cab48b41502930927f958353dd2e43ecbd132be262e25d8591c0ed481b

SHA512
8cb11902db178f6bb9ee5d85d1ed2371691598a22db3a0357b4f09edb585d2b3c58eae6d54dd195f6fa137ab644423a2551538793b13cb6b69233f216963894d

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
77KB

MD5
a77e21fc38a21156a95a990dff01f2e9

SHA1
a6bdc8f2135fed48597f9cb7c1ea2c6efa0883a3

SHA256
69ca4bcc6f65935797b0eb974ff650701d87db77d186a41a2a9aff4657d1ba82

SHA512
dbbc0ee33bc63c61458c1995bacf52130eeb3e66f0477aeeb54c221906aec92027dc67693db60307a41c68f4dade4d1a441f70e38903d37c96a967a0627b1de3

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
77KB

MD5
526c42344ff9f830cb09c4e70f9996cc

SHA1
1b8d3a5d877e956d6fdd23ec1eeb85ab769c2356

SHA256
221d693b0d3df5fe37d2cca5f55784be01872bfc79b1b01ad9ea995f149fb020

SHA512
b65e27f32ddb38c6a7eef8a0164cefb0200c6995e4144130bcb38398bda76bba8d3258983412d32a92b1ffe1c1410c3eefa639763080ec240ea9e95927b553dc

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
77KB

MD5
a13d6de4f999451231069bcdb7ac5c96

SHA1
12bd90855af56c0d77d4f5b338794e57cc180c52

SHA256
459fc78ea6de07c9c056ef2913a1fb4c68ec45680c63b1f20a82bc1ca9ac3369

SHA512
02c2ed26c04bb2c5f2fceb8468d6b3fc4654891b402db1e692aaba3918e1734f9b33b4406b471bce6ff599941fd7a01b6b607bf19942810fcf80340ca4474e51

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
77KB

MD5
04546853ca1bea5aa1bdc71a85abff1d

SHA1
8549d170ede38e4fdaad9a0ca14e472e84b5f11d

SHA256
8772eab327b270f1236f4b0c724373935ed9e831868616cb017c14e0d5a8f338

SHA512
ef3c76ae361403f4726473e1bb982a45a23e89d163e11a6e45e6a9c6aa9d79bd5084d1686799ec239b47e436f669a9f3ab283983085d951940680676bf38348c

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
77KB

MD5
1f01e9130c81a65360e0ec6b25f5f6a2

SHA1
175df09de875ca2e9934e543318b926ab28e2aa4

SHA256
7431c5cb26736c3f55071f0e8024218a5b6fc245498935eb4a6820ab873ed4d1

SHA512
086255ab8be9f253bb6172777bba6cd2cc2040958068bd1fa5f6d3febf28736a23f4e7349eef1b43f265e39f4e600d1b47b1622aa493e89ec1b1c111f28b0886

Download Submit
C:\Windows\SysWOW64\Cogmkl32.exe

Filesize
77KB

MD5
73b74e7112b5684477013a0d68f34c8f

SHA1
8b8f90b4df11ff3ac5249025a787a10030b21253

SHA256
2f167669332e85d554b7f14f8d133c7ca6b9a4cff027ebe57c91dd7c56c2c2d6

SHA512
9a3342fcab0902b172cfe49a2558b07e0954a2668f5e80eb031ddf3c6cdf88c80e5665d087e63b74f2a838f4293ac3a8c6d96c6ff72ac73267fbf18785918edb

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
77KB

MD5
4159d9e39299694d4c6b7febf563bf0b

SHA1
f6596da8a874bc421f455c65ba372913927bdaa3

SHA256
83ca3881850c449d904f569d22967e0b4cea7571d7986ed1f9619ddf13dd2d82

SHA512
1823e509ef3cf5a63ad212e65ed7725c13629395595d2eab7a0d7089020a2622c1347d4f482add595386ef40510aef36d8800b5b9cdb75a718432b3c5fd46cef

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
77KB

MD5
d3ad938aabf1174b90dc67be5ed85ce9

SHA1
e70da9d717bf0032d292880a7bf732e30b01597d

SHA256
a7a1c4d5b1e1615b9700e44cb8e98ded26494a946f9ff4b43c47015aef6e427e

SHA512
5a1d384ea012627e11301a9d7fa38f878097a17592f554d7b7b936373f3f35fefa66ca65f28bd316631b9587fc5cb2ef2b51263325480559e41e4df7b31ba351

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
77KB

MD5
4158f15be6b236799ee4f86c34c31724

SHA1
ebeb8cae417cf05c4fc7c1bc700411b0734dd736

SHA256
1f6a7604d8170238062803233391f6d98f0c5944bf35ed48122ff863b988f75b

SHA512
2a7a293b80c6b8ef8a6fae8704ef198b694a6598792660e9b2c2dd1dd3baf11f6aa80257de1868d709f1eab77c625bf52e60698ebe71647d3ff21283f7b0eed2

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
77KB

MD5
9f34b6b274fe5bc84b5830f4ebbb2b4e

SHA1
e613d776760ca84e907c2e10f5d8286190c047de

SHA256
f5c60eee164382f691df421a2ddfb759e1abe44ca33edc10ef00c3ae2f7e8670

SHA512
b331e403432ab07836195c0b8023fbe4c8a07ef161bcf17bd98c85cbd2a38f636ed721c93e186322e31da72e35f8f3f3e132387ffa23217e89e070da3eb4246d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
77KB

MD5
fd8c19618443f3672fa07f920b927e1b

SHA1
5ed7b29cc722a482b233ae46f130b844421e8108

SHA256
f8b5f4e209d7619519566ca2ada093a9e5526edbd665e54101e7df3843d4e802

SHA512
85fd7e5349cf002fdc61727601fbab12b7917afde201f1a6e541c241f6c41fd5c3d82acb88ea0a6d26061d319cfd0f83e9ef378c248bea4e1f8cdf498e03d478

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
77KB

MD5
099d066c938efa7888edbed129de46f2

SHA1
b0925caf006b3a973e911c5e82e8cf7411d70e10

SHA256
c15458c51509936a598066273916229999478313a96588e716f273a65a171e5b

SHA512
723f8e1798884c2d16ac99d055c1946250b9a878ef777a2bacdb079d76e4f63aebb9d912f228818fdbccc3b95c5f17fe955ae0ef9e61ae61a93f975d79edc765

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
77KB

MD5
ea6e390ae68f20b67e4c70c91962531f

SHA1
0340ce3554f79584c96e2fccf155b2c027e88667

SHA256
a6cfb1494ec34bcae3cd2879f5190bc03e7c7603419ea5083534d18e19ac5261

SHA512
efabd7ba7ac9e7020e43d6d144d62856fd2770873abbe65fb321f7c681883a6e8658a935478339030a8d610c7ace9c2623bfdefa00656e335013ba722ad5a696

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
77KB

MD5
e2f36e4a87746c3c18c95377a9224cb7

SHA1
022c7d3dc3886b629b8bf7bae86455a274a8552e

SHA256
7b696f093ce619c89c1443ff72ce8027ffb5ace1dd0cda15eb1bc3d800b92ab6

SHA512
89f92f7772722fa749f8f48032a60392fe554bee1c3664dcba42d5b1ddfea18b73693f59e6b313e3288181d7771ffd9ec51c40fd741c2cb6c7adbfecbcd6183a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
77KB

MD5
d544c5162eadb40571db9070e422dc35

SHA1
9de4ac90ee518731045d9c682368c5a47acfb9dd

SHA256
fb82babf90867220d42b07d3a269b588580a05a082285e35c757239e8762b42e

SHA512
511d776df703959a1fb7a1f36bb42d825a747a98c40da9988200871e972a331f1f745f91d25c1f6f8523d5aa89c3055480f57d124d24e7d264612ad525b913fc

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
77KB

MD5
7b44735176bb2022bb4d3825b7b94fc0

SHA1
e07d817321f689951e7445c54da7fdca90d1c899

SHA256
6ab897be636194d736782c41f2e25f344205ce70731adc25f5a378aca952559f

SHA512
fdb0f6dc34cf40e5b126713dfe1ee0c893f82e96e16ae393cbdb49149b8e594af5546a9d9a2826f072d3f4caef410558d015d9ce59a4f8587d3aa3ba3a921d86

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
77KB

MD5
750c9651756b0894263639347b89b71d

SHA1
24ba94c8facd1f5efcf1d1282f2866a83765b6bc

SHA256
e5d63611fbff0dcad4abbfb4f7c2f6f66e84521bfaf0c89a22d63173c2d4d76c

SHA512
580f08a2219336d6508a66d0d4f0bd098f0773b70dd011ea2f7497dd2379151f62fdea86a6fe5a3e44fea30d6ef23db2e831515682c3d135cd5e645ed219a2d3

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
77KB

MD5
edd01ce41ad3c0cf274a4bdd779989d4

SHA1
a2eb5904bf1997e56682f65726caa2795e310d35

SHA256
2da065a13068c881aa1f17965be113887577f4b3d9fb182910ec9420e485ba7f

SHA512
fcaa6a47c085d21529133f9504b32fcd5e40bb66ed036a00c9e5d44c92ed79e31ea37634c5a8c345242963523844bbf15200e8016dc1cc8751f3b33c588ea788

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
77KB

MD5
19abfe39c7a86757ed3a1c4872125379

SHA1
55824390de265e6c7a8c2aa7bc84d4a3d7334051

SHA256
60b2b4e729d697081d412f57ac3b3bdf9f5f815f48f621061cd27051271277ab

SHA512
f88b956c6a681732b8653d1a2b4afedb0ded50c5f70f6cd6f9f8b9bf355635985ada333dc165862050187ade25e2c5f6cbabeab5f4d459027d9849296c323350

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
77KB

MD5
0dadafee4f72ba3882dccfff1d0accd1

SHA1
4d2cffb251a52a096e5bcc4a9086dd4bc30d3cda

SHA256
89551433b52a438feb803e735d4897d3f209fd0ac0a287cf3aaabbd2df809963

SHA512
f63dc429f88e6a3304fd14ed9eb4d455140c96d7ad5798092cb45fbcee1401c46824d597f3d6124902d56bb3419033bfb3c412152885336f8b9c7bc6df546163

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
77KB

MD5
8f1a9d6f0b986c5ab339ca81f82bf7f0

SHA1
4b834be8c2273cb2126665cf7618484d62750433

SHA256
151b05c5a2b9ac9095cd626a988975b486eec510b5543e26b63ce3c54d959018

SHA512
1f2447238fda2af9ab74d328687f4fe3e7bb39a93f5f55fcbf597eeeac4fac957ddef9afe5e87f9089ffe3ac5283e9ce81b5daa06eb49ada37c3dc06ebc3d6cf

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
77KB

MD5
c4fc1802d4eae0c1e824fdb9ff14bba7

SHA1
ff0b9092f94c96d347a874bf1452d674f9965a6b

SHA256
cb92bad779dc0e8eb521f6a4e54ed1e0ded1b672097d7462d170a03e7b4d0e7a

SHA512
88ae54f7f467a492954d58b191a1038dddad239c2f381f6ee9ab5fa96dc1e4300991a06e74cd75663e1d4d83b302f6e23b81e0778f6b1c36637186b2ad94f6b6

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
77KB

MD5
53bbea59bf26b46c5c0a0400a30e8bf8

SHA1
aa7bfcee692ed6baf69283a39952b2448ab7f05e

SHA256
7472740374cb1d8f670d212118e27e49ad65c449e5face7d1a7787b00ab59015

SHA512
fe10cc2e710ab2887ce08c12f3f48da08ab6d661bdd015a8df860fe1a60c25f5f726dcf8585a5ef938f5cc5594558053e179ef1d6923d023d4e097badb8b0270

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
77KB

MD5
6115885405f545ccb68ae437a4e0ada5

SHA1
8fa2165b9db94f43c1866e0777c1f372075b4df6

SHA256
ea5e01163432cf847c88a8e95caf9a0e33fda6f71c567e18d8bf104d151f636b

SHA512
879883915dad8603ad9afdd33c5802b7139e4e600d51914a4ab697ba5d319f14fb0acb72a49de4a560c6687c674e68a17aad303aa27d51343ed07865d556805b

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
77KB

MD5
a8179d24d79c727044749b300aa8e03e

SHA1
7ee5250c1a0ea16fd24e3fe9453d3f19202a1743

SHA256
c5dba4638e555f93f6934c5fea52f08dcdcfa0431657c51baeefb7db46066bee

SHA512
3be31718a80853b648fe4c3473c42c8cd9f6b008a53093d080ab2b839e68227bc68ee45556b1f7bcde5fd038012f1ba3897db7f8d2ba79e2b12e1f6d07509a69

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
77KB

MD5
b2d8851ff83635ecc138694902846014

SHA1
554e970d08cfe8dd7780b4b243c24cae95405b5f

SHA256
578c16554c1020584db19c5a8abfd8c7879cd0702e160fb51072bccc13ff26ef

SHA512
a9360aeacba5b7b5a1115b419e4207033f236967526dff57afdbec2e3d06b9ae9f53b526200ef67a0ac5e5ef33aeec423e72a82c3a6e8b62f72048c7a7270faa

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
77KB

MD5
8cbe6b0682a306b7bf438de1ea768608

SHA1
b6ee477fca3823ec82b72a416d5dfd9b65dbf9a8

SHA256
a3fe4855c2a7cbd4816e9a9f493b26754009bb5b4d038a292317956780f13fdc

SHA512
b05d37885b609fdea75a4e2c0ae5fbe35c159ad13b8aa073b786976429c1523ce122365b97bbf0d820398512c846cb6e3ffd0fa72f5c74de609cab66348fa042

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
77KB

MD5
4ced04bd0f7a7e2d701a1c02b16dc8ca

SHA1
ec47ac1b43d1dcd85e172ea88f4556476e55eb08

SHA256
c379274b5083e2621dc8d5b851ed37c1301fdc93950ece1fd3adfa3de017de3f

SHA512
8d58b1f137d893ab987c6ad13029e6c6f0a875d003e1453bb235936d301b0124407eeca3f36915a9aed7c0d2e6013db52413a80e9487a716528c9a4b8490c929

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
77KB

MD5
9beac47fc43bab46c6266c32ac03d783

SHA1
81d358d5fda19748ff36be6715f5c9e1e1dfcf86

SHA256
e14b3ea5104b152398f8db0295fab53fbf3c468b4941e4f1230971fd00c5a4d5

SHA512
22b986e35ffa78b5647c53afffdf97e723f9a2a9a737e51b7cea74f64ae2510390bb4dd8f62ca59968d31ea3f7aab88b08069b23e5d0ad2b59f9ba8cf6bf79f8

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
77KB

MD5
497ab15226d9904d8d8304dcc898dc94

SHA1
792d775d8df769f3130aff1bff08e37c0c759bf1

SHA256
faabe98f9241c9b06b51af242af76f2cf72d8039580bd03b9a85554f4a1160ba

SHA512
04c8e8c5d01347cf316e419b4dccab70e677377cc2c059ac891e5a8b1afefe53598bfd235973a8365d9ddfde681998a76c76d2db1139656c909d8db7d5de3cae

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
77KB

MD5
a45c637f8bee50f1f617822df70ba373

SHA1
1a5076743d16d43f01c444f4ed0468421015e216

SHA256
8dcce0a7b336b7addecfe9c2ebe3d586d3aa30fea1844da426a80a305b6df14c

SHA512
9da74d8a067cafbf60f6c396b87725fc4d2b09c84e7a1693f29da2721fed4b2087b41219ea1cb732b829a5be42f8d385a28b7063b6ab9585cf177b98073fdacd

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
77KB

MD5
8770c956e2574ac4b26e3eeacc7a101a

SHA1
ede458f87524dde149aa7ebf7bef774d6eef8b4b

SHA256
6bc4cbdd185e0d09d7fbab45f814596af666e8cc71b759ea57fd4182c7e84d05

SHA512
6a2dca86d72b86e25b6c33d00f3b6b668fefaba24cba1579af522268b0b93afae927b315706aeeb340f34f5d66f17bb342ca448b91c13e5ce7526cf0641406bc

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
77KB

MD5
69f52523b63cc6281dbaaccce0d8b7ff

SHA1
a4dc258117434592038bd4dd4a20a53c3fa7b6d3

SHA256
b6844ccd35fcc9b693ec1c1d52cffef45720e4ecad3a3ce19bbe17fb63997d4e

SHA512
436388ff0ffb5ca57c539641591b4c70181875c8abdd4c68cb9bbc76782679096e2123d23c27a08ea883a73de232534da0810575810e0c1ef8d04f2524fc0332

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
77KB

MD5
412bc7b434a2dc6ed7479499755657ae

SHA1
e944c59bfeb7cb3ea33370a39cfadaaacb0a1fe5

SHA256
95a2252cbbdd572311a0337ea2ab7f38f6820a66679bb490655f741bcc17b3cd

SHA512
18735878d23807cc9e63f234128e6092a020a89df466e633effb1608cfe74f617fac2dc1e1df25128540a2e08398fea67584993b1517957ca9507b30267c6135

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
77KB

MD5
1c130258bc154b3f7fa8b8670f5ceea7

SHA1
d11b228987ae4bc5675780414c031eb9558fa954

SHA256
4df0eb9990746e804296ef8d1e749b72ca573f93ba9e7e92fc12bbc792c77c9e

SHA512
d0045f7e1ed5085290eb19bf42a3f02842dd337b6bbf933ba5bfceb13b87b5faf2ac27d4fa2321f73661be61dc6b3b398affbacd1a58e23350af081d586e1743

Download Submit
memory/212-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-599-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-596-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-543-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3924-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-595-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads