58f797172773d6d711f3f4722ab222fd9014538deaa46f8186df27e0c2a0d330

Analysis

max time kernel
146s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe
Size

42KB
MD5

ef71a60240369d76bd3e70d83c885f10
SHA1

9916eb92ef9c68d0a77c0bcb4ad98db53930b097
SHA256

58f797172773d6d711f3f4722ab222fd9014538deaa46f8186df27e0c2a0d330
SHA512

e2ed1857b199bde6f64c4cd5da6c56b084e52c9beb5072fc0c49a8337233f3f41713e855069593cc80809221805e84651d2d19f2722531ce55dfcb1b60ea7bee
SSDEEP

768:ITZdyPb5sujht0H/BHMy7ekY54PFx/BDYBtGYiK1IA/1H5wW:IWPbljht0HJs8gGTJDYLG3S

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhaebcen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogaceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkmhlekj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhjmiad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajiknpjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elbmlmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkcmdhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghieg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eadopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbmlmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe

Executes dropped EXE 64 IoCs

pid	Process
4592	Onholckc.exe
2096	Odbgim32.exe
456	Ogaceh32.exe
3032	Onklabip.exe
3008	Ocgdji32.exe
4220	Okolkg32.exe
4728	Obidhaog.exe
5004	Pcjapi32.exe
464	Pjdilcla.exe
5008	Pbkamqmd.exe
1844	Pghieg32.exe
2776	Pjffbc32.exe
1392	Peljol32.exe
2252	Pgjfkg32.exe
4628	Pjhbgb32.exe
4636	Pabkdmpi.exe
1572	Pgmcqggf.exe
3988	Pnfkma32.exe
3420	Paegjl32.exe
3760	Pgopffec.exe
4400	Pnihcq32.exe
4016	Qecppkdm.exe
3632	Qkmhlekj.exe
2240	Qchmagie.exe
4904	Qjbena32.exe
3892	Aegikj32.exe
912	Ajdbcano.exe
4348	Aanjpk32.exe
2320	Ahhblemi.exe
2856	Anbkio32.exe
4056	Acocaf32.exe
1080	Ajiknpjj.exe
748	Aeopki32.exe
4312	Ahmlgd32.exe
3184	Angddopp.exe
3624	Adcmmeog.exe
880	Aniajnnn.exe
1628	Bhaebcen.exe
1800	Bbgipldd.exe
3064	Bdhfhe32.exe
2180	Bjbndobo.exe
2132	Balfaiil.exe
3256	Bdkcmdhp.exe
3156	Bopgjmhe.exe
2980	Baocghgi.exe
4528	Bdmpcdfm.exe
3092	Bobcpmfc.exe
3348	Bdolhc32.exe
4540	Cbqlfkmi.exe
2692	Ceoibflm.exe
2300	Chmeobkq.exe
2612	Cogmkl32.exe
2872	Cddecc32.exe
4784	Clkndpag.exe
2508	Cbefaj32.exe
4568	Cecbmf32.exe
4396	Clnjjpod.exe
3168	Colffknh.exe
1404	Cajcbgml.exe
2212	Cdiooblp.exe
3436	Clpgpp32.exe
4120	Camphf32.exe
3280	Cdkldb32.exe
2224	Clbceo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpkman32.dll	Peljol32.exe
File created	C:\Windows\SysWOW64\Gkhbdg32.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Afomjffg.dll	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Aegikj32.exe	Qjbena32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Qjbena32.exe	Qchmagie.exe
File created	C:\Windows\SysWOW64\Neiigifj.dll	Dahode32.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hjqaij32.dll	Dhpjkojk.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aanjpk32.exe	Ajdbcano.exe
File created	C:\Windows\SysWOW64\Immapg32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Fohoigfh.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Hodgkc32.exe	Hcmgfbhd.exe
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Hofdacke.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Iejcji32.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Eaacilcc.dll	Qecppkdm.exe
File created	C:\Windows\SysWOW64\Fmfmfg32.dll	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Fllpbldb.exe	Fdegandp.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ipnjab32.exe	Imoneg32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ddpeoafg.exe	Daaicfgd.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Miemjaci.exe
File created	C:\Windows\SysWOW64\Bopgjmhe.exe	Bdkcmdhp.exe
File opened for modification	C:\Windows\SysWOW64\Cecbmf32.exe	Cbefaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dekhneap.exe	Dbllbibl.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Adcmmeog.exe	Angddopp.exe
File created	C:\Windows\SysWOW64\Fdgdgnbm.exe	Faihkbci.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hfifmnij.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Edpnfo32.exe	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jlnnmb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8980	8720	WerFault.exe	418

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnihcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkdbljm.dll"	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balfaiil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlncan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjhib32.dll"	Anbkio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobcpmfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaddm32.dll"	Cajcbgml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfkao32.dll"	Clnjjpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll"	Pjhbgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll"	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeopki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clkndpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clnjjpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll"	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Angddopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Ippggbck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnihcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baocghgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baocghgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4592	212	ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe	83
PID 212 wrote to memory of 4592	212	ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe	83
PID 212 wrote to memory of 4592	212	ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe	83
PID 4592 wrote to memory of 2096	4592	Onholckc.exe	84
PID 4592 wrote to memory of 2096	4592	Onholckc.exe	84
PID 4592 wrote to memory of 2096	4592	Onholckc.exe	84
PID 2096 wrote to memory of 456	2096	Odbgim32.exe	85
PID 2096 wrote to memory of 456	2096	Odbgim32.exe	85
PID 2096 wrote to memory of 456	2096	Odbgim32.exe	85
PID 456 wrote to memory of 3032	456	Ogaceh32.exe	86
PID 456 wrote to memory of 3032	456	Ogaceh32.exe	86
PID 456 wrote to memory of 3032	456	Ogaceh32.exe	86
PID 3032 wrote to memory of 3008	3032	Onklabip.exe	87
PID 3032 wrote to memory of 3008	3032	Onklabip.exe	87
PID 3032 wrote to memory of 3008	3032	Onklabip.exe	87
PID 3008 wrote to memory of 4220	3008	Ocgdji32.exe	88
PID 3008 wrote to memory of 4220	3008	Ocgdji32.exe	88
PID 3008 wrote to memory of 4220	3008	Ocgdji32.exe	88
PID 4220 wrote to memory of 4728	4220	Okolkg32.exe	89
PID 4220 wrote to memory of 4728	4220	Okolkg32.exe	89
PID 4220 wrote to memory of 4728	4220	Okolkg32.exe	89
PID 4728 wrote to memory of 5004	4728	Obidhaog.exe	90
PID 4728 wrote to memory of 5004	4728	Obidhaog.exe	90
PID 4728 wrote to memory of 5004	4728	Obidhaog.exe	90
PID 5004 wrote to memory of 464	5004	Pcjapi32.exe	91
PID 5004 wrote to memory of 464	5004	Pcjapi32.exe	91
PID 5004 wrote to memory of 464	5004	Pcjapi32.exe	91
PID 464 wrote to memory of 5008	464	Pjdilcla.exe	92
PID 464 wrote to memory of 5008	464	Pjdilcla.exe	92
PID 464 wrote to memory of 5008	464	Pjdilcla.exe	92
PID 5008 wrote to memory of 1844	5008	Pbkamqmd.exe	93
PID 5008 wrote to memory of 1844	5008	Pbkamqmd.exe	93
PID 5008 wrote to memory of 1844	5008	Pbkamqmd.exe	93
PID 1844 wrote to memory of 2776	1844	Pghieg32.exe	94
PID 1844 wrote to memory of 2776	1844	Pghieg32.exe	94
PID 1844 wrote to memory of 2776	1844	Pghieg32.exe	94
PID 2776 wrote to memory of 1392	2776	Pjffbc32.exe	95
PID 2776 wrote to memory of 1392	2776	Pjffbc32.exe	95
PID 2776 wrote to memory of 1392	2776	Pjffbc32.exe	95
PID 1392 wrote to memory of 2252	1392	Peljol32.exe	96
PID 1392 wrote to memory of 2252	1392	Peljol32.exe	96
PID 1392 wrote to memory of 2252	1392	Peljol32.exe	96
PID 2252 wrote to memory of 4628	2252	Pgjfkg32.exe	97
PID 2252 wrote to memory of 4628	2252	Pgjfkg32.exe	97
PID 2252 wrote to memory of 4628	2252	Pgjfkg32.exe	97
PID 4628 wrote to memory of 4636	4628	Pjhbgb32.exe	98
PID 4628 wrote to memory of 4636	4628	Pjhbgb32.exe	98
PID 4628 wrote to memory of 4636	4628	Pjhbgb32.exe	98
PID 4636 wrote to memory of 1572	4636	Pabkdmpi.exe	99
PID 4636 wrote to memory of 1572	4636	Pabkdmpi.exe	99
PID 4636 wrote to memory of 1572	4636	Pabkdmpi.exe	99
PID 1572 wrote to memory of 3988	1572	Pgmcqggf.exe	100
PID 1572 wrote to memory of 3988	1572	Pgmcqggf.exe	100
PID 1572 wrote to memory of 3988	1572	Pgmcqggf.exe	100
PID 3988 wrote to memory of 3420	3988	Pnfkma32.exe	101
PID 3988 wrote to memory of 3420	3988	Pnfkma32.exe	101
PID 3988 wrote to memory of 3420	3988	Pnfkma32.exe	101
PID 3420 wrote to memory of 3760	3420	Paegjl32.exe	102
PID 3420 wrote to memory of 3760	3420	Paegjl32.exe	102
PID 3420 wrote to memory of 3760	3420	Paegjl32.exe	102
PID 3760 wrote to memory of 4400	3760	Pgopffec.exe	103
PID 3760 wrote to memory of 4400	3760	Pgopffec.exe	103
PID 3760 wrote to memory of 4400	3760	Pgopffec.exe	103
PID 4400 wrote to memory of 4016	4400	Pnihcq32.exe	104

C:\Users\Admin\AppData\Local\Temp\ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ef71a60240369d76bd3e70d83c885f10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\Onholckc.exe
  C:\Windows\system32\Onholckc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\Odbgim32.exe
    C:\Windows\system32\Odbgim32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\Ogaceh32.exe
      C:\Windows\system32\Ogaceh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Okolkg32.exe
        
        C:\Windows\system32\Okolkg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Pcjapi32.exe
        
        C:\Windows\system32\Pcjapi32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Pbkamqmd.exe
        
        C:\Windows\system32\Pbkamqmd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Pjffbc32.exe
        
        C:\Windows\system32\Pjffbc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Pabkdmpi.exe
        
        C:\Windows\system32\Pabkdmpi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Pgmcqggf.exe
        
        C:\Windows\system32\Pgmcqggf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Qkmhlekj.exe
        
        C:\Windows\system32\Qkmhlekj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        27⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Aanjpk32.exe
        
        C:\Windows\system32\Aanjpk32.exe
        29⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        30⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        32⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        35⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        37⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        38⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        40⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        41⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        42⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        45⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        47⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        49⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        50⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        51⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        52⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        54⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        57⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        59⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        61⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        62⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        63⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        64⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        65⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        66⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        67⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        68⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        69⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2136
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        71⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4608
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        74⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        75⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        76⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        77⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        79⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        80⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        81⤵
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        82⤵
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        83⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        84⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4720
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        86⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        87⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        91⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        92⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        94⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        95⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        96⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        97⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        98⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        99⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        100⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        101⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        104⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        105⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        106⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        107⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        108⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        109⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        111⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        112⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        113⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        114⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        115⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        119⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        120⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        121⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        123⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        124⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        126⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        127⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        128⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        129⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        132⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        133⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        134⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        137⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        138⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        139⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        142⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        143⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        145⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        146⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        147⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        150⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        151⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        152⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        155⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        156⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        157⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        158⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        159⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        160⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        162⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        163⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        164⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        166⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        168⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        170⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        172⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        173⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        174⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        175⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        176⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        177⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        179⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        180⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        182⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        183⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        184⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        188⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        190⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        192⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        195⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        196⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        197⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        199⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7176
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        203⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        204⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        205⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        206⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        207⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        208⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7580
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        210⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        211⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        212⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        213⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        214⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        215⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        216⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        217⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        218⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        219⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        220⤵
        Drops file in System32 directory
        
        PID:8048
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        221⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        222⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        223⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        224⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        225⤵
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        226⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        228⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        229⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        230⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        231⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        233⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7816
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        235⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        236⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        237⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8076
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8168
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        240⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        241⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        242⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        243⤵
        Modifies registry class
        
        PID:7464
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        244⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        245⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        246⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        248⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        249⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        250⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        251⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        253⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        254⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        255⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        256⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        257⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        258⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        260⤵
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        261⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        262⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        263⤵
        Modifies registry class
        
        PID:7640
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        264⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7684
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        266⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        267⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        269⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        270⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        271⤵
        Modifies registry class
        
        PID:8224
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        272⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        273⤵
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        274⤵
        Modifies registry class
        
        PID:8368
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        275⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8464
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        277⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8564
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8604
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8652
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        281⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        282⤵
        Drops file in System32 directory
        
        PID:8756
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8800
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        284⤵
        Drops file in System32 directory
        
        PID:8848
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        285⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8940
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        287⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        288⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        289⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        290⤵
        Drops file in System32 directory
        
        PID:9112
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9152
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        292⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        293⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        294⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8348
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        296⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        297⤵
        Modifies registry class
        
        PID:8484
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        298⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        299⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        300⤵
        Drops file in System32 directory
        
        PID:8680
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        301⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        302⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        303⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        304⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        305⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        306⤵
        Drops file in System32 directory
        
        PID:9060
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        307⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9204
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        309⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        310⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        311⤵
        Modifies registry class
        
        PID:8636
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        312⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        313⤵
        Modifies registry class
        
        PID:8824
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        314⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        315⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        316⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        317⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        318⤵
        Drops file in System32 directory
        
        PID:8592
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        319⤵
        Drops file in System32 directory
        
        PID:8792
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        320⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        321⤵
        Drops file in System32 directory
        
        PID:8236
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        322⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        323⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        324⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        325⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8720 -s 396
        326⤵
        Program crash
        
        PID:8980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8720 -ip 8720
1⤵
PID:8612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
42KB

MD5
1772b85ca41f65417c7466d98820c3a3

SHA1
67f9ea13c7e87ec7f19498b168573a825514096b

SHA256
0944226de53d09ecc9106a9ff5736a237781337d453aa6ea3478344669e67d28

SHA512
02ed57737e5827ae220f1e6ddb518dbd891cc569b2c592c749333d929b63eba4c922dcbfddb5b25868891893bd90fedaf9d994bfd07b2c5960a344fb6f5575eb

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
42KB

MD5
4777993e84568a53a7bdb8731038d429

SHA1
87cce094b32f7ded0ac94c7cdea8248bac5f6269

SHA256
557ea994c871f77b8c041de95fef46b27c9c07d1a7e99635d4cb5a9cd14090f6

SHA512
776496aab943fa81d9e6ed8909f46c7c53cbee9b9b7a79370912a17f2570acdba2d4241cab52a184bc0dade0fca9bae126e99c8f6c6bad9da866975cbaffbdeb

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
42KB

MD5
b2808cff962e789422eb27ae6a6acbd2

SHA1
c178a16efdd08202564c3f0ff284974955a9dfda

SHA256
2e19404cef263d4742867c63888499676db7d34fd890a19cfc8d3fc37df187b7

SHA512
163ebc545e2c5c5c92ab9474cf4e03bee5390783126785a6518e8a1a3f2aaa3685555acee79b388948196a7b094c286c089defcbb77122e4fe846142e87491f7

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
42KB

MD5
10227aaeb43e245f069586eccf5ca4d5

SHA1
a1db9de1265b750a03743a366d8a8aa1583a4aec

SHA256
ffd5eca768d9d4b7aef09f5574e77c44f9854db215c24f9f644e52372357b73b

SHA512
0501d44e5f637665831089e09cef7f58ec75f18aec39346278c827d395305e13ecc41d8df6fceb4dffb3110d02dcf648e187a532abb359fbb56d190409ba0fcb

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
42KB

MD5
06e704f2f7003b91b64767ac13cc1ecb

SHA1
edf144a0d5a383d40e644d51ecaf6e51aea0afad

SHA256
bd5e01076370d145b16544b072f4fb1a896c9564805a7284e67bb9c7f187ec39

SHA512
8994efefbdcfe2b17ffbc94242f88dde84041bfa9cf0fe4405a9151e541033ede2376033cce1dad153ab8dc3e93aeb5591ce7116cd84c0d48ae53469e4f293c9

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
42KB

MD5
ecc613853d8115be3bdc684f29dc75f5

SHA1
488cbab0a2aa3b8608e3fe593672d80d9865acd7

SHA256
e20361b4d63025bd352eb49da281860420fcff9979bfd3a70db0ea647d003726

SHA512
f3cbd3e4745c7823d894a04137a1e0d67bdea779296f737bd36e1c4a2d5edde10373813ab57c2a3edc3fed643e6e697d84e787b995e9b0653143d764108e3c58

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
42KB

MD5
64af6c8750faebedf7d8666d3fda57a3

SHA1
8a9524423e8146f80060056237ddbd387deb075e

SHA256
8d8d0f99507693dd3a24fcc545e2078602e3fbf43ae5b584dfd4e28b1f34e237

SHA512
ed5eb8b13f9ebca65b12d1ffec8d4f51d16e48663c3754a750688a73d52794f16813bad70e9547c5a4ef5a2b2715aeb2a9f768de838741e66a6bc730a079f164

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
42KB

MD5
9e8d7ff76a7f20c301f161ad22eac3ef

SHA1
1aea6818589bd7f6490a5fd5422d9758cf08e803

SHA256
2d530613de0746a0f9e282cbf72f5465a0821afdbd2599dd9d1e8d1b4a148240

SHA512
62d4393a0a102a00a62473ca551671e19e594c7857d0e984f4253655877a8d123957f8e9789d44728cbba6297ad53a5016606ab5310422b9077c484bb53b6d59

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
42KB

MD5
3e5479b7d8d552c86dbafdb803776a08

SHA1
a5b28c00f800e2df93bf1a1bd8fa8caa25085112

SHA256
9e88c9185f943f19d9da113ceebe9336457b80848ab56361c75789e310396c55

SHA512
bc05e5e76e92da44f42590d09a847bf76991872aeacfc7404842385a77d9d5d571c10229c51fe87caabd2e62290719f6ead0996238d452cf004304f7fa41d2b6

Download Submit
C:\Windows\SysWOW64\Anbkio32.exe

Filesize
42KB

MD5
ba07057458b6ee08f6e8bca9892b2ff4

SHA1
606daeac331906b6276693732b6b584ad3c2d4e3

SHA256
c24155269958c7a4e9a708f8c68cb224a9d67267d40815f963f556aad4b6ae33

SHA512
c19c943739e164a235e23937cd67da3fcfc0c7170079d9db699babd27cd0c86a603fdfff0b84e862133d12aeb7795255b1b4d9d751f9105c4ea62021e7a3980b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
42KB

MD5
d98c7904c165669c3855aa73fae0e334

SHA1
d424092e9625a94a722916f9a0d8694d5cf04512

SHA256
32acd8e540f5a086dcf8fc4740b26db95a2bdd773810e9c105cc24b91ced752d

SHA512
bb3de0d4c538bd2b9138af56dfc9b88f4219567e3dec7c5fa5ea592a3217c647fb0f72e8177e901b2e6518df0597f5f42097b9e688eabb5055e89ace1082d715

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
42KB

MD5
33448062a7be8ef3e4ab2a5f739230e4

SHA1
f84441d53ea13f49601c6e8d7f5ef4871cf1cbeb

SHA256
ed54b150df77c72bc9b4903556b9b1d381ac6b765973e475bea3d949dcb686ff

SHA512
79c12fe1e298f904ed3a3c8442d154506c07022113e8812460cc8a5821ad8ba8c507139d6be57e2e7a7adfaed44a4c2d114d39fd866cc811146882349024a603

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
42KB

MD5
e39e1cf6aab5950d33976dbc93b7ed69

SHA1
39b89a254624c0d68943e82b1e78e076c9b87963

SHA256
1f8ff207f2f6bf751053eb7377fe4db88b0438aae752a1f8f99a38c7a6bc7c42

SHA512
81d35ce132e5eb9fc7d7500c364315f1d67ec64e684462c26e0d1ba7fe6eca8c56d94cebee2c6ce5b9d275c4c3efe56fcb4a4a4b8556709720e6a2792f84718d

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
42KB

MD5
4c43a4ad6743281728a6f6d05b9963cd

SHA1
eb81e748bf3931ce4bc865b6eefab21db9f3b3c2

SHA256
662c3ef1d5e145f52e6f80be7afabfafe296da144ea2abe96f0dcf0e5dfff0d1

SHA512
15b3da7854451d7d4fc9cd3f7f2797c024e81c739407b983e6ecfbdb4bde8677fff2be11bb15c09356be958b6a9963dd20a72bebec605f63516ba825dc33cf14

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
42KB

MD5
e676a96701e024afb3625cf8b7038ed5

SHA1
5a7f41f4d83eba2e6184a27eab400dd38a0e0b58

SHA256
08d6455354a562741e862f8e9850457f0348d6ddf3d7bc4ef24f609bbc07d4f1

SHA512
a07e17f267be8465c843bf5b55e68e9c0c0ef894eb2dd3c3fe3b7c8b322549a0cbd25d963543676dd11a8ef778158aaf4a2d1494e9c97d0578786cc370d188d3

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
42KB

MD5
f4bd6238b29b908f751624098633c73c

SHA1
50632f4bc26f14e74b64d3ef7b0e430bb2f58c73

SHA256
f91f99871501623aaf3a0024fe0d6eccb2f172a0ae5e23f0fc26be1aa09201de

SHA512
46449939305b05c568b8f40e24aa3ab5a917de0c92a04a79302f464daf08eeba6865047d47ce940bbcf57365f3b27eb2dda677bdea8f7cc9fbd4b04c56986bab

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
42KB

MD5
665325da1f3cc5ca83567df8f3cab9f5

SHA1
3742f92e405961c86636be751de361532927ca49

SHA256
7e516985082e86609d9ba85e40b0976517e114753d6dffaf34ba3a75b95a4f96

SHA512
115eb52a32a36462e8c976d517f207d81bfd099cf9f0544afcda88aa658cbe833585817a074d755d66f137836a6474a225c5fdd16b6889ca1f1fe0ccaa987d42

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
42KB

MD5
db6b671959206228914990697196cf92

SHA1
efda0c3f7134b0f3c7ca263a14eb71282404da0c

SHA256
9067c844b4187f652614871c3ebb273bb4b3c40140893f770d187038a4b95362

SHA512
f8531e14a729ba31c2f221b41dd9a7204ac26c474a1a148c24458ee64393ccadd2e98360c21377bd86080ab394aeac664c0884c143a93f264c92b94cc73be6c2

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
42KB

MD5
a709a55bcd1474ac8ad445c2bc108e16

SHA1
d03c3751e379d5af8d97dec9b88d575a82067882

SHA256
ecf22519092da890b7127cd5c126c98f61de4b384ac4860aa149e704907e429a

SHA512
27666ee623f349f1059261587e2df41324967c23edcff0115e8456f43f443a858d00640d8010babfc4cc2a5b6baa230fe686818d9a5c065743dfbe04b14f2b30

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
42KB

MD5
6224cd3aa9d2ac61163ff2cac140e0c4

SHA1
b96bd6b0bfa40e95712f9e7aa9e3a6a6de3a6451

SHA256
2270401693e50979489ac7587f4ad70b434e491fcba4405b0c45d39f3c76abbf

SHA512
cdf167d76d7f15d785937c3b3e8d20e4b2adc84a85f846c73b883e39d2f8117cfc3a2146ccf5fd4ca08acdb9c745f9065c5a8b475c78ada4497e530b4a1341dc

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
42KB

MD5
19bef2320265a08daae49a65bab4030b

SHA1
59e58eff66b68de43f3a531e453e85c17bf37aa6

SHA256
806d2230612ee9f8ac1888b609ece11f765af29c932709a32417fd983fe3b00c

SHA512
7dede3fa7473554e54b663194bfd2de994c3c818f17bccf8a131119fc8d7a1f1b2c36d1d82171deca2fc99f4c54567e00ca120e31b2866830675cc994438acf4

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
42KB

MD5
99e428a57e19226ce9eee3dfd72b25fd

SHA1
efe105d3a2ebb13a2ae7df25e10c6047304fcc6e

SHA256
16a4d2e229474d8eb4824858c100e94908cdac62be838dbac97c364183a91b86

SHA512
59075686c3d0e79b9461861f3f43029fd8c2e9200347daaa0ec0c01b7d530c3c746f56d8077c43ded1951bbf378a44d6e52a4cb9401f8f0dded991127011e0c2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
42KB

MD5
8c629f2af9f477a56ab5097313389695

SHA1
aa8caaff46fc609287eb14bdbedeeb39edb57a34

SHA256
d36630be96f30953821fd7d3759eb65133694a0700840cdc10b110eb0800d17c

SHA512
bfa1ece79491717868293849159a8ab4728b6540fe1feddbc2005442448c136b282a547fc319cef8aa51ca1e222b95b14240ff88747a194b14aaa473b431e532

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
42KB

MD5
aa4ac1791737846cd3a0f985acc6410c

SHA1
7c2b6061e7362cbb19140a3e94c386235912c13b

SHA256
f05bdca86dfefc5ba79665e433078c0dfaf7269ca0ba82574603aa8065031708

SHA512
57f073e83bcc1dcb6144b6f6db8b378b7ac7a4212ed053594557b4e00db47e62fbe2381aa65be94966b1c0989c0b3b91b375282549935d4e0ab72272e149ff8b

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
42KB

MD5
f840359f293b55233651de48f6a9b656

SHA1
b53f3e27457f69bcd1ed786591c82d23d1e2101f

SHA256
4e03f94c1f46e1b0bcafe34d70d5f2c17881ea4d8b6e65d2e59d06ba7194da93

SHA512
b02caf8a0805245aa90641b4be3acc45bb0908768a860da737fc25c1f9b9ba0410e86fc1249771af9040dedd45e9a37e281f42df1c14c3e5ea68512c79cf9a2c

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
42KB

MD5
73a781c31e6c9549f4936e6687ac8d22

SHA1
dbf84bc2943ba3ec73d292bd87f5a467a0e8b830

SHA256
59969a047e67a695082f60351ee8354183a782dfc82e63461e794b8331e80cfa

SHA512
e67be7e395dc216897cfbb6130b4e7319f6b3de8b6e6938b6b10a3db81deb7eac33f678611961d55bc64afb3213e7af3566f85f5c1c904a229b40b38c6dc20e8

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
42KB

MD5
f779daf39a76581cd5966ca1e13ba5be

SHA1
2e73b49efc038ece46b6934355af9f6d5f51a9d8

SHA256
c7b7ed5cbc9dd223e3bea92e55dacc0f3e519fc983168b9946089848a1721be1

SHA512
c2b4e7d315c589d666fa2162d4665980e196bb02b3dfe76fd7d87e907d48ab00227fb5b9c70dbe1b41598b128c58a650118fe43545d005a7504521f08c06c820

Download Submit
C:\Windows\SysWOW64\Odbgim32.exe

Filesize
42KB

MD5
7e888dd04437d4cf27da7e0a6d10255f

SHA1
11ff99c7e48840b297a189266f8aa57fcda10d11

SHA256
6e4b5c55a2f09f34a93bbc435c74e0fa173e00c84728af2536d861742139b6e5

SHA512
df36b1a49735f2b4a60119e56a3a1b3647b7b08de34da3e90f8d5690f9f21248d4b1f2206a961e44ab24ef4ee6e6a327cc470588c5ea50daa5f3addfd315cdd6

Download Submit
C:\Windows\SysWOW64\Ogaceh32.exe

Filesize
42KB

MD5
d6c407944fbc6eb899d0bc48321ea01c

SHA1
70a4b430d11f8779188550e8666ddfa14faa0142

SHA256
82e68af887030d9be51da1a672a41877583f6744cdb95ac4526fcc14400ca633

SHA512
e41ee63461a99260911153528622d9c4add382de963c8325d88d2653b2961e472ab1f8380874f3a5264d0040da84f8ad1bcdd5da0ed288d5c6ddea743f7a1cb8

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
42KB

MD5
b0e13da5a5d909ec6d7c861c18503a24

SHA1
d46dd1f9f15ad176a99d0a34905834969680c4b3

SHA256
6a6765393f6dd65a76b532d59006ee1d4a5e7260f4c07374f959cb87a1a3c382

SHA512
702f24dee522071db98f856d255ec199fdc29c719f2ab523afdd3a8426750c3a6845df957471397134db4d393e9f4f4c5a27bb620288d192464313a7dd32fb93

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
42KB

MD5
f264b79628886757391634115e8782cf

SHA1
31269b12379e40ec2be6dafd26fcb7c245122416

SHA256
f0b494b8e260649d3cd3b68da8aa4515c6afc42d0f460f932ac3784039777f53

SHA512
d8f6d688fd6d4fbb6ef72655d8f3635bca9a23bc88faba9ce710cc9dc1aabbe551e7995b26eb703f2341fe536ec9211b04506bc3c1a0f5f656f595de6f3e524d

Download Submit
C:\Windows\SysWOW64\Okolkg32.exe

Filesize
42KB

MD5
adba5281eb0c988434ae3a04efdbc70e

SHA1
df9f29f8b8f115ac6ed1df854070d4e9a638260f

SHA256
452c2272dbf52cb7ea60a2dd9cd6986fe554c16b3b24481fc477485bfc41f77f

SHA512
d15d78975c8cf2c4c0214a3662915843918511d4c99351cfacb05ad825545bdcc9499917f7a84b5a4a2323d0dbb8464fc9fd98963bd0e59363803a02140dc9f5

Download Submit
C:\Windows\SysWOW64\Onholckc.exe

Filesize
42KB

MD5
cb7298f5d9a75e1a74c051c031d06029

SHA1
f9977aa7f5061701a87185ddd9ed5cc89b71b692

SHA256
67f2067390d9c7b7151324cc7dcf2becbe5fb73f6fc287a4dc632027b9450705

SHA512
63470a52e8707048f1caaff6bd471827f8271557226636dfe0dd655856d45b6a0ab98355a6637c31f664405c82b561f2cac0eb1d5a48952e50dea68ee4a81537

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
42KB

MD5
3679b9d58507850faf1a4f54759940e8

SHA1
e3f9a67cc9da3dad784cc0cb704011efebfa5587

SHA256
57627521ac7c65e6180b12440a95389c93caa1fcc0fd720835c1bca5ec1609e2

SHA512
4bc0b38b6f5f667bf759f9490300a450a5f362809a12b9aaf26fce8b990ef22695d17add58cc0fcb6fc4edcbdaefe5b136e35dc0c6975f87df45555654161e27

Download Submit
C:\Windows\SysWOW64\Pabkdmpi.exe

Filesize
42KB

MD5
4eab95321168edf9156b63598a654957

SHA1
505ff90e5b37f9de01aee3927263e4e8c9666dfa

SHA256
b89f9e1275ec197f633cf1254749ff3843a5ee403c8f3c41916945edef0188d5

SHA512
cce9bb77d0b10a34c26750124c20db160be510aa7e9d5f94676e04c5da1b634de10dac41cef5b57dc86b4a1727a29d4ee3ba0f22f39c0768f8e4545b4b336bd4

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
42KB

MD5
6899cf4178cceadb098127a5335ae72f

SHA1
dd4a24a49693a6aa138cf2d0c147b5b6f4e9b87c

SHA256
430e7218dea8774cda34e79dd04a7e01f58568d5a48f06ae9b97c369efe87745

SHA512
264aa02e91079d17e8c1ae2ba51b2ee4991cc3daf605f7322b6e1adf505a5b623d191434369a8cf00ecf789042be61b180587f29dbb42c81869a0dbdf20f3806

Download Submit
C:\Windows\SysWOW64\Pbkamqmd.exe

Filesize
42KB

MD5
0c8f5bd82107f4fee24f29d6c56830e3

SHA1
097190683be3d31084210955582acd20fc67f43c

SHA256
8ae4952405ce34d582ba33c5d82a57f508dd49585289abe60aea7df0b2e8fcb6

SHA512
d72c669d6e868f644befded1e9321e8413c31f9844a9b78e1c91a7a213ce813739dcbe10f9946d6809f1543d4584c7d0b7ebaebc8e59b084908762ba135462b8

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
42KB

MD5
ec9c572d04e2714cc7959b9f0daebc71

SHA1
1af71343bd58588ba1d53162e39cb2cdbd696f5e

SHA256
351506133715d60251c2e783c509b4bdab9e821b0740b44d258974fe461162e5

SHA512
7cff74c84ea3a778e1da1b3f46c43d07e3c7cb93456bde93d5c9570147bbad8260d516deefbbcc0e1a79783eb4b3bf656a397f638c456b908030a5cd80fdf10b

Download Submit
C:\Windows\SysWOW64\Pcjapi32.exe

Filesize
42KB

MD5
fc55259a4de9bff518da3699011ab77b

SHA1
cef10a4057c0c730a811819c576fbcba02571d92

SHA256
5b3c8f66466cc470fa8980faf51ce0ffb65b910765bcdc5ba422ffb1cee82808

SHA512
c4a0c8c73ed71ab3bfe915616d5a81da14e7de1d091478296de6572f05a0ea09d8271ee8d4749c895431d8453c0900c43b921cc9aa3faac4d57f94e256b9622f

Download Submit
C:\Windows\SysWOW64\Peljol32.exe

Filesize
42KB

MD5
35ee59bb6c1fb5252be2e9cc29c7e56f

SHA1
12e7a7de5ef52546a01fb8ed53455ed29dbaa45d

SHA256
5b83853ac77af511533dbf5c145af8d7675d156fa943f572db78a29a3523d77f

SHA512
23d9941a3e512850b928b9484b9b33c2d0fa01d1e70f76deddc4415f5aa116d4cef9f38e9f9b1a9d5ba39111dc9f57aada14ddf223d8a5e32dde32af0fe4e1f5

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
42KB

MD5
957263ae74a7d44f5599dd06665adc09

SHA1
f6e30641e62d745c7466c701e50ffff10b677010

SHA256
5adf919edf1088d81514bdba9394b694c31c364e145e90442f8b0607e29103d0

SHA512
9a42b56ea2c42e61a07c8fde3e695682de32e2ffe897af8e74e739831e529a1181ad8344e916d3c20352b01026f51b53e71a5396fe03dbd9cd396d58d644f5db

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
42KB

MD5
1b3ab50bd35139a8d699f71b7731f40d

SHA1
639d613669cf69f375f68051a1d8a43f75dcc781

SHA256
19be3570bf05db6deca976320893db72981ff52f06d7c01ad4d70688c08177ae

SHA512
4127adeca1aa7982a522ebfc82119af52e322b2c299a3def1e4ed12e6c47f6a753386f4a921bddff515e38b096b54e2feac1b489d6dba17079b0085e034d47be

Download Submit
C:\Windows\SysWOW64\Pgjfkg32.exe

Filesize
42KB

MD5
9a7150f7b80f291d6153c021d576d282

SHA1
37a7735889ccf59a56426df82b3f1703c08add64

SHA256
b4b74ea00f0ea7df07aea324800e23e8108455a1d8239dec63af8b16d58e390c

SHA512
af0c8ed4aedf45daaef8349e5973d75084de16fb3125d2b392a945a049cf0a47faaf1a8d7e6dd6ac082f6dde61a828be18a28f0004effb427cb30bc1deccab9d

Download Submit
C:\Windows\SysWOW64\Pgmcqggf.exe

Filesize
42KB

MD5
351c7235b8cfe2d7e0a834c031c35827

SHA1
0d5777c74eddcbef723a7a32d2a0413d0bd14e8a

SHA256
2eb41dc1c2917cb9598fef5baeace5345f24029c2f2d420fa0ed9b276b1900e6

SHA512
b346bd17e9c099f4e253df2e18bc9e945fc995b02de55e1fd52232cff68c34ef435f23cc5aad8ec4a9aa97d5f13f03017f57f9186ca2b958b06c3a68d5ff4b4b

Download Submit
C:\Windows\SysWOW64\Pgopffec.exe

Filesize
42KB

MD5
831353751f0baec67d4463168eaa34b4

SHA1
ae2984c69c55fdda4aa93a1a1dddaf9688872fde

SHA256
572eda16ed7ea4af03059ff5a10368fc0ab4141ddf3459311fe7371a01c292fb

SHA512
957b82196a6ba94665b34c489e2bbf61b38090d5a189724e6ace796fdcdffc4200f871f4127c0177d32e2765403c6cd68d59ba9b8597759f86741b60d919aee7

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
42KB

MD5
8e8f876de4c74dc1f4ae2a2c8fa8863b

SHA1
1db9c3b5d3f48253921f839f4c44cef9317e2cbf

SHA256
1f7608cad5f0e1da8f70f318e70398b8facbcf1cab780468c7a869bb635335b0

SHA512
c3c4f5f569135c4d2dd87f5c2509fcb8fcd1dc9e3db3651dd8bc57bee013855fd37165154c54ed08c41b2a3f5f64aac0937327fab93316dc4dcd9bfb7c161732

Download Submit
C:\Windows\SysWOW64\Pjffbc32.exe

Filesize
42KB

MD5
c0bee6f7d42533e6d0a6861ea36530af

SHA1
60567b7ef2c19ac1233f4f87890d42b0fbcf785b

SHA256
9d20e638d7e205cce67dc3774b07aa47a7168738de28a75c6530c2a84527cdc0

SHA512
49a52db034dd131b3c5932e5d63f66bdef5fa9ec098e7bcfb97cb329a422de57ef336b5bbf9a8a3685b40cb571d447b6f4c4015a89d4442392ed57a503decb3b

Download Submit
C:\Windows\SysWOW64\Pjhbgb32.exe

Filesize
42KB

MD5
fd2fb4cef1325b1120f3d49077880c13

SHA1
b0e11f628c782ad7cff3409aceee1edb7e533fdc

SHA256
62f569e7e34d740a6c1bf051dda309136429cfedf21f5d78e40a9f76a0bfbb7b

SHA512
7a937d6abf83433fd2ab26c21b81c587c3b05595e0aac23fe30c319e85ba1dcff5d8cd177a94d8c7c5d3326e7e0eed20c381041b899873bdb182bf0f3e0f3c26

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
42KB

MD5
87a19b8cc857524acea02cf3d37ea003

SHA1
da400fde21126651abcb55e08109b1aab33830f2

SHA256
9cfc6db02066c85267ea912c910b2773d586ff15461c5c8b19a82c3962b9a107

SHA512
e1727de1238c5eb8d4b879819b69610bf52b6a5646a64dd0f99b052a34ac398d48666e839616441b1455585b6e4bebba6b41540194622636ed0f78f687180503

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
42KB

MD5
55d3419df3e3d94c838f5f82407d5684

SHA1
7c2e80594d4f98bf350b3e0af4e719e11de16e2b

SHA256
d40faf0f22eda174b1d6ecb2596dc95d27b7bd7fffaa2f1c69ac59f33c8f0695

SHA512
aa191d0096953a0a0090cda535f909d49dd0bcd73a0e9adb6bd63e5a2c2b486f427eebd8323b77b4c52892caeece9de7c7dbc0fe07ad7373095d3428137bb61d

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
42KB

MD5
93e09c6c123c77bd02f5358abacb228e

SHA1
9f7d94a5fd3953c0bd0fa4aaa6aa9b7c6d680c0b

SHA256
4a3117c1b36f2bc10b14293c06a75dd5d10b2c9978ab6712795ce07ba38a96e8

SHA512
0953a87e40ae3f1a0ccb4078ddf4c41a4c8a46807d21e74f60e15ab8ab6e4f26f181d2c813caf4dd69f6189bd17554dd015ffcd9edbc03b8e442268f3b96d827

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
42KB

MD5
a38e30fd919d1c0322937852356d81ca

SHA1
7bd1106a91c48fa4c9bf3acddb0656e6d6008c38

SHA256
a704d73e978f758c91b317a4cba2026e0007f309e1a6dc6359608883ed32518a

SHA512
e95c181ac19a810e56899717eeaa911cddb223593a99f1fcebb432cb278303ef512fa3fed6fe76dcaada74f42e4f02a0f68e68849bc9375774cd63e646cd3aab

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
42KB

MD5
fab152d1b21b544b18e41ccc632af668

SHA1
dd9d8334bce9568d5baeb4534294b808a44dcc69

SHA256
6a8bafeae64692d3d9d7df3e0d90c5216cb331ec1bf0dc954c39d3e235cad97a

SHA512
443dff38a378366acc767ef5d12b4c92be12367990ad45f6f4fe87d475c69efed462f162af8514d4259defa6ca41571919bdc8fb9d1e7d281d2b282dce5f014d

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
42KB

MD5
6859def7d31839b00fc283a922961c35

SHA1
823da3114cba43daf476804c49c9775274a405c9

SHA256
c770c1705fc51febfe2d06ef474ed8203c5c7ebdc2321e8d8025a062de21a586

SHA512
16f0ee1f49eb554b4cb8a95dcdb304643d945697bd4c03129ba4999f5cff44780caa5a67fc453fe7d5a256d1de75fb72065865c40c15fd2fbbfc077dacd5cacb

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
42KB

MD5
9187154da98cf9c3848590514deef218

SHA1
9049b0a3f33db512685db6b1117a3d0098ae1b3e

SHA256
7ae4d247aa0f402411f0535c78bf0cda762aea0bf70b797b85be5f339a16cc13

SHA512
1ff2949efb026c488659d22b9d60e454c86971ae10500ff1515f3010c4bc7343ca10536bcfb6640dcd8586508cdc93085efa2ae94763138bc36521ead8dc5bfa

Download Submit
C:\Windows\SysWOW64\Qkmhlekj.exe

Filesize
42KB

MD5
daaf82fc144cb272b5d2e37f6bd76c12

SHA1
e7e49ae57a5783025f7b43abb5868c267b0c99c9

SHA256
6d9588287e59391a8e834e723344051b1af73c5685920437eca89ff479a9e27e

SHA512
cf8f3cb366e4c2af13eb0a4d4bda8ddab3b5543d444129d67b93fabcbe8bad2933a85876d4cecd69b13deb1048418dda0ab7f34e0a7275de84eea26853e68b3c

Download Submit
memory/212-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3760-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-597-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5144-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8792-2243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads