b8897502aa4289e437c6d7354ff29716f173d27be53df4d65ab9bc7ed8130ef6

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe
Size

80KB
MD5

058295a33b3d7ce68b4ecb75a494df70
SHA1

a24430e1e0a96410947dfea43d319d9f7982d25c
SHA256

b8897502aa4289e437c6d7354ff29716f173d27be53df4d65ab9bc7ed8130ef6
SHA512

a937bdab2260d3bcfc508f6ef79cf75ad0de8870ed8b9c1faf11bfe9c4bd9993ef979f24927bb413f06092e0c800cc4e3b230fd64fbf4ad368210050064a2155
SSDEEP

1536:aGDuOAvJyaV9NzOgLZe7brutH9J+2L4qJ9VqDlzVxyh+CbxMa:OtvJyg9NyWGqH9JD4qJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hleneo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkomhhae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moeoje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjbhph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhbhapha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhlgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmijf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbiej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijngkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcgekjgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfaenfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcgekjgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgpibdam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeneidji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbiej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jflnafno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghojbq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidbgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migcpneb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmijnfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfjnhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhopgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjeibc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Limioiia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeneidji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmejp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqdlmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feofmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppamjcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gklnem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpegkj32.exe

Executes dropped EXE 64 IoCs

pid	Process
948	Mcelpggq.exe
3600	Ocgbld32.exe
3392	Phajna32.exe
4896	Phfcipoo.exe
3572	Qobhkjdi.exe
1800	Ahmjjoig.exe
888	Akpoaj32.exe
4336	Bhhiemoj.exe
2360	Bpfkpp32.exe
1624	Baegibae.exe
4548	Conanfli.exe
3268	Ckebcg32.exe
1448	Cpdgqmnb.exe
1004	Dddllkbf.exe
1884	Ddifgk32.exe
3484	Dgjoif32.exe
4244	Ebaplnie.exe
2224	Eqgmmk32.exe
440	Eojiqb32.exe
1100	Fnbcgn32.exe
1176	Fqbliicp.exe
732	Fbbicl32.exe
4436	Fecadghc.exe
4520	Fiqjke32.exe
712	Galoohke.exe
3872	Gkdpbpih.exe
4612	Gacepg32.exe
4084	Ghojbq32.exe
3352	Hioflcbj.exe
3184	Hbihjifh.exe
5048	Hejqldci.exe
1852	Hihibbjo.exe
856	Ihmfco32.exe
4228	Ilkoim32.exe
2844	Iehmmb32.exe
3652	Joqafgni.exe
3584	Jhifomdj.exe
4804	Jhkbdmbg.exe
4956	Jpegkj32.exe
2272	Jpgdai32.exe
4064	Kpiqfima.exe
3260	Koonge32.exe
3012	Kcmfnd32.exe
1052	Kabcopmg.exe
2028	Lhenai32.exe
3280	Lhgkgijg.exe
3620	Mledmg32.exe
4156	Mfnhfm32.exe
2296	Mjnnbk32.exe
2576	Mlofcf32.exe
4204	Njedbjej.exe
556	Ncmhko32.exe
4672	Nqcejcha.exe
4344	Obgohklm.exe
3104	Ojqcnhkl.exe
4536	Ojcpdg32.exe
208	Oqoefand.exe
4972	Pqbala32.exe
4340	Ppgomnai.exe
4952	Ppikbm32.exe
3804	Pmmlla32.exe
2836	Pmphaaln.exe
1088	Pblajhje.exe
3800	Qppaclio.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcelpggq.exe	058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Loopdmpk.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Hlohlk32.dll	Akpoaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojcpdg32.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Loopdmpk.exe
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Cnboma32.exe	Canocm32.exe
File created	C:\Windows\SysWOW64\Kkmijf32.exe	Jcmkjeko.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Lcckiibj.dll	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Oljoen32.exe
File created	C:\Windows\SysWOW64\Cpnhfn32.dll	Glmhdm32.exe
File opened for modification	C:\Windows\SysWOW64\Eoekde32.exe	Dlpigk32.exe
File opened for modification	C:\Windows\SysWOW64\Ifnbph32.exe	Igieoleg.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Lmpjmf32.dll	Gqkajk32.exe
File opened for modification	C:\Windows\SysWOW64\Ohbfeh32.exe	Ndpcdjho.exe
File opened for modification	C:\Windows\SysWOW64\Fgkfqgce.exe	Fjeibc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhhenhf.exe	Hnokjm32.exe
File created	C:\Windows\SysWOW64\Jcmkjeko.exe	Jjefao32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Iehmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Fempbm32.exe	Fidbgm32.exe
File created	C:\Windows\SysWOW64\Njmejp32.exe	Mphamg32.exe
File created	C:\Windows\SysWOW64\Nbjadm32.dll	Ejnbdp32.exe
File created	C:\Windows\SysWOW64\Llobhg32.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Hejjanpm.exe	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Clkaqh32.dll	Chfaenfb.exe
File created	C:\Windows\SysWOW64\Mhgfep32.dll	Pgpobmca.exe
File opened for modification	C:\Windows\SysWOW64\Odaiodbp.exe	Ngipjp32.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Fkloka32.dll	Hqkjaifk.exe
File created	C:\Windows\SysWOW64\Kmpido32.exe	Kcgekjgp.exe
File opened for modification	C:\Windows\SysWOW64\Qhddgofo.exe	Qnopjfgi.exe
File created	C:\Windows\SysWOW64\Mpedgghj.exe	Mmdlflki.exe
File created	C:\Windows\SysWOW64\Polnbakm.dll	Adpogp32.exe
File created	C:\Windows\SysWOW64\Kigmon32.dll	Mmokpglb.exe
File opened for modification	C:\Windows\SysWOW64\Fqbliicp.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Hjbhph32.exe	Hlogfd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiljn32.exe	Lfmghdpl.exe
File opened for modification	C:\Windows\SysWOW64\Mbldhn32.exe	Mmokpglb.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Fmnfcojj.dll	Fckaeioa.exe
File created	C:\Windows\SysWOW64\Fhbghb32.dll	Eoekde32.exe
File created	C:\Windows\SysWOW64\Hkaioiof.dll	Fidbgm32.exe
File created	C:\Windows\SysWOW64\Pgpobmca.exe	Pnhjig32.exe
File created	C:\Windows\SysWOW64\Ihmfco32.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Eepbdodb.dll	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Glmhdm32.exe	Fgpplf32.exe
File created	C:\Windows\SysWOW64\Ppcjmk32.dll	Ohbfeh32.exe
File created	C:\Windows\SysWOW64\Gnfmkhcj.dll	Pahpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lbcabo32.exe	Lkiiee32.exe
File created	C:\Windows\SysWOW64\Gacepg32.exe	Gkdpbpih.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Aeffgkkp.exe
File created	C:\Windows\SysWOW64\Fpdggeba.dll	Eeaqfo32.exe
File created	C:\Windows\SysWOW64\Achmpagb.dll	Fempbm32.exe
File created	C:\Windows\SysWOW64\Kcgekjgp.exe	Kjopbd32.exe
File opened for modification	C:\Windows\SysWOW64\Oggllnkl.exe	Omjnhiiq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7380	7272	WerFault.exe	392

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khfdlnab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqfcbahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnehfee.dll"	Mpedgghj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfahb32.dll"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakdifap.dll"	Foenplji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgpdifp.dll"	Gckcap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidbgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oggllnkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkaioiof.dll"	Fidbgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfkamk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlejao32.dll"	Bjhgke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjopbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfndbnlp.dll"	Kmpido32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmbfiokn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegmfd32.dll"	Fejlbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefgjq32.dll"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inkjfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckaeioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmkjeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihibbjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnjgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkabefqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nahakl32.dll"	Kmbfiokn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmijf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnhjig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hipdpbgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoakaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnhjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hojpbigq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgpibdam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajjjjghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehlolk32.dll"	Cqghcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcmkjeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geflne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abflfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmokpglb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 948	3580	058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe	92
PID 3580 wrote to memory of 948	3580	058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe	92
PID 3580 wrote to memory of 948	3580	058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe	92
PID 948 wrote to memory of 3600	948	Mcelpggq.exe	93
PID 948 wrote to memory of 3600	948	Mcelpggq.exe	93
PID 948 wrote to memory of 3600	948	Mcelpggq.exe	93
PID 3600 wrote to memory of 3392	3600	Ocgbld32.exe	94
PID 3600 wrote to memory of 3392	3600	Ocgbld32.exe	94
PID 3600 wrote to memory of 3392	3600	Ocgbld32.exe	94
PID 3392 wrote to memory of 4896	3392	Phajna32.exe	95
PID 3392 wrote to memory of 4896	3392	Phajna32.exe	95
PID 3392 wrote to memory of 4896	3392	Phajna32.exe	95
PID 4896 wrote to memory of 3572	4896	Phfcipoo.exe	96
PID 4896 wrote to memory of 3572	4896	Phfcipoo.exe	96
PID 4896 wrote to memory of 3572	4896	Phfcipoo.exe	96
PID 3572 wrote to memory of 1800	3572	Qobhkjdi.exe	97
PID 3572 wrote to memory of 1800	3572	Qobhkjdi.exe	97
PID 3572 wrote to memory of 1800	3572	Qobhkjdi.exe	97
PID 1800 wrote to memory of 888	1800	Ahmjjoig.exe	98
PID 1800 wrote to memory of 888	1800	Ahmjjoig.exe	98
PID 1800 wrote to memory of 888	1800	Ahmjjoig.exe	98
PID 888 wrote to memory of 4336	888	Akpoaj32.exe	99
PID 888 wrote to memory of 4336	888	Akpoaj32.exe	99
PID 888 wrote to memory of 4336	888	Akpoaj32.exe	99
PID 4336 wrote to memory of 2360	4336	Bhhiemoj.exe	100
PID 4336 wrote to memory of 2360	4336	Bhhiemoj.exe	100
PID 4336 wrote to memory of 2360	4336	Bhhiemoj.exe	100
PID 2360 wrote to memory of 1624	2360	Bpfkpp32.exe	101
PID 2360 wrote to memory of 1624	2360	Bpfkpp32.exe	101
PID 2360 wrote to memory of 1624	2360	Bpfkpp32.exe	101
PID 1624 wrote to memory of 4548	1624	Baegibae.exe	102
PID 1624 wrote to memory of 4548	1624	Baegibae.exe	102
PID 1624 wrote to memory of 4548	1624	Baegibae.exe	102
PID 4548 wrote to memory of 3268	4548	Conanfli.exe	103
PID 4548 wrote to memory of 3268	4548	Conanfli.exe	103
PID 4548 wrote to memory of 3268	4548	Conanfli.exe	103
PID 3268 wrote to memory of 1448	3268	Ckebcg32.exe	104
PID 3268 wrote to memory of 1448	3268	Ckebcg32.exe	104
PID 3268 wrote to memory of 1448	3268	Ckebcg32.exe	104
PID 1448 wrote to memory of 1004	1448	Cpdgqmnb.exe	105
PID 1448 wrote to memory of 1004	1448	Cpdgqmnb.exe	105
PID 1448 wrote to memory of 1004	1448	Cpdgqmnb.exe	105
PID 1004 wrote to memory of 1884	1004	Dddllkbf.exe	106
PID 1004 wrote to memory of 1884	1004	Dddllkbf.exe	106
PID 1004 wrote to memory of 1884	1004	Dddllkbf.exe	106
PID 1884 wrote to memory of 3484	1884	Ddifgk32.exe	107
PID 1884 wrote to memory of 3484	1884	Ddifgk32.exe	107
PID 1884 wrote to memory of 3484	1884	Ddifgk32.exe	107
PID 3484 wrote to memory of 4244	3484	Dgjoif32.exe	108
PID 3484 wrote to memory of 4244	3484	Dgjoif32.exe	108
PID 3484 wrote to memory of 4244	3484	Dgjoif32.exe	108
PID 4244 wrote to memory of 2224	4244	Ebaplnie.exe	109
PID 4244 wrote to memory of 2224	4244	Ebaplnie.exe	109
PID 4244 wrote to memory of 2224	4244	Ebaplnie.exe	109
PID 2224 wrote to memory of 440	2224	Eqgmmk32.exe	110
PID 2224 wrote to memory of 440	2224	Eqgmmk32.exe	110
PID 2224 wrote to memory of 440	2224	Eqgmmk32.exe	110
PID 440 wrote to memory of 1100	440	Eojiqb32.exe	111
PID 440 wrote to memory of 1100	440	Eojiqb32.exe	111
PID 440 wrote to memory of 1100	440	Eojiqb32.exe	111
PID 1100 wrote to memory of 1176	1100	Fnbcgn32.exe	112
PID 1100 wrote to memory of 1176	1100	Fnbcgn32.exe	112
PID 1100 wrote to memory of 1176	1100	Fnbcgn32.exe	112
PID 1176 wrote to memory of 732	1176	Fqbliicp.exe	113

C:\Users\Admin\AppData\Local\Temp\058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\058295a33b3d7ce68b4ecb75a494df70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\Mcelpggq.exe
  C:\Windows\system32\Mcelpggq.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\Ocgbld32.exe
    C:\Windows\system32\Ocgbld32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\Phajna32.exe
      C:\Windows\system32\Phajna32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        23⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        25⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        26⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        28⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        30⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        32⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        35⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        37⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        39⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        42⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        44⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        46⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        47⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        51⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        52⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        53⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        54⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        59⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        61⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        62⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        63⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        65⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        66⤵
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        67⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        68⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1128
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        71⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        72⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2372
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        74⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        77⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        78⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        79⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        80⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        81⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        82⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        83⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        85⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        86⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        88⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        89⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        90⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        91⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        92⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        93⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        96⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        97⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        98⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        99⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        101⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        104⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        105⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        106⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        108⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        112⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        113⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        114⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        116⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        117⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        118⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        119⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        120⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        121⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        122⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        123⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        124⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        125⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        127⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        128⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        129⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        130⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Eiijfd32.exe
        
        C:\Windows\system32\Eiijfd32.exe
        131⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Egdqph32.exe
        
        C:\Windows\system32\Egdqph32.exe
        132⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        133⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Fckaeioa.exe
        
        C:\Windows\system32\Fckaeioa.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Fjeibc32.exe
        
        C:\Windows\system32\Fjeibc32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Fgkfqgce.exe
        
        C:\Windows\system32\Fgkfqgce.exe
        136⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Fgpplf32.exe
        
        C:\Windows\system32\Fgpplf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Glmhdm32.exe
        
        C:\Windows\system32\Glmhdm32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Gjqinamq.exe
        
        C:\Windows\system32\Gjqinamq.exe
        139⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Gqkajk32.exe
        
        C:\Windows\system32\Gqkajk32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Gfgjbb32.exe
        
        C:\Windows\system32\Gfgjbb32.exe
        141⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Hgpibdam.exe
        
        C:\Windows\system32\Hgpibdam.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Hqkjaifk.exe
        
        C:\Windows\system32\Hqkjaifk.exe
        143⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Hnokjm32.exe
        
        C:\Windows\system32\Hnokjm32.exe
        144⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Ijhhenhf.exe
        
        C:\Windows\system32\Ijhhenhf.exe
        145⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ienlbf32.exe
        
        C:\Windows\system32\Ienlbf32.exe
        146⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ijmapm32.exe
        
        C:\Windows\system32\Ijmapm32.exe
        147⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Inkjfk32.exe
        
        C:\Windows\system32\Inkjfk32.exe
        148⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Icgbob32.exe
        
        C:\Windows\system32\Icgbob32.exe
        149⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Jeneidji.exe
        
        C:\Windows\system32\Jeneidji.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Kfanflne.exe
        
        C:\Windows\system32\Kfanflne.exe
        152⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        153⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        154⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Kfkamk32.exe
        
        C:\Windows\system32\Kfkamk32.exe
        155⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Mkdiog32.exe
        
        C:\Windows\system32\Mkdiog32.exe
        156⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Maoakaip.exe
        
        C:\Windows\system32\Maoakaip.exe
        157⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Meljappg.exe
        
        C:\Windows\system32\Meljappg.exe
        158⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Moeoje32.exe
        
        C:\Windows\system32\Moeoje32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Nggjog32.exe
        
        C:\Windows\system32\Nggjog32.exe
        160⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ndpcdjho.exe
        
        C:\Windows\system32\Ndpcdjho.exe
        161⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Ohbfeh32.exe
        
        C:\Windows\system32\Ohbfeh32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Abbiej32.exe
        
        C:\Windows\system32\Abbiej32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4760
        
        C:\Windows\SysWOW64\Bngfli32.exe
        
        C:\Windows\system32\Bngfli32.exe
        164⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Cppelkeb.exe
        
        C:\Windows\system32\Cppelkeb.exe
        166⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Cfjnhe32.exe
        
        C:\Windows\system32\Cfjnhe32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Dlpigk32.exe
        
        C:\Windows\system32\Dlpigk32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Eoekde32.exe
        
        C:\Windows\system32\Eoekde32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Eeaqfo32.exe
        
        C:\Windows\system32\Eeaqfo32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Ellicihn.exe
        
        C:\Windows\system32\Ellicihn.exe
        171⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        172⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Fidbgm32.exe
        
        C:\Windows\system32\Fidbgm32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Fempbm32.exe
        
        C:\Windows\system32\Fempbm32.exe
        174⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Gckcap32.exe
        
        C:\Windows\system32\Gckcap32.exe
        175⤵
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Hfbbdj32.exe
        
        C:\Windows\system32\Hfbbdj32.exe
        176⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Hlogfd32.exe
        
        C:\Windows\system32\Hlogfd32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Hjbhph32.exe
        
        C:\Windows\system32\Hjbhph32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Igieoleg.exe
        
        C:\Windows\system32\Igieoleg.exe
        179⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Ifnbph32.exe
        
        C:\Windows\system32\Ifnbph32.exe
        180⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Iqfcbahb.exe
        
        C:\Windows\system32\Iqfcbahb.exe
        181⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Ijngkf32.exe
        
        C:\Windows\system32\Ijngkf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Jflnafno.exe
        
        C:\Windows\system32\Jflnafno.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1252
        
        C:\Windows\SysWOW64\Kpilekqj.exe
        
        C:\Windows\system32\Kpilekqj.exe
        184⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Kjopbd32.exe
        
        C:\Windows\system32\Kjopbd32.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Kcgekjgp.exe
        
        C:\Windows\system32\Kcgekjgp.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Kmpido32.exe
        
        C:\Windows\system32\Kmpido32.exe
        187⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Kciaqi32.exe
        
        C:\Windows\system32\Kciaqi32.exe
        188⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Kmbfiokn.exe
        
        C:\Windows\system32\Kmbfiokn.exe
        189⤵
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Kggjghkd.exe
        
        C:\Windows\system32\Kggjghkd.exe
        190⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        191⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Lfmghdpl.exe
        
        C:\Windows\system32\Lfmghdpl.exe
        192⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Lmiljn32.exe
        
        C:\Windows\system32\Lmiljn32.exe
        193⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Lhopgg32.exe
        
        C:\Windows\system32\Lhopgg32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3328
        
        C:\Windows\SysWOW64\Ldgnbg32.exe
        
        C:\Windows\system32\Ldgnbg32.exe
        195⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Migcpneb.exe
        
        C:\Windows\system32\Migcpneb.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3340
        
        C:\Windows\SysWOW64\Mdlgmgdh.exe
        
        C:\Windows\system32\Mdlgmgdh.exe
        197⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Mmdlflki.exe
        
        C:\Windows\system32\Mmdlflki.exe
        198⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Mpedgghj.exe
        
        C:\Windows\system32\Mpedgghj.exe
        199⤵
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        200⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        201⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1640
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        203⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        204⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        205⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Oggllnkl.exe
        
        C:\Windows\system32\Oggllnkl.exe
        206⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        207⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Pgihanii.exe
        
        C:\Windows\system32\Pgihanii.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Pnhjig32.exe
        
        C:\Windows\system32\Pnhjig32.exe
        210⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        211⤵
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        212⤵
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        213⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Pahpee32.exe
        
        C:\Windows\system32\Pahpee32.exe
        214⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        216⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Qhddgofo.exe
        
        C:\Windows\system32\Qhddgofo.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        218⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Akenij32.exe
        
        C:\Windows\system32\Akenij32.exe
        219⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Aqbfaa32.exe
        
        C:\Windows\system32\Aqbfaa32.exe
        220⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        221⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Adpogp32.exe
        
        C:\Windows\system32\Adpogp32.exe
        222⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        223⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ahngmnnd.exe
        
        C:\Windows\system32\Ahngmnnd.exe
        224⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        225⤵
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        226⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        227⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        228⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        229⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Bjhgke32.exe
        
        C:\Windows\system32\Bjhgke32.exe
        230⤵
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Bjkcqdje.exe
        
        C:\Windows\system32\Bjkcqdje.exe
        232⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:464
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:380
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        235⤵
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Ckmmpg32.exe
        
        C:\Windows\system32\Ckmmpg32.exe
        236⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Cqiehnml.exe
        
        C:\Windows\system32\Cqiehnml.exe
        237⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        238⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        239⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        240⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        241⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        242⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        243⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        244⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        245⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        246⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        247⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        248⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        249⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        250⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Enbhdojn.exe
        
        C:\Windows\system32\Enbhdojn.exe
        251⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ehklmd32.exe
        
        C:\Windows\system32\Ehklmd32.exe
        252⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        253⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ejnbdp32.exe
        
        C:\Windows\system32\Ejnbdp32.exe
        254⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Eecfah32.exe
        
        C:\Windows\system32\Eecfah32.exe
        255⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Fongpm32.exe
        
        C:\Windows\system32\Fongpm32.exe
        256⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Flbhia32.exe
        
        C:\Windows\system32\Flbhia32.exe
        257⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Fejlbgek.exe
        
        C:\Windows\system32\Fejlbgek.exe
        258⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Focakm32.exe
        
        C:\Windows\system32\Focakm32.exe
        259⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Foenplji.exe
        
        C:\Windows\system32\Foenplji.exe
        260⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Feofmf32.exe
        
        C:\Windows\system32\Feofmf32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Gklnem32.exe
        
        C:\Windows\system32\Gklnem32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        263⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        264⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        265⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        266⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Hleneo32.exe
        
        C:\Windows\system32\Hleneo32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        268⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Hafpiehg.exe
        
        C:\Windows\system32\Hafpiehg.exe
        269⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Hojpbigq.exe
        
        C:\Windows\system32\Hojpbigq.exe
        270⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Hipdpbgf.exe
        
        C:\Windows\system32\Hipdpbgf.exe
        271⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Hakidd32.exe
        
        C:\Windows\system32\Hakidd32.exe
        272⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        273⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Iameid32.exe
        
        C:\Windows\system32\Iameid32.exe
        274⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ilcjgm32.exe
        
        C:\Windows\system32\Ilcjgm32.exe
        275⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Iapbodql.exe
        
        C:\Windows\system32\Iapbodql.exe
        276⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Jkomhhae.exe
        
        C:\Windows\system32\Jkomhhae.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Jjefao32.exe
        
        C:\Windows\system32\Jjefao32.exe
        278⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Jcmkjeko.exe
        
        C:\Windows\system32\Jcmkjeko.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Kkmijf32.exe
        
        C:\Windows\system32\Kkmijf32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Kjnihnmd.exe
        
        C:\Windows\system32\Kjnihnmd.exe
        281⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        282⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kbinlp32.exe
        
        C:\Windows\system32\Kbinlp32.exe
        283⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Kkabefqp.exe
        
        C:\Windows\system32\Kkabefqp.exe
        284⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Kifcnjpi.exe
        
        C:\Windows\system32\Kifcnjpi.exe
        285⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lmcldhfp.exe
        
        C:\Windows\system32\Lmcldhfp.exe
        286⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lflpmn32.exe
        
        C:\Windows\system32\Lflpmn32.exe
        287⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Lkiiee32.exe
        
        C:\Windows\system32\Lkiiee32.exe
        288⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        289⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Limioiia.exe
        
        C:\Windows\system32\Limioiia.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Ljleil32.exe
        
        C:\Windows\system32\Ljleil32.exe
        291⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Mmokpglb.exe
        
        C:\Windows\system32\Mmokpglb.exe
        292⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        293⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7272 -s 408
        294⤵
        Program crash
        
        PID:7380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 7272 -ip 7272
1⤵
PID:7328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
80KB

MD5
1fa590626f160e5d18048348c1e8b6cc

SHA1
29d6fa4021254c3bd7b6d5bd61365e1f725045c3

SHA256
4dc9324f18ec546e5029eec99b644d492fa7695af80829135a09befeba2f8f3a

SHA512
ab4319386ba067576f1642214b5fdebb9c083bc0345c326b37f58bea66f4a498139f660b90a3f081a47aebc1464d6f79e6fbdfa59fde2d7509047a956e82d469

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
80KB

MD5
3ed55e760d307ad4582aeee591ee9402

SHA1
5b2967981fd5733c9e1b1ef39cb9a6467e94d20a

SHA256
7331854976533e9deca2b749fab49dc6377bd47bccb711a118656820243054df

SHA512
465897134de40315d170950b691c21ac8c8eeb81b86730710d8142edb741c1b3b667f633c8db04f40c6508c7cf8c0ff71a54564afe4bff131db9723eb237da93

Download Submit
C:\Windows\SysWOW64\Aqbfaa32.exe

Filesize
80KB

MD5
b7988d442f55545e61f12e3795126273

SHA1
0954c11e55a90f2d492812d558ee605fb6ddcd29

SHA256
aae0e124ca6c856b44a3ec148441d4e48bf19b080e90d3624d6677d12a77b257

SHA512
9167afd9e24627a4bbd5e34379f4bb2c221ba72af648a1a9df49599e1c74d1335d0cabf1b679fda8d2378de40f8beceb4be37cf5661253ce865d69b26f6dadde

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
80KB

MD5
df9720a9267532bfe26a2f67290872b1

SHA1
a040cab196935b3982dbcb903d7f9ce01a5ca844

SHA256
6186511964a110f13a27bed49c8c4c1575e0337a201bbc559006912d23e9c615

SHA512
626ec3e4aec7533cddfc5258f6df15f602f1a836eff95dd6fca6b70676e75e0f52721dcb3a8896c3fcb5dc32489c4b84686dc6755cc94e74f3098cda11645653

Download Submit
C:\Windows\SysWOW64\Bbhhlccb.exe

Filesize
80KB

MD5
2c16a4fc4ef6a17028f9462ae9881bfb

SHA1
1f2ca6b2dfaa03de9313d60343f43ca90546d565

SHA256
070b216fc70355c10a6e8f8d7a331c9bcc0650813d75dfe07a8da047bb4e42f8

SHA512
2cc6d024fc615f6f8be45f1ac9cc8eb6b3f4d5de2e1635c44de6dcc94259428bd23c1cb27fd33cc1e7bad069a34db217b2522142ed67dd057f7a71f60524ee49

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
80KB

MD5
a104e0bbd02ecaf39c04c00db7d3f41b

SHA1
0bdbe1d9126206ec3b277261a7cb6faa85e806ca

SHA256
83c4c49c79ebf90e347396d3c0af8e10733e4db6b6f7f6aa7f1237673c38f078

SHA512
cf4a0a203d25985b5591ebd9c40e26dbd33fc28dac1e37c5f73cee889f3818959c40bb4cf55fd9d96b8ac94eb2d716b54dfeb052596844939c21d2c5a0f8856c

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
80KB

MD5
8a48adef41b82af29cef12586e288596

SHA1
57f30dd3fe088af056c77992a48d05938b602d75

SHA256
279560436734a90eb0bd663c25b5a27a6c75b963edbda3fdb4644a1a0d16d18c

SHA512
3cafc57140145b169cee1b02dc39fdb7cc8848730f929c79ad46e894011d3cbc255fe2bdb9ec93e441548ab7a88d33b4876f344ec11de9d255c3b6ef5c47dfd1

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
80KB

MD5
6ec20eede97166acc54c62cede30f154

SHA1
4625e49f73da532cf892e0cf1059ad2435c49fdb

SHA256
2c000380e034e03211e27a18b60551b24ac8268a5b42d530e5d3eb485509b883

SHA512
77997a14f92d49a513e2b1247f085d9f6da7cad64a2ec3cb49ba1228d9a47864fdfaa1a3abfa073814e2dfb25795dd3dca6012d37691c37c922df6ec94c55f05

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
80KB

MD5
13163268a539ea663e2ee1f7643cd8ec

SHA1
fdbeab2dac437167cf840f1d70ffd977ea31c8d6

SHA256
7c38a1307486ddab051eb1b2d4a69ebc472507d07c74e5086b74aaf5cf9383f4

SHA512
5a9cd740827b986ba8d4c00851cc58253fd490e2a6b87d1715c5bf43ee6676083b6b9b93158ceca74126d340be227ca4eb9eca3466ff8eb0f73ae6d3862f1bcc

Download Submit
C:\Windows\SysWOW64\Bqdlmo32.exe

Filesize
80KB

MD5
121412337334e7f8293be8505499abd8

SHA1
44461fda83ecc3a6ffdc89e51c6ead51ef273fb1

SHA256
49389a0eab9a98a5e07251e42202bad85c0d73b4593091a7a078c1abbc9f2bbb

SHA512
8a59d9f98002111b0acd5b95c402690482cbc6ec28bde8b20e47ad37ab085824a03874f42d4f4cee90c3b1647c0a2516760923f01fef217b3f9cd5c78563fb8e

Download Submit
C:\Windows\SysWOW64\Canocm32.exe

Filesize
80KB

MD5
7e803a5b78c59a48160fcd662bae761f

SHA1
2c4b859e59c3ea994f9ffe4ad5074a498d4c4a15

SHA256
42e613234b8fe9d9b7f1d66dc7cde13c758273bcadc74c2c70dab01ae27e3311

SHA512
a1e5ffa7ef580db35b2ce0a99c92a2bf9c6754eae95d020c240992f64f08b55a77846c5a315e3d6edd7024d3e1fac0e74e89a35ce581933b5430e1a71a2a8c31

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
80KB

MD5
4796a70a2ca03d938b906c89d8824b6b

SHA1
ff02cb3ff245b2fbff5a356c6de743927e1ab941

SHA256
0c00187d1d00dc6af768bca0b3bb518a248d3c16a52b206364efac30d07c10b0

SHA512
f3672c8f8e78e2e8f027f9ca778082f2a20f474b705c8c2c36703f2383231ba7d5a5aeab65850c3f6b3863fe7a5d321ab681f3a6b99d7331441534d4e3cc2e92

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
80KB

MD5
e913c97b5accf844ef5626ddde627583

SHA1
5826996e25c0ff960f73c47a08c1b5d05c067f67

SHA256
9500d603891ee10c1ead6f669fc9b70a029df906627a177229e88b2ebb3c9c8b

SHA512
3c4353d8205ee9c754bdd39241b401d9c49f9501f982c95d7aed78236bcd5f42af9479154a2276430245c60c3c7a73862e5849de86ce6bb733b729d930863614

Download Submit
C:\Windows\SysWOW64\Ckmmpg32.exe

Filesize
80KB

MD5
de9dff4e0e5a99287ba59d404d13ff3b

SHA1
7855ec26f0cfc94dc3e9bb46da7ead3c327f195b

SHA256
96d250c3d5e0bf312ab2b056d0e85c129de1b19ed78d951d175e55bf250192cb

SHA512
0388b5bdd9d62cf5962bde887413397a26c6bc31d241d40541f71196c544240f0aaf381d9b72a738bc2a519884a239cfc9f16f3109876c64573b0d29cafb52fd

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
80KB

MD5
7a982de6daf55d5901c40e1fe9cae0ae

SHA1
e2d68fe7119cde162a512f030ccef3b6e0aa452b

SHA256
f75d0668baf8100586379e18b485fec240f0aa6a8b90cb3765e8306b1dd5efa0

SHA512
b8a3e0f165622fa63ba72995df81f10c75a2893770258c5f17f531654b1c6b2de578cdcadb18d56d2127688a271e8bdda1857cc571abd4ba6c9a2c63f8a4dec9

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
80KB

MD5
28be09f84e7cd73bef88837f10207cd2

SHA1
ca850f2489edec8151f0c2de78365019da0eca89

SHA256
aa874c5f7b020c451864e4299860d3891639ed358b1044889545def38c863a6f

SHA512
dd6b37072e1a51fe1fc8343a8cd4269356984a2d0f8dacd6ae7dc2e17ca1c00b4890a239c507132ecd333f0554776076b55673ecf453f3c530376bfd40d4532a

Download Submit
C:\Windows\SysWOW64\Cppelkeb.exe

Filesize
80KB

MD5
23907d964f65b67315d004fc2a8a2132

SHA1
f4026651cfc08405da519c2002513b8b1962d30f

SHA256
ae8299400f3e95ce4cf4da4607a684a7e29bc9dd55966218351d4ee1bf2e8281

SHA512
6edbee098c5d51b8271855e6c1e53949d84cf9486bec400ca757dcc835b02ec70a1b1ee2b225a3d1ac43b120f57fd400ecea984ce819db7e976e11ed1f14d716

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
80KB

MD5
d2a6a78f88ddba5d4562cc9883d026de

SHA1
94a1674e62d9d96ca3ece04bff92e3fd54d39255

SHA256
29b1610306d7e4e62ad188628dd00469c707627022935ff6c925e196f3738f20

SHA512
55ebf57ee5f4e38cb9197eeae5ae52e29cf599f8db79ce7b565c39e2c5948b1796167ba628e29809dda4bffe24b252f92b0696f23803875ed0475cf69ebc1ddc

Download Submit
C:\Windows\SysWOW64\Ddifgk32.exe

Filesize
80KB

MD5
c82ecf7f08908f6d20cc98e2c8c2ecfb

SHA1
1bd487fd511f745c680b93e981b7ff94f77f50b0

SHA256
5a225cc7accfee13f5224241d3e2fea6a97cfd06a7e52ec8e8057df352c712e9

SHA512
dd737353adfddec309c024e8a9f8e2b72e19859712ee1a1c5aee88450907a2787f2d094b82b415f707b86d409bb53c196ec6852def04c256b97203b29e52e539

Download Submit
C:\Windows\SysWOW64\Defheg32.exe

Filesize
80KB

MD5
43c26b4bd0062d960c7e3d03a1373f33

SHA1
4e6603a55674e6b50367dca8d659f83a95fd9515

SHA256
75e1a2db8f2329692e1ef0382fba2bbddee056bef79f49460e13b517a1014786

SHA512
c42f8e38b9bdeed90c78b974d43d44488be16b59a41db7d05da0cd3c2e209bc580eb79f53e29eb3e23794118323f5bc11e8134734d4e1a571b9fedf40dfb0ca1

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
80KB

MD5
d643a3453a81c934d53d912666ff3fa1

SHA1
5a7bfd5505b6319a3b9e94e57ad3bc4c2c2ec31c

SHA256
1eed6ea56fe6984f02dbc48ef6d928d0cf7b4ecbb0ec6c8b245878ec8bdfa822

SHA512
44ed89287e01f0fc08aa52129da845ccbd2b41220a6bb1144fb81e917f7be2ee23a5e5bab0b6f6bbd4b8bcfa8b5f3451d0c55636f302cac09201d38e3a8ed9c1

Download Submit
C:\Windows\SysWOW64\Djipbbne.exe

Filesize
80KB

MD5
98ea669df6b8b5daffe672525a646926

SHA1
681e00924094d7ddd343b86e0bbcaa5b705a4fed

SHA256
72caca67e8002bccbf2b2c02063618a9c22096bc713d226274a8802d757e1b36

SHA512
f07ef3333ffe4ed81213c170468efd22b970710614f50563250eb9a6248b487fad21d292d929e14d0a36c999145bf67a88efc01f6227c98b11f1586ba2ad28dc

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
80KB

MD5
c48a4363d40011d323c07879a01ccf02

SHA1
6511aa1ac4747f4fb2b33252cbf25bd2244062df

SHA256
5cd7322cefe59c0bbcaa73bc39674db755bcecf767142241bb728788e5df10fc

SHA512
d334ec0838ff563ddd8cbf2e59c26dd581827275a0ba6761b1e5d66fdce07402ecd91531df54b72103134df4d848ffa67273125fab36bee8a1bca20c9ad41d70

Download Submit
C:\Windows\SysWOW64\Eecfah32.exe

Filesize
80KB

MD5
dbc7272bee33ed2db86bae477bb9aaf9

SHA1
f94161e4a3ba0305659997e3e152132e4360abef

SHA256
eafde610fea419c3fa1753e373cfe886a5c58286f03b720352e7cc8079a81fce

SHA512
b6b92b9b071788f83ee8010e5169d024d3e61b763b5ee78fa52581cebe020cffd361e73b6f05c768c1157eb415fcbbd0b28ffadc9608fb48ead9e9336b05f17d

Download Submit
C:\Windows\SysWOW64\Ehklmd32.exe

Filesize
80KB

MD5
ae67dfc593d3d3caae92edf83d8e2cd8

SHA1
0842ee4f47758cc393a711e0f3271124c72a8362

SHA256
15f58f00ea29209eefecadaaa2d78f993476f444058575736d7e45efc3247af0

SHA512
3867e7277df64b748f9d61fde31126760178ce6ac09ab571444b7a001732b10f016aa5bbdc29d39312cebe374ca573fd701195bc3d8fe8434c4c1897c0b69675

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
80KB

MD5
c187bc169a512fe4fc71a30b452e065e

SHA1
bc6a43ec2e659c7629d6d705ae30fad1dc609d11

SHA256
5d454d9b551af89571991a8db02ea95dc6d39a21719a210d6c66c3d5a0ec4474

SHA512
7bffa651396df82c55e9093ed14757bcfbe178b05b04c9860a6eeb3c6e83989a16cc4b61a24c1ef361ad3736269e476eff1eb49afe1c41b116870832943eacb3

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
64KB

MD5
2f4af552480facd11c75e7b2277ba082

SHA1
9f1c1102cfe196cd05360c90fd2a221e9b519edf

SHA256
3204ad1bb7cf2a908e16f572d9a74ac40b937eea7a1d41149b7b8ee08b4552fc

SHA512
67a53472f9842f288a31f8920e43a09753abc043d002023d61602a52b844db1bd26780757e36af88cbc1c0052c2565856536c10f6394ebeab961a4ddb3f57a34

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
80KB

MD5
3eccc6798b71c460b3f88cb1a61bd4d0

SHA1
eaac0fbd3837b5cbaccb04a87e4e76858e4494c2

SHA256
e14af901d3f7827c6bb2ad9f017a56271d9b82a62a37cc177bce7863be3fa38b

SHA512
a9fad8ca6445d549a5bbe7adae4feda82214398e52e721f932b1a8964ef02283fb50f4c19ad4c21aff2b21e5c66aafd5b7e518d562a545731221164b9fa16a45

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
80KB

MD5
f9f82086e7df75977c3360c3afeb8d6a

SHA1
1178bf6d0fa2b7064a038843aa598225b9e4dc22

SHA256
a84d7121fd5381b1e74902ab6eaac10e378d54ea63d7ee390c95cc5f108c4af9

SHA512
0913be0324bf5e1e5fca4b5ef970ace38b94f075f16e2135dd7000d1e2c60cc63f2389b41d436951b91e1f2bcaf2c2e36764dde2a30573b114db1b3e1d6d5cc8

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
80KB

MD5
1cf5a43abeae100dffb9df9a0badd923

SHA1
bee2482897f56f075f3c22d51830d919dc1394bb

SHA256
19f0c06cb4a98dab8fbf902452acc6b3ffb730205670a2ab25ffe2935224feae

SHA512
c61030c916e089f0dc3fac890538667ac210d50b0a898991a54d1edfc0fdfc0250f26c2a4b9c582df9bec8394d81425d5f8dd5f9a1175c033b5b1eae8af7f36b

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
80KB

MD5
1ddf53b8803e36113c54709e9efca670

SHA1
a36afa64cb8fee936a09a3cb37aa2770dca90a77

SHA256
98f37f98511274eab3f6ae1256da5410533d4e0ee72f0f0ab89dc3b86488964d

SHA512
d04ef1498ddfddd9ae46ecfd7d31e40ca33704c821e8212f65970a79021ac3a8158ed69d97af41a2fe14d5ca8f34983c23d12e11277b6fd3cecae0d2b0e8aca3

Download Submit
C:\Windows\SysWOW64\Fecadghc.exe

Filesize
80KB

MD5
caeb5af03808d8b2c59174ee66985b31

SHA1
24559ef07c12595dae5da89703c78e87ab663de4

SHA256
4c607a713498e969c9ab7cbd078d177851152f6a0406184c637fdb28c0465576

SHA512
bd5d33376bf01892ef343635c81da84a13bad75157a6539f6087c4c040a21e370fdc32c26829812bf58eab6bd71ac1e39bed2b94f0dcefee832df5a723cd5269

Download Submit
C:\Windows\SysWOW64\Fejlbgek.exe

Filesize
80KB

MD5
c3dc07b8b91abac72adfe12bc7241bcb

SHA1
189c048e436b6b245d3f04b363fa5fd627d0b440

SHA256
4507ce9b45770417f8cc550a07f8ec61e09d78ef571bab9d919da181428847c3

SHA512
50d66c1f0239f97fda7fb0126d378de62929cf03aaf4c1096cf0af5bdc121d0bf2517331227b38f4c26a70b08955af5e3cd472d807bfa98554277e5fe7a2463a

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
80KB

MD5
996a29858d238539cd22539f0a92b0c7

SHA1
9669d4edcd4a131fae6e5cfcbdb54c16b3d952b9

SHA256
df92b647894c1a36c3d1970ccde564725014fcc3f02e5abfe0f6ac38d90f8cbd

SHA512
43b17c9df6bf3d696779fc1b41b7691dde8b00148b98271ac2165e6bfaee37e1e7525eeaed2e6d1a28d702523cdfc4ab5f53c9bdd7842fab81346dec7472fc99

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
80KB

MD5
d7231144139aa23ecb219afc17256d89

SHA1
6d6e9b85418cf79eb580db2a20016a20a9a2eee1

SHA256
e82931ceb6c10ae8588b72274fcb50024181ca2c60e270ef82516ec3bace47b8

SHA512
5aa88c055c5dd9b2db952649337caf751ef9a91dd0a1113c873f7c700e9bb6798e272833827e30c3064c9b287ff36ea29933cd343b653837ddb6e49fc8013c93

Download Submit
C:\Windows\SysWOW64\Fqbliicp.exe

Filesize
80KB

MD5
461a74301d959614de248ceef84c67e3

SHA1
03507e1ecee92ebbd232f18abe16a8e62c8359dd

SHA256
e9b7f93e4f330c5dc887f7adac914a00757f9235bcabb2295a2a9572f133304c

SHA512
d02de50a0a329572dd3710e37b0d6759faeda92cb144687343ed46f8c6f70a9918e9abff0156110d374864b1b0ddad3716e506d3523172da12837692bbd97983

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
80KB

MD5
6f31b0076a2540ccef20b15d4db87916

SHA1
52bd63028925f62c820c1235ddbb50f867bd8cc1

SHA256
8417cf6640e92d8370c3ee8ef371880cb6c3d7fd523f414b1fc43a8aef97eba1

SHA512
a47eae734d0be4cbf6deb85e43362080dd2c4fcc1ccd4a715696b35f59b11aad0e1b9743156c491035681e6f173fe7f46b8047df29afa9fc5ffa7a5bacefe763

Download Submit
C:\Windows\SysWOW64\Galoohke.exe

Filesize
80KB

MD5
2f715593ca684b7845249178040694dc

SHA1
589236770396f12717546d86eff7912cd0fb63ee

SHA256
df0b92246376d96b3e3ab9bbb21e83324bd9bcc62087dbfc18c12001da8290b5

SHA512
ba255b804354ec72bca553d96fb2bc11a63a9e609cede0a05b71e8c896448670a0b96e4890a06d3164e7324d2bf2ea1f07888fd2571b2dce353123fef78c31e6

Download Submit
C:\Windows\SysWOW64\Geflne32.exe

Filesize
80KB

MD5
4707db70b9fd7a9b03da7a0576249ff6

SHA1
40a579616c8714c0d8030c15f177fd7efd14fc29

SHA256
805e1b2da8fa4c7f544023e6d15b2262aba6a0a035b7f9a0632043965600dbd7

SHA512
b601907939030501df0a64105def66f60ccf18ca57cdb77df6c09b99bfe2173db0084dee00a91e19a6c347c96b8c194aa7f9fdbfbb1aff719fb7909fb79f8d20

Download Submit
C:\Windows\SysWOW64\Ghojbq32.exe

Filesize
80KB

MD5
42623d10a2fe4294021d39369c8af5c2

SHA1
1a12f6729339878dc5070ce8e86c4554f03ce3b2

SHA256
88e49c51e1f19a8b37751a7b253dc527a1239b6ec16774354e5c1fd5cf8f1c8b

SHA512
60dc9e267d9bedde9150abcb422b79a9d9bc2851644b6c1fe1b144d5232f2dc5e773d7267dc384f5d0b7f9ac7f11e920112a4b9689ae8c4c50efd2b14461fab6

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
80KB

MD5
b1ad34bd7c82e1616f1dd5a9b31413e2

SHA1
bd41bd9059ce8ede1fdeaa7839df9b1cd846792f

SHA256
157050435f76e660f7628c5c59e7c5fed0b4b4131e5fbecaa378902137effdb1

SHA512
1e680f924a0fc3d6ec5b0bd13f2d5640bc66d42b407a8d13c23d68fe9915021eab72908fab656cd5e5f4c2efab1725dff4f0afedbaea63dffd8fd305913f5d24

Download Submit
C:\Windows\SysWOW64\Hafpiehg.exe

Filesize
80KB

MD5
76388488e6af49245c8a038080d2d66a

SHA1
f03a88d80e3cc9ac3cb64f5855fbc5863d5d555a

SHA256
3db155c83bbced7e8a71c29f2047a5fb74baaf1de14961d6423b8fcafeefa8e6

SHA512
b499aca22aba3e68bca6f69650f75c49a4a7b103152274f20ac542c7617baed1f4a07404ca0aed7cb7b3f5a8a87562743ce4ecfb36797bbffed9a8fcbb76610d

Download Submit
C:\Windows\SysWOW64\Hbihjifh.exe

Filesize
80KB

MD5
8c1394f779586a078c7197d77c585940

SHA1
8f2c172b84b22855a8a30df830b1476f1101ad97

SHA256
9892df7aa9c65a53dfe8162bc7d93da646d807db2eb84e8ee96c2a2e2587f483

SHA512
4d5d260c598a89c65b6cbda3882a6f82bc840c9ab43bffda49174337d066d4411298f3fd06fc2608cfdaebe3e7aa4f849d18de7ac8b810c516f6ea9d55fb59c2

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
80KB

MD5
35da55873019b5f587db694c7e00d2a4

SHA1
2e50498b6c2c91f88d233ace51809d1aecd06fe8

SHA256
73dc37feefd2bad8ae6f1749ce78ee436c6bda48653f09fe2139eb053a021a52

SHA512
2b98dcfd17d9d3cc82cc46b578072e8171f93293836dc3a803f74f7c3bd5500d28a583ccea6d5b49cc33534f3bcbfec5abec50915dcace14967387d492837c6d

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
80KB

MD5
b88293dc6787c670bd77e3d546a21d66

SHA1
7ca8ce6b1e8a875c3436d405a04abb71ed395d26

SHA256
e7c7cde686c08c75e899e776ca0e6c99f67f0d35f8f40ef349de6544730b247f

SHA512
8ca32b31cc5f7ba75fb805abb8a8ea794218026b8e48f372bf5f056e44a8c70ab6a3a6143461c71cc14e64b689b6cc8c5ac711a9a02ebd8e4bd8824ecff582bd

Download Submit
C:\Windows\SysWOW64\Hioflcbj.exe

Filesize
80KB

MD5
7de542e96e32b11b1918cb4bfef25e2a

SHA1
b5e18f661d2396b606df95ce278ce110e94c1a7b

SHA256
d0deef57d2dc6aec735e9fc06c03e3bf05fdaba3075b502718ee1eb790207119

SHA512
0f2efef1aa03f5039f7b824b36a0c570af2c359ee7d609dd3daba8807fee21bb6ce1b6d1f970d0bcf37028b1311dacd422819bdf24165dd21855ad485022c441

Download Submit
C:\Windows\SysWOW64\Hleneo32.exe

Filesize
80KB

MD5
daf4db193cfd9600f0a554e3f8429a90

SHA1
8cab24469dce1a4f8e5adb26f1bd5cc297159f92

SHA256
8329cd4595f6691a791be9f378ff13309d1908b641e1bab77159f820d3de686d

SHA512
13850107e04f9f6f617975a08ae227f6f05cca7c66b2fa62005fc1183b5cd101b5c6a757987c4a219fa4cc8c730ca959852c8c017e276051339939b7ecedc79c

Download Submit
C:\Windows\SysWOW64\Hqkjaifk.exe

Filesize
80KB

MD5
e9d94e785ab4063886d42700f25589f5

SHA1
ab3d2ea9c7d41fa7725d6aa53a4ff5eb916c6ec0

SHA256
f2acc409362b315f95554c4730d701fab2592ec5955ff699014421282fdd6cc3

SHA512
2f5a1e8b5099e86acd7ddb8690e632afba2bc79b7d3603f2606daeffc16d0738dd7977dd9be798106fdb3ff7b2cdd189ea07d5828751273a722c8f82ce41cf00

Download Submit
C:\Windows\SysWOW64\Ienlbf32.exe

Filesize
80KB

MD5
c3150023103b0511ae6f15d1d506e659

SHA1
c94ecf9c7614564871ac6e69809a101f5e18b2a8

SHA256
8e49785a50577094ea6faa010683488b042f3be2701e2024a27cca3727c42bb1

SHA512
810092c3bd2ab110d47c3178511b17a5579103219564056dcab48ea3774f1c16d6e2e0b502fd083d37e37eb5d0fb035c334f753d9f942ef5897f0f1b34edbdcb

Download Submit
C:\Windows\SysWOW64\Inkjfk32.exe

Filesize
80KB

MD5
b2a9497874be5959d3835bec1b807688

SHA1
53c3d60547843e6a43b95eccddc357d8367dd6a2

SHA256
ac1c68fa423d8238ad010d1cfdb10f78cf835b02ab1bcef967d88e4b563d3458

SHA512
2ca50094b8d8cd170b806077b256d0819c04561f2748e52a40b47f576bfb86acc4f6eef85263f9150c4b52fef97231b105052783a3187a0179e7500402e93f87

Download Submit
C:\Windows\SysWOW64\Jcmkjeko.exe

Filesize
80KB

MD5
cb97bf78885d9de3c1d25265c1393e7e

SHA1
1a62dab47795594144058f079a61a5264c0db488

SHA256
9645cddc15be66c8dd854fc0466abce4b0aa45e7f18cbe3318fee7cccaff66b7

SHA512
42b6f7c63c511f80f798ceeba11c75df32612fe9c64ce5483e9eb949023eceb184d93333f67321b1a32777d5b4416afb672b4c820ff322c5181f2753d249e72e

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
80KB

MD5
7fc6a1c10d31b0d054aa67531ef64fd8

SHA1
508221d2fe28add47fa5764d1309bc3a1e327c5d

SHA256
d0e867d78e244d54eaf2d9ba13bdbcaf36305f94720031d483d651f024e3e1b7

SHA512
4975e2fd91e8b882bd34ccd1d516e4f4e981d4e2533b815577bb19ae8caf370b601ac871dcbe0ec57cda11f4aa55056b65aca8f365c2116f79380ac6f50e6a8b

Download Submit
C:\Windows\SysWOW64\Jmijnfgd.exe

Filesize
80KB

MD5
6df3edbafc2146431531ea59ee0014c0

SHA1
e2b9bd281f70995dcedf0856e76e3a6462a8723b

SHA256
bbb8dec4639703f4795692b3e6171b6b2d384a11c1a2bd8365890363a5f1e574

SHA512
4ec353d4358209c0e0567e171b040bc786c36788852fefe512ed6b64825bacf066185e0100acdda54226a710ed594f5b614ca2ed8e000a68a44b13088285a706

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
80KB

MD5
eb123b7a1c5f8b3d950a4f0121ea40e9

SHA1
57906b202761f86e48443938101382201db49155

SHA256
6fa7aad0863a625346b2fc6065bcad59f4ea63199c3a61e0671993cf9d397239

SHA512
8e908037fb5485cd98e6ca50d22cabff4f31398e5ade2eece880cde22befd6b22152aab6bfcf7e5d7685b054745fd3bbb62c91d20c8551e797b7715b2a4a4309

Download Submit
C:\Windows\SysWOW64\Kaioidkh.exe

Filesize
80KB

MD5
2f99008236c971a0c47b349507008e64

SHA1
e1ced1cf93849b14e4d3146b34af249f7c2ccd6a

SHA256
c0782efbd0a3a476bf9b0b88d2a0e9039d4054614467ad94a7d0d2bc6cbf4e75

SHA512
5e01d239f4fafdf45f1d3c5ae001afdbadfec2615cdf27b81751bcfe1f20d6c9a79346f34d23c844bb2696f9bfdb329c9c5c538fe5a8d6b1742e15283088ca16

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
80KB

MD5
47ae47d7e8e3c83f333bd6a485256fdf

SHA1
af48dfa03ae2105908e51bb47162c36938a16837

SHA256
b08c307e95b9e92b5b397aa48d40c9795c642b9279d62d00ca19441ef5a5050c

SHA512
0b9f85c0b4c402156861b1aeb14508f2c25a018f1663e2dbca290ebd6c3e93e871a7192d0f2d9a755f69fbbecf68855840bb6a75a460f282160732d25079c8ff

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
80KB

MD5
5dabdcaa3daac599abf0790974df398d

SHA1
f7f8328155cf0ab4adf4b56fb68d9573a6967801

SHA256
0c7fbe18d9f09c694cb92a3ed13ac8d16f8b0f878f0dc4fe2472934a4b818119

SHA512
d897ad842e526d3fd57300d8f60e116c6be1a57709191b90a5b4c8f0ddeb4c06bbf95af44589dc7f9b11099391af0acd070faaeacd67c68a24848b8962273812

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
80KB

MD5
c4271d05538a698b220257bdb227fc9b

SHA1
a7ae096f90de2eec67579ff0289671dffdcbe262

SHA256
3b10a1f0492d79f033dcfa869e617851390b31f4cdf1cb08f71342c27e8c3ed7

SHA512
bc76337c549caf7c1285c9d964a74375956ebead7bd23292d3d98fed727b648442c7899bcbb046573ff6af40dfcfe5fb58ece52a588d9c10d55e6503f86c8586

Download Submit
C:\Windows\SysWOW64\Limioiia.exe

Filesize
80KB

MD5
5c9477d26bf283ff5da7e6fe8c6d128b

SHA1
067e6f401c97ff69559aa04296fe8dbe61bef1cc

SHA256
3c408a561606bef5811c346956992794cdd4bc69f5b46a95ec10fef02f49d493

SHA512
24a1d053e6b2a5bf848f3cb70d7dd28007de2111c5f0313d3078dfe93dd07788892b795587255d2d13b62193a7004e94cb9ff7065c9a7859a2367d4efa38f976

Download Submit
C:\Windows\SysWOW64\Maoakaip.exe

Filesize
80KB

MD5
3d8a8c5ce59ab9ec6e63c0abfe0e8b5e

SHA1
c98626362a2c930fd29cfb52eccc60c229607ff5

SHA256
7ab872c7fa7ecd3f5efc1e6e9ab332b882bdffe7209241d0d7e34cc747f48cb1

SHA512
954468ad1139ce8e5da98f29f823d7493d2bc8f2d21564ee7f58100cd4a2706124099d66e90bf22ef38d1901e61e5556d8f5363069747dbd873c42ce9e9284e6

Download Submit
C:\Windows\SysWOW64\Mbldhn32.exe

Filesize
80KB

MD5
c6036b856d3a6bfc1eaa97efcfd1eddb

SHA1
2e1424e7a934043364c2bb1da4656bd4c9ea2f64

SHA256
8302ef52a608338074ece8e9766c0dd52e36fe1dbd330551337ee219b9bafcad

SHA512
209ac66318e348dd79e108920b5db51729a56ccd4bf056eb1b7ed56df7267a84ca179999e7a23639001575715bc3b1f5d1e675cad291df17c7c5128871f5412e

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
80KB

MD5
6fc64c81db747fd4c1734452678d0c8f

SHA1
d74053a8a578482ccddaa817c58c449d38f47987

SHA256
a58d20b35318a96321e30b4a6120b981069592896ea830943e754db96102c5d9

SHA512
a847490535adda1b2a88c74ecf3459ecb0cfff601b1675a38d2bae68212b6ad9aa0b67df31b9da103d6c3706fae3bc9d5073528f04edfbed37d9d894f10a424a

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
80KB

MD5
f6dbc50c3776893735a7af64a760b95c

SHA1
43169cb879615be0a178a277c0266c87504c710e

SHA256
331ddf6504a2502745216faf07b9769d34f5c4839333a1f773af76160f5ecc90

SHA512
2b49442744c80d9f1e0308eafeea502e08927c0fe33cfba04950eac89cada6a3b6ef35d961b82c61fabbd9f0eb43b8fe950012772266a194377f35bf02455838

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
80KB

MD5
91e145fa5429b3d4472a7ac4e990b9eb

SHA1
47aabb3cd393fef13ca686f335bdbb6a15a72df1

SHA256
caf97a7f8093cb11befee5bdd279eb4ffabf7be06ce81709d933bfc3e57a58a0

SHA512
72e9abaad3d6604b41753c0ffa37f75e33458fd3a7f84469f019e0fc00225a528fc5c23bb97e8e24ef5ee32d6f21863466f2d68a4df1f056654b2afce05ec411

Download Submit
C:\Windows\SysWOW64\Nggjog32.exe

Filesize
80KB

MD5
d1339c4e94935ca00fe0bdf8ec9d6c13

SHA1
cf69f3ee7b4ac59bce1f339f68d91996a6e0233b

SHA256
232b6754d2a4ea132565fbda84abbca5b92c2d7a7428ded8013c877976213c8c

SHA512
97f3e7a2d24dcc329e1d667ed10eb3f3c56965ad7485458161256bd141c3dfdd982c60f43bf8a6aaeed8868768cdbc2ca5b0b64a0ce3428f0fb766c2869b1bd3

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
80KB

MD5
ba4197fc40c516b3e05ff3a5f25fde88

SHA1
438609228e137fea55b4e0809409dfcc47d8af2b

SHA256
e9238b8a9e2280011d3699bdf24150d22e66fe7e034e0e7dc28d55285a964389

SHA512
dcfc84bccb27b884d60e0eeeeca75f42a1b359098f6a01fe291ea4b97b2bac06eda7d2b03c20e56eb71b04c3558dfc14c8654e15308ba266e46e418bdd84cdd6

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
80KB

MD5
19daa063a23f3ad7517a65a21ad93b60

SHA1
4d1b899146054a02816ca62375876d11268ecc10

SHA256
cc93a2212befcf5093c51b21a1739cc81b660f8f6773130447a8e57c13f0e609

SHA512
2ee9af9db03480e8e358982475c399761ffc83b29e4288603ab34d40c6198da0bd031a4cabe9d37a6c0cafd81a345eef4f9b69bd4b1cef2179be816c3f2e6942

Download Submit
C:\Windows\SysWOW64\Ohbfeh32.exe

Filesize
80KB

MD5
3bfa979d92b001b3678bf22dcc8a7cad

SHA1
4e1037da00b96281af71d57daabd172e67f3135e

SHA256
187943b35a83394baf71c327c40bc072834a1a987da37d93c60b6500dd2a695f

SHA512
2101a3e04ce66a5f3617d53101740b1b6ca613fb8464e52746d17dd4f0b848b5aaa1f3122a32a4b77cbf2fdfa7cfc553dfb0c70e4ef67fd459556fed47ac985f

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
80KB

MD5
bde2013b549dc5a2a4688ca13f769074

SHA1
61e7c338c33876eaf2c19b48cec691ae322afc91

SHA256
4b39ce71269f16fefe421c3e274895dbe146950a7e1521d937c18ad96e07e5ca

SHA512
4f1a70f7f1db7adb64135b9be93ca94fe87e0be609b76452c723a2e77fe5770bb2a8b33b13ada1ebb07b874df7595e7cdbc16c87ebe7cb384f0fd6f44f2f7c09

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
80KB

MD5
00ef7c9069965c98eeb6319a94298eb0

SHA1
ac48c8e2df51bcfe334251d0f0222689be9a277f

SHA256
63ad3273ee770ab396b08c2d1e3f67ad7873981d69059c24575555aa2155c352

SHA512
22d623cc2ca26b1ce1461ee372e7a89df833664251067aed283840be62f43a7b8e36336d943a237a17d776741b6dfb72a5bd94b2a0e12282693eea3aba12d519

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
80KB

MD5
cbe1dc64a525c08529749787e8b01a88

SHA1
93ccc3fcc8111a0ab8914a48a7d0ddff492ad1b0

SHA256
649a4a1b743eb2b0dd37d86d039390a3a696a5037d811468087b3cd4feda2f42

SHA512
381cc5910b536a042882f4560c9263bdbb2e79352fc0f18a2e6994af8281c7dc04338756108ff54def08994f5f2c0984412f9146b0c69f0502af0c56bd2fbb88

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
80KB

MD5
ae753f9a15141a5bcd922e6fbf567ba8

SHA1
e6b8c4bbc3a3d889ce722f03d7d5ab029d2e1312

SHA256
0e70f798094c0478f40befda4c70e33cac889f1652c28e941d7000389ae52a1c

SHA512
2f53a3b632a85c8439412766d53d889a147fa7ac85454f65132dc19e609553bc86d2dd408a92aad5004f6d23c94f9441155be07dc2989b2ee872434a367667b2

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
80KB

MD5
a529623fbc43cce8d7a8312eb3431ac2

SHA1
423b8ca69c559e21206bb4604d74bc11faff1f47

SHA256
0e0fa5903560d17581065a276094e2da9089cdd282b1793f4ddfe5829d6fc846

SHA512
2fb735a10c6058c1fd7df8894a2c57cb27b849e495bcd5f6cd277bff8ba5bb60c5b69e162bbdcb34edbfd74dddf05ca80df6c766defea49efc8aa1626cd96f3c

Download Submit
C:\Windows\SysWOW64\Pnjgog32.exe

Filesize
80KB

MD5
98f5de260180ec52e0d813cab7ed1196

SHA1
5602d5cb85504d1f2f70e923e3ebe155a8c85ae3

SHA256
c77b6c09ae2fc5972c57a9479374b587fe474dbc05e3ebd2e3260021085d1f17

SHA512
22c73fc0c4b97eac1273f39456d156ff579c3da1bd2b321878df109e0531d1b3a55d23d452ee2a29b424f750712161cd251c5f1c7584b786de6ce68f76606ad3

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
80KB

MD5
2398e177a6b8808dd5a3d2102a4b5747

SHA1
1b5c8249fe8884d5d8a124668d9e2d5a05769a40

SHA256
8e56b257aa2e73c82cdd6876fe7c0ed052ccc511fde1e1ce9da7c86e38445415

SHA512
9514c56691e24bcca70876b125d1c0e11b126130cc0c28e59a8b9aee0507070baee7ac1c20e2bf42b3da4408cc59a57e8eb68555680095a8a44a2d7e163290a6

Download Submit
C:\Windows\SysWOW64\Qhddgofo.exe

Filesize
80KB

MD5
b619ee57ef429428626d4aa736791a25

SHA1
7a654948dd11a7b2d2966ebb812b6485354f3961

SHA256
a4bd0aabc0d297b6966644bb95b184c89022643ee0cad3ec8ac5f021ca9de7e4

SHA512
df82dd6fc7c1f80b04f1010e5f9211ba97a2242c018a507ab5a0df831fcd26881cd28045c6f5a0c7da34bb1427246806ad6fbcf09f8985a22f29974fced9b04b

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
80KB

MD5
e68e78ef717489c8c413cf0ab4491ae4

SHA1
95bcdceadc80eb3801765d9538795d759f7f685c

SHA256
cdc8fd1e9cdb75238ab1839e60de74b3f4f9345d33d1d1632a8d3fda9ff63378

SHA512
415d66c22a1227f1a506dcca0aad80eb461a5fe9bcda3baee86be2797b6051cc8b542942cfcca3f95a4e039bcce35554c6ccfee3940563431c21785f956566aa

Download Submit
memory/208-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/712-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3580-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5188-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5224-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5268-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5336-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5388-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5440-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5536-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5588-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5628-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5688-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5736-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5800-592-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads