8c8016e11b9128263138b9bd21acff71b76e93d992243fcb77d5f12dbe123b72

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe
Size

78KB
MD5

4ff8d32eeff4bd3af121cfafdefb9e30
SHA1

c58f5375123ce74100504e68743ae903965579d6
SHA256

8c8016e11b9128263138b9bd21acff71b76e93d992243fcb77d5f12dbe123b72
SHA512

8a08ae7b62b9e19bd114095b7fb91e8f4142ea717a2dbe8eb1a02417e8369677f094d44a56c29893cf85bbedf5683d1c4510856d9e7f49e6eb4483d89a3c72a3
SSDEEP

1536:HRgtyhCelkw5luB8UFaxOAVmoa9uhcQu0KiVSN+zL20gJi1ie:xgtOCelhuraxRmoa9J0KiVSgzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dceohhja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eamhodmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkhbdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhja32.exe

Executes dropped EXE 64 IoCs

pid	Process
3128	Cbgbgj32.exe
696	Chdkoa32.exe
3468	Ckcgkldl.exe
636	Camphf32.exe
404	Cdkldb32.exe
3048	Doqpak32.exe
3860	Daolnf32.exe
2180	Ddmhja32.exe
2068	Docmgjhp.exe
1996	Daaicfgd.exe
2524	Dhkapp32.exe
4876	Dkjmlk32.exe
4628	Dhnnep32.exe
3256	Dkljak32.exe
4200	Dhpjkojk.exe
4640	Dkoggkjo.exe
964	Dceohhja.exe
3020	Dedkdcie.exe
3220	Dhbgqohi.exe
1672	Edihepnm.exe
1896	Eoolbinc.exe
1388	Eamhodmf.exe
4832	Ehgqln32.exe
3788	Ekemhj32.exe
880	Eapedd32.exe
936	Ednaqo32.exe
1828	Ekhjmiad.exe
5080	Ecoangbg.exe
1284	Edpnfo32.exe
4424	Elgfgl32.exe
4456	Ecandfpd.exe
3464	Edbklofb.exe
2564	Fkmchi32.exe
1724	Fohoigfh.exe
3060	Fdegandp.exe
4076	Fllpbldb.exe
832	Faihkbci.exe
5048	Ffddka32.exe
1484	Flnlhk32.exe
1880	Fchddejl.exe
4488	Ffgqqaip.exe
3280	Flqimk32.exe
1080	Fooeif32.exe
2496	Fbnafb32.exe
5024	Fhgjblfq.exe
4300	Fkffog32.exe
1664	Fcmnpe32.exe
1844	Fdnjgmle.exe
1000	Gkhbdg32.exe
2844	Gcojed32.exe
4624	Gdqgmmjb.exe
4676	Gkkojgao.exe
2232	Gdcdbl32.exe
1600	Gkmlofol.exe
3584	Gohhpe32.exe
4596	Gdeqhl32.exe
1072	Ghaliknf.exe
4856	Gcfqfc32.exe
5064	Gfembo32.exe
4824	Gicinj32.exe
2808	Gomakdcp.exe
808	Gcimkc32.exe
3116	Gdjjckag.exe
4176	Hmabdibj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhpjkojk.exe	Dkljak32.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Daaicfgd.exe	Docmgjhp.exe
File created	C:\Windows\SysWOW64\Gdjjckag.exe	Gcimkc32.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hecmijim.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Iemppiab.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Jgbcdnbb.dll	Gfembo32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Gdeqhl32.exe	Gohhpe32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Iaheeaan.dll	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Djhgpa32.dll	Eapedd32.exe
File created	C:\Windows\SysWOW64\Ffgqqaip.exe	Fchddejl.exe
File opened for modification	C:\Windows\SysWOW64\Jbjcolha.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mhciec32.dll	4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Genaegmo.dll	Dhpjkojk.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Jcpfco32.dll	Doqpak32.exe
File opened for modification	C:\Windows\SysWOW64\Ecandfpd.exe	Elgfgl32.exe
File opened for modification	C:\Windows\SysWOW64\Ifllil32.exe	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ednaqo32.exe	Eapedd32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9792	9652	WerFault.exe	442

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doqpak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhbcf32.dll"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll"	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edbklofb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngknngal.dll"	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iemppiab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckgieoo.dll"	Dkoggkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqfah32.dll"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiaefcan.dll"	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdkoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll"	Fchddejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3128	1468	4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe	83
PID 1468 wrote to memory of 3128	1468	4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe	83
PID 1468 wrote to memory of 3128	1468	4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe	83
PID 3128 wrote to memory of 696	3128	Cbgbgj32.exe	84
PID 3128 wrote to memory of 696	3128	Cbgbgj32.exe	84
PID 3128 wrote to memory of 696	3128	Cbgbgj32.exe	84
PID 696 wrote to memory of 3468	696	Chdkoa32.exe	85
PID 696 wrote to memory of 3468	696	Chdkoa32.exe	85
PID 696 wrote to memory of 3468	696	Chdkoa32.exe	85
PID 3468 wrote to memory of 636	3468	Ckcgkldl.exe	86
PID 3468 wrote to memory of 636	3468	Ckcgkldl.exe	86
PID 3468 wrote to memory of 636	3468	Ckcgkldl.exe	86
PID 636 wrote to memory of 404	636	Camphf32.exe	87
PID 636 wrote to memory of 404	636	Camphf32.exe	87
PID 636 wrote to memory of 404	636	Camphf32.exe	87
PID 404 wrote to memory of 3048	404	Cdkldb32.exe	88
PID 404 wrote to memory of 3048	404	Cdkldb32.exe	88
PID 404 wrote to memory of 3048	404	Cdkldb32.exe	88
PID 3048 wrote to memory of 3860	3048	Doqpak32.exe	89
PID 3048 wrote to memory of 3860	3048	Doqpak32.exe	89
PID 3048 wrote to memory of 3860	3048	Doqpak32.exe	89
PID 3860 wrote to memory of 2180	3860	Daolnf32.exe	90
PID 3860 wrote to memory of 2180	3860	Daolnf32.exe	90
PID 3860 wrote to memory of 2180	3860	Daolnf32.exe	90
PID 2180 wrote to memory of 2068	2180	Ddmhja32.exe	91
PID 2180 wrote to memory of 2068	2180	Ddmhja32.exe	91
PID 2180 wrote to memory of 2068	2180	Ddmhja32.exe	91
PID 2068 wrote to memory of 1996	2068	Docmgjhp.exe	92
PID 2068 wrote to memory of 1996	2068	Docmgjhp.exe	92
PID 2068 wrote to memory of 1996	2068	Docmgjhp.exe	92
PID 1996 wrote to memory of 2524	1996	Daaicfgd.exe	93
PID 1996 wrote to memory of 2524	1996	Daaicfgd.exe	93
PID 1996 wrote to memory of 2524	1996	Daaicfgd.exe	93
PID 2524 wrote to memory of 4876	2524	Dhkapp32.exe	94
PID 2524 wrote to memory of 4876	2524	Dhkapp32.exe	94
PID 2524 wrote to memory of 4876	2524	Dhkapp32.exe	94
PID 4876 wrote to memory of 4628	4876	Dkjmlk32.exe	95
PID 4876 wrote to memory of 4628	4876	Dkjmlk32.exe	95
PID 4876 wrote to memory of 4628	4876	Dkjmlk32.exe	95
PID 4628 wrote to memory of 3256	4628	Dhnnep32.exe	96
PID 4628 wrote to memory of 3256	4628	Dhnnep32.exe	96
PID 4628 wrote to memory of 3256	4628	Dhnnep32.exe	96
PID 3256 wrote to memory of 4200	3256	Dkljak32.exe	97
PID 3256 wrote to memory of 4200	3256	Dkljak32.exe	97
PID 3256 wrote to memory of 4200	3256	Dkljak32.exe	97
PID 4200 wrote to memory of 4640	4200	Dhpjkojk.exe	98
PID 4200 wrote to memory of 4640	4200	Dhpjkojk.exe	98
PID 4200 wrote to memory of 4640	4200	Dhpjkojk.exe	98
PID 4640 wrote to memory of 964	4640	Dkoggkjo.exe	99
PID 4640 wrote to memory of 964	4640	Dkoggkjo.exe	99
PID 4640 wrote to memory of 964	4640	Dkoggkjo.exe	99
PID 964 wrote to memory of 3020	964	Dceohhja.exe	100
PID 964 wrote to memory of 3020	964	Dceohhja.exe	100
PID 964 wrote to memory of 3020	964	Dceohhja.exe	100
PID 3020 wrote to memory of 3220	3020	Dedkdcie.exe	101
PID 3020 wrote to memory of 3220	3020	Dedkdcie.exe	101
PID 3020 wrote to memory of 3220	3020	Dedkdcie.exe	101
PID 3220 wrote to memory of 1672	3220	Dhbgqohi.exe	102
PID 3220 wrote to memory of 1672	3220	Dhbgqohi.exe	102
PID 3220 wrote to memory of 1672	3220	Dhbgqohi.exe	102
PID 1672 wrote to memory of 1896	1672	Edihepnm.exe	103
PID 1672 wrote to memory of 1896	1672	Edihepnm.exe	103
PID 1672 wrote to memory of 1896	1672	Edihepnm.exe	103
PID 1896 wrote to memory of 1388	1896	Eoolbinc.exe	104

C:\Users\Admin\AppData\Local\Temp\4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4ff8d32eeff4bd3af121cfafdefb9e30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\Cbgbgj32.exe
  C:\Windows\system32\Cbgbgj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\Chdkoa32.exe
    C:\Windows\system32\Chdkoa32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\Ckcgkldl.exe
      C:\Windows\system32\Ckcgkldl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        24⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        28⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        29⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        30⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        32⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        34⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        35⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        36⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        37⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        38⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        39⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        40⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        42⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        43⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        44⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        45⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        46⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        49⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        51⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        53⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        54⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        55⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        57⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        58⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        59⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        62⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        64⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        66⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        67⤵
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        68⤵
        
        PID:732
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        69⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        70⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        71⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        72⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        73⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        74⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        75⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        76⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        77⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        78⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        79⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3552
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        82⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        83⤵
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        84⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        85⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        86⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        87⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        88⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        89⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        90⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        91⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        92⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        94⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        95⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        97⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        101⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        102⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        103⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        104⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        106⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        108⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        109⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        110⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        111⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        112⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        113⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        115⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        117⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        118⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        119⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        120⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        121⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        123⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        124⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        125⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        126⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        127⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        128⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        129⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        130⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        131⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        132⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        133⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        134⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        135⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        136⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        138⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        139⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        140⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        141⤵
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        143⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        144⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        145⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        147⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        150⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        152⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        153⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        154⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        155⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        156⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        157⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        158⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        159⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        160⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        163⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        164⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        165⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        166⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        167⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        168⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        170⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        171⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        172⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        173⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        175⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        176⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        177⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        178⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        179⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        180⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        182⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        183⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        184⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        185⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        186⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        187⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        188⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        189⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        192⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        193⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        194⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        195⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        196⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        199⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        200⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        201⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7272
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        203⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        204⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        205⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        206⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        207⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        209⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        210⤵
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        211⤵
        Drops file in System32 directory
        
        PID:7684
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        213⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        214⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        215⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        216⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        217⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        218⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        219⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8132
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        222⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        223⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        224⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        225⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        226⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        227⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        228⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        229⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7736
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        231⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        232⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        233⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        234⤵
        Drops file in System32 directory
        
        PID:8032
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        235⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        237⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        238⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        239⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        240⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        241⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        242⤵
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7960
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        244⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        245⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7396
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        247⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        249⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        252⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8084
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        254⤵
        Drops file in System32 directory
        
        PID:7324
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        255⤵
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        256⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        257⤵
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        258⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8216
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        260⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8304
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        262⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8388
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        264⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        265⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        266⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8568
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        268⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        269⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8688
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        271⤵
        Modifies registry class
        
        PID:8736
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        272⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8828
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        274⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        275⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        276⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        277⤵
        Modifies registry class
        
        PID:9008
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9048
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9096
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        280⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        281⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        282⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        283⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        284⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        285⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        286⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        287⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        288⤵
        Drops file in System32 directory
        
        PID:8640
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        289⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        290⤵
        Modifies registry class
        
        PID:8768
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        291⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        292⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        293⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        294⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        295⤵
        Drops file in System32 directory
        
        PID:9088
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9168
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        297⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        298⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8544
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        300⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        301⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        302⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        303⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        304⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        305⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9192
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8364
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        308⤵
        Modifies registry class
        
        PID:8600
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        309⤵
        Drops file in System32 directory
        
        PID:8724
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        310⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        311⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        312⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        313⤵
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        314⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8836
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        315⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8468
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        317⤵
        Drops file in System32 directory
        
        PID:8676
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        318⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        319⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        320⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9228
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        322⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9304
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        324⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        325⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        326⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        327⤵
        Drops file in System32 directory
        
        PID:9500
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        328⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        329⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        330⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9632
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        331⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        332⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        333⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9764
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        334⤵
        Drops file in System32 directory
        
        PID:9808
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9852
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9896
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        337⤵
        Modifies registry class
        
        PID:9940
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        338⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9984
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        339⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        340⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        341⤵
        Drops file in System32 directory
        
        PID:10116
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10160
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        343⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8996
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        345⤵
        Drops file in System32 directory
        
        PID:9288
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        346⤵
        Drops file in System32 directory
        
        PID:9352
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        347⤵
        Drops file in System32 directory
        
        PID:9416
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        348⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        349⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        350⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9652 -s 404
        351⤵
        Program crash
        
        PID:9792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 9652 -ip 9652
1⤵
PID:9752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
78KB

MD5
90d0cbf3e3ae76960034e29d76656192

SHA1
b8bc8c285c05f5fb7bda2ae8f636ef4768489c93

SHA256
ea42e7be94ec912b64daffdd540658df23922ce4ccf5d3bb79cd61986d149f4d

SHA512
dbfc478823825c12f4834df12eaa4c1139f3785d362311aa4ebee9214755d270394a63eba1cc60fe3c3377966c233691b1fc27673396dbf446a82ee514570bee

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
78KB

MD5
c581b25e0db7259ef9a7567be97a151e

SHA1
a6ed79ce6e2c4e3ac4ceb79e0500220b0a385d5d

SHA256
cd5ccd98f5eaab6d891c45342db2cee964fba082c11f67d0b6c58db0c26b745b

SHA512
a25631208259c742e930fcb25f0798028a7d36d7dbbd64579c5429fcd9552cf438738216a0986c156160eb882264278e062b7f5a5a968bdba5efa3d6e6c14778

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
78KB

MD5
e44423a8e35e4c99e1e2263d7618f649

SHA1
a8ac3aaad9353ad53e16b38c8fc7adc007ad74b4

SHA256
55ec1ff67ea49bd338639a703462106b56ac8a2b21d7f298ca307af461f118de

SHA512
504edbb2a199b6caefc3afb9999bc279d1efde398be8f147f603acb9a70f53b0022c21b2cc62484ca5960e957c174659db08232c3f6bd635242c599e8f7e3c55

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
78KB

MD5
34d4105e8aa2c9b01cd32ec9e853f4b2

SHA1
6bc46e3ec08478d6bdd7d506ada67d675627d358

SHA256
51e9aa44ddb0c12226732da8f5e2da5bffedd18839491837c9a3b23c2f636e7a

SHA512
9c6162356783c7f49d3c4e484a8719b144b31b3bae6b28f3708e1a3074af50dd22b47bede10af6e293d58e46dbcfadab51094a2754b94d32f5929eef8b424def

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
78KB

MD5
c2b6f9d766a7a86496fd117f185c1f08

SHA1
aad11c965ed79b59aeef8bb8befe6230f9c735d6

SHA256
0080833df7d270b0035e8ce44d8484f9a35246667b6d3eabddb1f07bc7244fe6

SHA512
e08547e6d4308df38eb5277c75cd4d19325ce5ff6d99fa181ba971b73b50550a62b9e70af96bf46e6ed5924c6789bc61f3506df17a61cf4c4c587ff8efd0eb8f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
78KB

MD5
fbb2fafb87a353e55507da8b6a20ce79

SHA1
25c9a900c422038f51628889e8cbb13e43d0450e

SHA256
8fafff2568c708a0a2cc73ce64eaa9197985bfa49a7205f03d4fc031edfae1a3

SHA512
f71d1095a4da868e76471b842a10bf8d63e437140311e37b4ac384645a33097831801dc72200feb6a18fd5a32ebffc18b515cf43ded71bc47f64a8b8fd12c01e

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
78KB

MD5
c2a78e5575dbb304339aed07766b99b3

SHA1
b41fbbe9daecf21b5c5bd5011aa8f1b2917b3b72

SHA256
e85b2c0bc1be56fafab57bcae7667a8c75dfa2fdcd3fe95275b5b13f7e8737a7

SHA512
49601a67509e51a01553642ba82e32baebfc20e0e97c715e5388d4a9c2b74fd13ab3c9f7c6751b3f5b6b91346e634e9ed9305de255a39ee9c7ef91510c06c757

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
78KB

MD5
d056fde2335e21664049e75f77e9ad47

SHA1
42ebb5a9a51575f2259de885b9aa650e8745e8b8

SHA256
90f7462f7dc32a52f424b054471ec5dcb0df4bac575efe4caa6557bca4729ee1

SHA512
ba43495a442e519e2b24123bfa25aebede159fd5a23732f3f15ca5b96b0fad25c226d4ea66d830bc0ef8ef2f83f08bc5b0dbd477e015a52e39b0ab70368bb6c5

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
78KB

MD5
ca9abeef5e354e7f37605c911e888aae

SHA1
088102fce4bb5466b8c68f1cf4e872dcf812bfbc

SHA256
c25760e8909c21eee1e25cae086309ada271ac235848ed39a46660dd88017930

SHA512
742cc81962f71fec91d7b102e06c1ebd4d93880e2410582428319779df87341999ceae2abc21597d3fe9ca25366650929d0eaa6cb0e244e4609cfac7ed3341cc

Download Submit
C:\Windows\SysWOW64\Cdkldb32.exe

Filesize
78KB

MD5
9558edd8c70340a5f50412565aabf330

SHA1
174fd5ce58681204a7e9c09cb9d28c42e3365c43

SHA256
7441c0aa7a03522703b60ef86d75fdc7dd3911350db6ae6d3eacf3deddbc52d9

SHA512
681b2cf243d25bf66ccde9530ee3bb4812f6a0ae7d6ff312015017c425ae4e569b9e161e201f379211401d0769341d3ad4ccf412d6ef2799f82e2dd52b4cd9f8

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
78KB

MD5
da2925668414d8a88e8294ea5c783b7f

SHA1
eb80b75cfbe3a84332b3c0addbbb232cb902f657

SHA256
375b69929b396693fd4e69f5132c61c45ecefe071eb02c0824d264f1ca5ff1f8

SHA512
5218c790a5f25a7ce9ff5ad66ac835d7d8bc25e8f34efa925a82a9944605f30d2b9b5ef9aa55b243efaf440a6d03687e0436af8e52bd3d6dd7683ad49637eb87

Download Submit
C:\Windows\SysWOW64\Ckcgkldl.exe

Filesize
78KB

MD5
e48f854d3ab633a1c6086681676403a2

SHA1
6c46193ac89343c227a2e865ca19be4d342eb9fb

SHA256
260ef261fbda6ed44fcff2b25070bd67fbcc1ade8cf4f4087ce1f1b92f2366d8

SHA512
7e45d0cd0bcc90ce6043a9417d1e33724676d79803531907fde8d848f303f8b86139e56cf9ccd7bf0619a5ce880b7e923b7f09db4130eaefd4c8d14dba5a93c6

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
78KB

MD5
0a0305bc1297e89f60499476398e8378

SHA1
aff5adb01732e777029b6b54278bc336d99c0861

SHA256
030e38f187e061b5a1cca46bc009ee4bece1202c6a27f85b765de8a79d49df7a

SHA512
0378c96712f556e6eab32cba0a5dafea82156b9d15f91c774d43210878245fe485ba1d8f5985d4a4cfd02035877a590b5a564c9ce375a15d834e924af74e0b24

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
78KB

MD5
c22f374d6c3c7e47875835b271f8c4da

SHA1
08dc915848040aa57685558218533d655daeca32

SHA256
42c259bf170517fc7dc00dac5b204970f971a300b04cb1fd28062a68dc9c94e2

SHA512
6e0d2ef56595e95b2f4feb7c83caee7197ece1e2f0bf780c6d6f0c21967e0dbdb3032d62cd8d65f198d46e32d068947eb8687a040f520673bb503c25e1df7332

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
78KB

MD5
c1a32021e92cb19714f1b7c7ce8b2cef

SHA1
c1fd6864ab78cc7eeb3c367c5dba36600ac39a54

SHA256
d1aa27364b50a19bd2035fd0e622e0cab2bc7c99996941c2003246c2cc25ef3c

SHA512
a3016171afa59e3642db79bc9545ec35bb90ed2e60c86b2309c1f97cc4a4eb98bdba078c433b14a4a5a7d9390872961d5437bfa5afa0754460a436b4a4d284b1

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
78KB

MD5
8d41c138bf6da5921649cadb0412cc34

SHA1
ec61648523abf7dd72468f72fe04d07c211a8f2f

SHA256
0f81ab12e4552f03de8ab181791bf965ff85a51df1b1e55e13efd6129480ad9e

SHA512
924fdb1293a384bdceacce1df8e00f0c65f89e74408a493278c87eabba632d9af03f88b891afbf4361820435d5363c48d733653f14b15628a9c3165d71ee4025

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
78KB

MD5
cfb9c93ab7a41629217760d9895b1419

SHA1
6ab2c4a7a8ce99b56b55fbd3dd143143cb1342ab

SHA256
a96c32f2100401f1181876bb443971426d9936ffdd47a935d256360485efab7d

SHA512
9e546497edddebf10ee114ed3d650824ac6a9053dccbe4b12caa0e1d8563c5d4cfb3461b642f76a970840042e6a7800f4444ce033bbc076bd292ffcb31592391

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
78KB

MD5
bb7d8c5226ebc614b08fdfba15f1a4fc

SHA1
0f9f83d5300f2d6d697dcc700b77688ff7ec6d7b

SHA256
fb9e127b40d6318bd7ac51f309e7b6f9e8b928b0ce3a839bac2ad6c118271d8f

SHA512
c6cef99de8f6af98e45b028af8f57ae9746787461cafa76583d641eb7bf975c8b56e31139efc80d1b56e4948e4382e707844fc77ff708caef5c643f505f47f9b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
78KB

MD5
5fecc8445e708968074ee6212533b736

SHA1
2813dae84e4e70dba4cb2055abf8e98c81ce8ab4

SHA256
925ab0e2608173d57bb5ccb03e3ff219681ee9395ee2f3427260d179027cb708

SHA512
db89740362e57dddcc71de9278609832f74849433365376e5d3b4e521a728d6ae7bb5b550ce3550b54b105ba6ae0cb774cf4fa55bc6b645cde1a6bbd0f4f0e3b

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
78KB

MD5
6f6034161203bf87b91b118fb39c03c3

SHA1
cb4b82e5fac18fd944dd0401760935a6a22b259b

SHA256
7ad085313888703922990d6b99d4c776ef4aedb04828cd82f2a760438a7f3f0f

SHA512
5310c3eb34b42b6551cad2ff4a719b790b79cb5aa68b4e9ac2c1b036a956cb49aae3f78518dac9ae824aedeed901be3dd1abc28783f6921070c0ca1b89310e65

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
78KB

MD5
de93228c1f031b25719b1fb87d82f370

SHA1
4b4ebe472760d5b40c847f56dcd9fa7e29681d62

SHA256
fb702bcdb61be9f083108dca7a2faf0fa4393e3902386f7497be62443b4ffeb4

SHA512
d10a49622cc61b036afa1f3a13807c3b586a6bcd8c51056c6d7050a0d4d675b1a20fe05dbd15aac3312ae7344932d83b8ea1dd4706b1c52147b47aeaafe260e3

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
78KB

MD5
39a64e5b16724a92035290bae72acbe3

SHA1
62ab8b0a308051c34e1f9099af13d1953dd01514

SHA256
db313e18b5623a887e89afece9998ee2664a764f148b5d9d2d832b364bbd1265

SHA512
8edee7d96af6dc2e9849bf75a211032dbd85970e01becb1e068561738eceaa3f5af23e14c9ed46ff1677860da74436ba02725dd039fab8889c879c065b6de929

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
78KB

MD5
9cbad39bdf324818890f9c809e86d72a

SHA1
568c1e1d9f9c23e5a646bd03314a10f4925ccc91

SHA256
18f890697c6a3f9de35fc7cddc31d42a0cc7e038cd3f45cf9b8258e6f75d014c

SHA512
08abda29696abec31c522d953c6bbbcc2114e795e349e8f6d0975e514ab63430859413457e03fba96209843948cdd509aabb3dd7c8bf6d5158f6d5d98d29bc8b

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
78KB

MD5
84758f1a6cd2282e0855e680aaefe318

SHA1
87c8a59c70b993f8a03903690e6af2e029637898

SHA256
5c810b9f1acf3c781a78246151f53026025378b2f2d378e55967e1f777262b53

SHA512
014a9ef23503e79f75f9995e6d74c5b4ebdeef115a173022bc0933f1a1e2051d5c18f20a4085070f76cba3a1a90d460f0e19156008335275565953db6fdcb5db

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
78KB

MD5
188cb4a575ca29cc87d3c7da34bd9e87

SHA1
1500c3a72d918cbfa02dd07960ce4f936d9f74e6

SHA256
94bed024cf279aa81adeb58cf0ed9671bf54d830dae51a8a89a7d5b3705cd258

SHA512
ea19c45edabd34cc94bd9fdb26ddb8924b578491792bff8f7ec03ac41aa8c78d97425d5714d71d96f124fa9e7a3211d6804b17b59a72a381b7b58d6472846afa

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
78KB

MD5
a0c4d986eca99215ea6beab6a2b2da3d

SHA1
2eaa277e6aafdbc3730e9fddfbc43196f68ce5da

SHA256
731ed838113ebb9dee81ae2376418c25a47f00b6fe2457336b7c76279ab8ce2d

SHA512
59248c36ffa86ed84f6336434b3fcd27a2b2ad05464e5510410286b54c0d2658fd925adc9d03f9e6aebf48c2cd1a9b3ff71ce1097705243a35ae734a74a222ec

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
78KB

MD5
97b01c678ccd8038843815d001175058

SHA1
38e0962bae4595c716bab0a4814ac6cfb3538a98

SHA256
56063ff4b49f95d9683c903245d6aaf0a563675453794a6d4163a28d886a5dbc

SHA512
70c20a7b8092f131dc15b2ffc5100a6d8cff9af82663d7ab65e53e65dc109879d9ebfa78f109e9ad7115f6d13e6621f7e754d6dd3b62e3a974b5cdd11963d344

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
78KB

MD5
a40993e5dc1855a6afbc1327b5758197

SHA1
0450743f5e1f48ab889eedcd7671a6689e4a2173

SHA256
e64fa6fbf9bec6adbec20911d25fb59dc0177ee7af16d43038c9504102ebbf8a

SHA512
094b4679d5bd6677526d77c9b70d6a50e87e63696170c46810e0ba2ead4689fcbc044a521b696f58917a69e74de88b724950dcb5d42fdcf6fa52ad825a54db9a

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
78KB

MD5
6da9424cbb059585935fcf85aac2b94f

SHA1
f30afce101f78ff124587b54026aca8040c44e3c

SHA256
8c5b0f8b7a59c95bc49a33ad8f33dbabfc2f1b7b7ac5ffc51dc1fc69bbb6a018

SHA512
9f51f3044a378b050f2d1555995ac1df78dc3096256391fb37c9fccf43127b1de6bb01a1883c92b5df4cf4c69bde6612a2e82df04eaa27a3f3cf9c29cb3d8e7c

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
78KB

MD5
92c20d4603832292d32d31d6da064989

SHA1
b26ccf9be2acde91fb9d5bb14d74775c94579524

SHA256
5a917cfe5aad15a991ef37d5952d4e9c26d7c923babe95b085009c5c8fb65011

SHA512
85800d310fab1d2a6bab84b3a4cb64d904afe0241ee425e22796e16b02f10631e7ebcce893a1860c0a5b3d8c1a7e45d3ffe34b691a742a9c26d79b00be449c77

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
78KB

MD5
45d97ddd7bc718572de26575cc3ec979

SHA1
eb6a41ccad4d11113a95eec8965a8de0c5cf6053

SHA256
a91c9d57cc34bbc5e656ad790f779d75893822c0a3085b65c96e090fae2853c8

SHA512
6a1fbb4870eee73b8adf36e95c4ca136b6f90b07e4cb9ed8f4d9e2e2a191429b1e48d617a02d4422049dde40e85b4f07d8b05749c23f72e0f6d257d8d7944bc9

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
78KB

MD5
32e21d98a2d86885898dda7f8a7c2748

SHA1
078291c3f5b519a6cbab36563b5d429269e53b72

SHA256
7df0031f82449857d2c543e4667310dc9fb3d3c85b7b6cd14208d6acc46da400

SHA512
0792e52ca679d059822d2bb39a1576366e4271f01176c8ab02fcf50b2b689ade6913cd2745ff1b7a2246c6fc61953f14e8b75f7595e65529a58173b9ecff04a0

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
78KB

MD5
c621185982f5b22c29a898ede61c3444

SHA1
99db52194928822aa83922283aeceec9feb26e2c

SHA256
1f3624257a178d588e164c97afe387cd6b2acdfbf5ee7f095e60bd7876710d9c

SHA512
23bb136dea3870e7ac4979d9ac8a1ecc82645f73a5c6d56a3b5c46930540e7e41baa9b9a2fb363f18b8f5a0500040f6cb78f0a9a1f23aed82ed9285821dcc302

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
78KB

MD5
4cf0d87c8e0133f7e86d21ee6947f3b4

SHA1
fc0fda63d44e997b7877db3a2c46ad48da0602b9

SHA256
650744ae4df93fca82d748c32796c88fa18efd45b4499a9fe3d475a79cbffa4b

SHA512
31189511eed113f32d7af58cdf50e8efbc1e62917c4976fa1f2a67b7f7a4280506621aba05b5df91944af88a908a239707c784eeb7e84b6aeaaa25104dc8aa64

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
78KB

MD5
26aadfc0271cf67a6353e5203c37d61e

SHA1
c3aecd478ed2ac34a030ca79cb374ba8b4c9ca1c

SHA256
2a560ffaec6592159b9a847681b3f63db092d799632e883a5da3a2e64de50f40

SHA512
39f4cff68122e52e3da058ef2c63c95636e569940ea8d64f73427b36a2fb4440d05e46f1052732b444208b0214529bc2ba0094dccede7f257ade26cb55bae982

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
78KB

MD5
0309a8a4f0764ef2c7b939ec5d8ef628

SHA1
57ac2d65de9f10fcb0997f3a733075561692216c

SHA256
4cb1cd80560a253ba31a98f63ca80fb700b005c0995829e054419300a2282207

SHA512
d1a60bdf4995537c9bdd221a2228880771c0bdd24924f67a446ec216f4e65eb41d7839840d6f0de8939c86e2e518d6d7588c0259baea0bc1eb3a9cd9d5934dde

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
78KB

MD5
736c3ae83c378812a4bee95103510a6d

SHA1
d92848e97414afd924d8554d13563a584ec8b5f8

SHA256
7bfeb83ad3b0962d7a51d4b12181f6846d2350c8956452003399e09d09398b47

SHA512
ad2a6a3158584be0c6edf952bf3fc0e00526e959c35327f739ca89213e341d1aa8f7684b27322e4a5672c927194c48991b69412d01c4558a60af03d36e7dea7d

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
78KB

MD5
6133c54c209a7207316347f099abefc8

SHA1
b12902fdcb80d2fdcfdfedb2060d6e5abd0d35dc

SHA256
dfe7e5532baf98ac372c14dced6d670458b994ff11faae1dc0719d2d0eb06176

SHA512
4879e737ee486743e37e357ce29f885cb71570d0b9f50f06fab61a8d946f9b2ededdc1ad7a73615f2c6b9cbef8aa56612f68117d5361d3e58813d6dd7443b44d

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
78KB

MD5
7cbe38cf5dc9fdb9ffaf6ca1fb921f78

SHA1
05f8c103dfaa1deb0ecac13ed930f4eaa3e86c7a

SHA256
5a487ff5557fc64b36095114cdd13d2fafdcfd40d63d3a53453decc9140d6ecb

SHA512
18dfbd2cb1e154186f4b5678e7ccbf094cfd5ab3d8f5b353caaf634431b8f24ad7323f97c4b16825c3428bde2ced939d8504385f7034db917fee4a34add22edf

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
78KB

MD5
d0b052a3d2cce432538c26994cfd9c06

SHA1
be50827c89255c4e97d7ff15b9fb6f89d6ea8cef

SHA256
5074f58e343e4ae49d53469a1b6bbd06bba40d61b866c0efa8de50c1e9e4f9d4

SHA512
3319f9bfb3ad83de3cc35425cadeba983da59f64a8174ab96791ef9e673b0cbf3c685e42b5dffb8d76a099adef32385fac4dcd4aad9fa8918f2ee6cbcf57c470

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
78KB

MD5
12c4424d0285b06e6028de1966cd8361

SHA1
0349402dfbab499cf909bd7f77578cc02fbff461

SHA256
13067f4ac9d5b044fc93830910125ccc1c1ce5d3c65c4eb2c36e18b8cd8d5ec7

SHA512
c7a1285641a42bd81ec772f7b48a9c484c3eed5dcc526375c34c9f5e8297e979e1d87ebcbb8cc045acc8befb89426928d56f95bb6e32b92b3c4b868214c4430a

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
78KB

MD5
74ffe3da93ca21d7c2a4c892586d5e4e

SHA1
51d394bb2128b22d362eaafa78ae44421ca049c4

SHA256
a53b5e26386e0be41dc8de8ff1b6911d59939564d4e87df3bb22adae960a4e97

SHA512
2b5cdb7344faaa4417a6200f990938db0acac9d4091ebe40a1f0868453efcde2cfc4843829e339835de4b18030b303f1893d6ee299ea1f803771f831430f4c03

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
78KB

MD5
500a496e46b5b9108a2a87a2bb3af1e0

SHA1
92b96ef4fd2dd6dbf60902299d33bb1bc9ac47f0

SHA256
567f34bc8b9c907d6016537bc5975ab49231a6dd9caf60828de4c2fec5750577

SHA512
ab3dad7fcec360f39ae4c6a2d156053206bf0c980cb79c06f4e1a162334f222257aebcee4c1b7f34ddcb10c591294fd4c4e237907f83a31f680f791fd97a1644

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
78KB

MD5
aaec0dfb462156887078b4197cf7e889

SHA1
24840096ad24695db22a973d32b4cfea0fb2fccc

SHA256
f2475841060050b4a9bc844a5988bb1a65666dbabacbe0c8cfb40bfcb46c0bee

SHA512
23adb8cca406916d59276975d61896046a524708a3784b1f65e96dc7a4f5b8bc5e489ca05fa9e9504774b09819b215a999fafba66c278f1be901b431deddace5

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
78KB

MD5
db19dd126c95006a9e0ebd1a0730a7be

SHA1
e573644a838a485c91487d4839db324b26e0a6ed

SHA256
b0847180e08391f3a6c30ab3acefcc8649f9785d24f830814f4a17516ad0d7ca

SHA512
14016e00602a22d5301e8cb191082568128a872cf7e7bb4215b1dff4f701771224f0faeba05d568e379e94b866049e7c7aa08eaaccb437a26d4d21df6524222a

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
78KB

MD5
af02dd18dc89ec49571f73fac55c8dfd

SHA1
e5704a9d36909a4d03c5aeedeb6c8c59466890f5

SHA256
7e7d29f5fe267a58f49cdcd87198658ffb53a23545c42824163c7d5b5a4f8d18

SHA512
41cf48b489d28438558840497f11b2f248229dc3d43f25806f944129b1cfdb8ffb12b1d7f24271883db75cd452d95d903a4de452cb1aa80ba86cc108f8c672f7

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
78KB

MD5
da200fbc53ce89286a7e657070df14a9

SHA1
bf92efdc6b4c4d7e9a892a3ae35a9c7206e775d9

SHA256
5d0677704e70daba265616bf235d87f0a66fd853e6580f7ac0130f48e7980ed8

SHA512
14403eae8a5402eb91232f3df1236ef962e4578eed7cc42cca88e5c341abd67281f1fc03aa728054ba43147df8b5753d83b53ef3745980b9f23d7814f9a2a540

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
78KB

MD5
282fcd7e0e84f67d757e447a3ce32381

SHA1
161ffa6c9c52555113aa21d4b60a31fcbba4509f

SHA256
6c22e15651694d5a4ce378eab90b2c4d7a94d2a98c58af63ff6f37b989c43a86

SHA512
45e51c23d563fa93dcc49531dd818d9e9a662e8ec0b2c229a0c0fdbf108f6a3e4069c2d0fe7b299695e21e592086a9b4f78024a9ce33306288fd2256df61b911

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
78KB

MD5
1207bd30b209ce1ecb39fe86f81e6378

SHA1
cd74c1ee5c9dce127b567412ef2fe85aa9ce2da6

SHA256
80bbd41481cff4dd7e78561029176e6661e41fcfc28bc1f849acc675b2aa6093

SHA512
69b314fb7a53508e9f3c065af8a82e06a5a723eba2ce61d7e0a6b31a42ba3f89d1f9252a2776867f80c9ba92a40bc1a04a4b600cecb8fb5c19044bc0c377254e

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
78KB

MD5
d39839986dede583cd97a0fd8b8fc93b

SHA1
88b917c5fab0c103b49e2c973575be45e46b43c5

SHA256
3e419d9ed07742be8f1740425cfa96c6fef3db3c1b2310e015dc67a2e0446a5d

SHA512
76558cdae15dfd1e0708704c0d6883bb51e759b37bd9516a04bee87f0bded1bba00b7778ee2cfa31ce6f776ee6129a701fc084b21d8a08f3a006f7f55a43804c

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
78KB

MD5
cd5e1259a9a673f7b6ac821b1687a42d

SHA1
e0a5d8258987782d2f05be29ec0e67875e315063

SHA256
ccd9ed9d1e378385ea687413f09257c3900d41a739c16ce756ebcd14da16f770

SHA512
012e67752a6d2a2d3a37039687f675f8c7f113fc84214d63f93f30aa4feb3eebe047bfb1e94e07a80e394fcfe149d4b929e1746690d8451f1223f403a3d5e27d

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
78KB

MD5
8fb037ad5a281a3c76f2d5ff8e5121b1

SHA1
db6dd2b8a5d4366eb5ee3ee85a224f7cda87b3e4

SHA256
164c17829818e7221122b752d20879466a1cd36b462a1dc16d8c26a21bc4dca6

SHA512
e8a24708e392de18e37626855847df1cf10ef81350363910a2a14181d2deda4ad3b823699ae2f5b0d3e7e3ab874eded28389f3d2bc0d3fae997ddeeb9ff5f47f

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
78KB

MD5
3783914bce3a46e75b4bcd784b4a6ace

SHA1
40272de2d8d11688c8d1f5bac7902ba5e76ab2dc

SHA256
83b83ceda7cda179e379426f14d2b463d4bde3ebd5c5df44be174a915df358b2

SHA512
284c49423b156ac324c2c370382089a92fd5bacb08a6e60d13dd2b820d2458220a01f6a840116e0b3edffcb3cfff9e016a0f890bc5e462d8b0d9950ee71cfbc5

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
78KB

MD5
4eb80ec858a87da35a85826ba66b9278

SHA1
8f48c99738c740fc7ef920373d3b4eedfac4ff37

SHA256
8c9d19feb2a9247ab2d4a5ca370abc059abdbea852b43e52ca3f2ba8e622213a

SHA512
acd6662b87059b35e80dadad0828b6bb58da8db4856796786dbfc6873dad6df83c3798f9c00f1beed1409b4f1722565d3bb702cdabbe40aecd7b31ae230e5ac3

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
78KB

MD5
aa7bb3ef8b4579ad038532e4c064ce2f

SHA1
41d4765949a8c1d7aa44a730d4b9707f53844105

SHA256
b643455bc2e0290c5a0a1c58c222c83a2a8e2f79d1c90c610dfa0d50c3dfdf46

SHA512
a777e15ed4adf5ca761fba63915c2da5d58f7803f1a3dc4c39937ffe9f33829a1c816c4ba5ae6a16fa81eedcdcb891fcbaf1ad028100e79317fb5790aa30c9e3

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
78KB

MD5
2c4502a11446df5719e8c106c6837b0d

SHA1
68d71c8b34dc1748274e9c45539b360952c895b0

SHA256
44ed28e5fe3f02371bb334eff2a69340d5920bc4093880dee9b54764f404b4e2

SHA512
150f7beedd754f602189c20f8c7c1c28887122da69affdf4cf18bc8e327fc56f84857a074547764d38bb53a0361357afe51b0b100dc67f4033a02cbd528afbaf

Download Submit
memory/404-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1468-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1828-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1828-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3020-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3280-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3280-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3788-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4200-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4200-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads