b2c874923e1380b8b6aae941e764486b3c0026cefc5bd922d9e74da1fba16153

Analysis

max time kernel
131s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe
Size

72KB
MD5

8e9d435326e987e922f3ec23b83efd20
SHA1

dd4f0624d093ece1942f157def119e24be7d48a8
SHA256

b2c874923e1380b8b6aae941e764486b3c0026cefc5bd922d9e74da1fba16153
SHA512

7114abcc6f80c2ffd58c81e8af563709789d107898c95f48de1b3d70e9c89f71ef688fe3bbef86005a9edbb47307eb5e6e944b2a6aa8d3862392a0ffe488ce95
SSDEEP

1536:H3gL3ZVbNFdy+530vy6DkINTmj7IBgX7CM0PgUN3QivEtA:H3gL3ZVpXy+B0vy6DRTmj7Wm710PgU5T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkljak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllfkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlnbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfbibnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqpimpl.exe

Executes dropped EXE 64 IoCs

pid	Process
3824	Cklaknjd.exe
2776	Cafigg32.exe
2752	Cknnpm32.exe
1036	Cdfbibnb.exe
2012	Clnjjpod.exe
4904	Cbgbgj32.exe
4292	Cefoce32.exe
2128	Ckcgkldl.exe
1268	Camphf32.exe
640	Clbceo32.exe
4196	Doqpak32.exe
5036	Dkgqfl32.exe
3428	Ddpeoafg.exe
624	Dbaemi32.exe
1068	Ddbbeade.exe
736	Dkljak32.exe
4144	Deanodkh.exe
680	Dllfkn32.exe
2384	Dedkdcie.exe
3044	Dhbgqohi.exe
4588	Ekacmjgl.exe
3560	Eaklidoi.exe
3224	Ekcpbj32.exe
3056	Edkdkplj.exe
1640	Eoaihhlp.exe
4932	Ednaqo32.exe
3996	Eocenh32.exe
3572	Eabbjc32.exe
2760	Elgfgl32.exe
540	Eofbch32.exe
4340	Edbklofb.exe
948	Fljcmlfd.exe
3028	Fdegandp.exe
1072	Fkopnh32.exe
1420	Faihkbci.exe
2124	Fdgdgnbm.exe
3800	Fkalchij.exe
4312	Fdialn32.exe
3280	Fhemmlhc.exe
3900	Fbnafb32.exe
5096	Fdlnbm32.exe
1248	Flceckoj.exe
1676	Foabofnn.exe
464	Fcmnpe32.exe
4284	Ffkjlp32.exe
4128	Gkhbdg32.exe
3444	Gcojed32.exe
320	Gdqgmmjb.exe
2152	Gkkojgao.exe
3332	Gbdgfa32.exe
4796	Ghopckpi.exe
5004	Gcddpdpo.exe
3300	Gfbploob.exe
3652	Ghaliknf.exe
1028	Gkoiefmj.exe
1308	Gbiaapdf.exe
2628	Gfembo32.exe
1788	Gmoeoidl.exe
3452	Gkaejf32.exe
2044	Gcimkc32.exe
436	Gfgjgo32.exe
2536	Gdjjckag.exe
4912	Hmabdibj.exe
4328	Hkdbpe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddbbeade.exe	Dbaemi32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dbaemi32.exe	Ddpeoafg.exe
File opened for modification	C:\Windows\SysWOW64\Hihbijhn.exe	Helfik32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cefoce32.exe	Cbgbgj32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Iehfdi32.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cknnpm32.exe	Cafigg32.exe
File created	C:\Windows\SysWOW64\Fkalchij.exe	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Gkaejf32.exe	Gmoeoidl.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hbbdholl.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Gbdgfa32.exe	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Ipnjab32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Gfgjgo32.exe	Gcimkc32.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Gcojed32.exe	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Gkaejf32.exe	Gmoeoidl.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Keoakjca.dll	Cafigg32.exe
File created	C:\Windows\SysWOW64\Foabofnn.exe	Flceckoj.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Camphf32.exe	Ckcgkldl.exe
File opened for modification	C:\Windows\SysWOW64\Clbceo32.exe	Camphf32.exe
File created	C:\Windows\SysWOW64\Dllfkn32.exe	Deanodkh.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kcdgpfak.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dedkdcie.exe	Dllfkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ffkjlp32.exe	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Chdfonda.dll	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Ildkgc32.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8756	8264	WerFault.exe	406

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklaknjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhcgeja.dll"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll"	Eaklidoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eabbjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faihkbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddoeojd.dll"	Dhbgqohi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlednamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picpfp32.dll"	Cefoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cknnpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3824	2280	8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe	83
PID 2280 wrote to memory of 3824	2280	8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe	83
PID 2280 wrote to memory of 3824	2280	8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe	83
PID 3824 wrote to memory of 2776	3824	Cklaknjd.exe	84
PID 3824 wrote to memory of 2776	3824	Cklaknjd.exe	84
PID 3824 wrote to memory of 2776	3824	Cklaknjd.exe	84
PID 2776 wrote to memory of 2752	2776	Cafigg32.exe	85
PID 2776 wrote to memory of 2752	2776	Cafigg32.exe	85
PID 2776 wrote to memory of 2752	2776	Cafigg32.exe	85
PID 2752 wrote to memory of 1036	2752	Cknnpm32.exe	86
PID 2752 wrote to memory of 1036	2752	Cknnpm32.exe	86
PID 2752 wrote to memory of 1036	2752	Cknnpm32.exe	86
PID 1036 wrote to memory of 2012	1036	Cdfbibnb.exe	87
PID 1036 wrote to memory of 2012	1036	Cdfbibnb.exe	87
PID 1036 wrote to memory of 2012	1036	Cdfbibnb.exe	87
PID 2012 wrote to memory of 4904	2012	Clnjjpod.exe	88
PID 2012 wrote to memory of 4904	2012	Clnjjpod.exe	88
PID 2012 wrote to memory of 4904	2012	Clnjjpod.exe	88
PID 4904 wrote to memory of 4292	4904	Cbgbgj32.exe	89
PID 4904 wrote to memory of 4292	4904	Cbgbgj32.exe	89
PID 4904 wrote to memory of 4292	4904	Cbgbgj32.exe	89
PID 4292 wrote to memory of 2128	4292	Cefoce32.exe	90
PID 4292 wrote to memory of 2128	4292	Cefoce32.exe	90
PID 4292 wrote to memory of 2128	4292	Cefoce32.exe	90
PID 2128 wrote to memory of 1268	2128	Ckcgkldl.exe	91
PID 2128 wrote to memory of 1268	2128	Ckcgkldl.exe	91
PID 2128 wrote to memory of 1268	2128	Ckcgkldl.exe	91
PID 1268 wrote to memory of 640	1268	Camphf32.exe	92
PID 1268 wrote to memory of 640	1268	Camphf32.exe	92
PID 1268 wrote to memory of 640	1268	Camphf32.exe	92
PID 640 wrote to memory of 4196	640	Clbceo32.exe	93
PID 640 wrote to memory of 4196	640	Clbceo32.exe	93
PID 640 wrote to memory of 4196	640	Clbceo32.exe	93
PID 4196 wrote to memory of 5036	4196	Doqpak32.exe	94
PID 4196 wrote to memory of 5036	4196	Doqpak32.exe	94
PID 4196 wrote to memory of 5036	4196	Doqpak32.exe	94
PID 5036 wrote to memory of 3428	5036	Dkgqfl32.exe	95
PID 5036 wrote to memory of 3428	5036	Dkgqfl32.exe	95
PID 5036 wrote to memory of 3428	5036	Dkgqfl32.exe	95
PID 3428 wrote to memory of 624	3428	Ddpeoafg.exe	96
PID 3428 wrote to memory of 624	3428	Ddpeoafg.exe	96
PID 3428 wrote to memory of 624	3428	Ddpeoafg.exe	96
PID 624 wrote to memory of 1068	624	Dbaemi32.exe	97
PID 624 wrote to memory of 1068	624	Dbaemi32.exe	97
PID 624 wrote to memory of 1068	624	Dbaemi32.exe	97
PID 1068 wrote to memory of 736	1068	Ddbbeade.exe	98
PID 1068 wrote to memory of 736	1068	Ddbbeade.exe	98
PID 1068 wrote to memory of 736	1068	Ddbbeade.exe	98
PID 736 wrote to memory of 4144	736	Dkljak32.exe	99
PID 736 wrote to memory of 4144	736	Dkljak32.exe	99
PID 736 wrote to memory of 4144	736	Dkljak32.exe	99
PID 4144 wrote to memory of 680	4144	Deanodkh.exe	100
PID 4144 wrote to memory of 680	4144	Deanodkh.exe	100
PID 4144 wrote to memory of 680	4144	Deanodkh.exe	100
PID 680 wrote to memory of 2384	680	Dllfkn32.exe	101
PID 680 wrote to memory of 2384	680	Dllfkn32.exe	101
PID 680 wrote to memory of 2384	680	Dllfkn32.exe	101
PID 2384 wrote to memory of 3044	2384	Dedkdcie.exe	102
PID 2384 wrote to memory of 3044	2384	Dedkdcie.exe	102
PID 2384 wrote to memory of 3044	2384	Dedkdcie.exe	102
PID 3044 wrote to memory of 4588	3044	Dhbgqohi.exe	103
PID 3044 wrote to memory of 4588	3044	Dhbgqohi.exe	103
PID 3044 wrote to memory of 4588	3044	Dhbgqohi.exe	103
PID 4588 wrote to memory of 3560	4588	Ekacmjgl.exe	104

C:\Users\Admin\AppData\Local\Temp\8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e9d435326e987e922f3ec23b83efd20_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Cklaknjd.exe
  C:\Windows\system32\Cklaknjd.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\Cafigg32.exe
    C:\Windows\system32\Cafigg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Cknnpm32.exe
      C:\Windows\system32\Cknnpm32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        24⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        25⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        31⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        32⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        33⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        34⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        35⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        39⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        40⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        41⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        44⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        48⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        51⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        54⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        55⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        56⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        58⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        60⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        64⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        65⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        66⤵
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4396
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        69⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        70⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4016
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        72⤵
        
        PID:668
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        73⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        74⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        75⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        77⤵
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        79⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        80⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        81⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        82⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        83⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        85⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        86⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        87⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        88⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        89⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        92⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        93⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        95⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        96⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        97⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        99⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        101⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        103⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        107⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        108⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        109⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        110⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        114⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        115⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        116⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        119⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        120⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        121⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        122⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        124⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        125⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        128⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        130⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        131⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        133⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        135⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        136⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        137⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        139⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        140⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        141⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        142⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        143⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        144⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        145⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        148⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        149⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        152⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        154⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        155⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        156⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        157⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        158⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        159⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        162⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        163⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        166⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        167⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        168⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        169⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        170⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        171⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        172⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        174⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        175⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        176⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        179⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        180⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        181⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        182⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        183⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        184⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        186⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        187⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        189⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        190⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        191⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        192⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        193⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        194⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        195⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        196⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        197⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        198⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        199⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        200⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        201⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        202⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        203⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        204⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        205⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        206⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        208⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        209⤵
        Drops file in System32 directory
        
        PID:7516
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        211⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        212⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        213⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        214⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        215⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        216⤵
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        217⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        218⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        219⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        220⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        221⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        222⤵
        Modifies registry class
        
        PID:8104
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        223⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        224⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        225⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        226⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        228⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        229⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        231⤵
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        232⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        233⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        234⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        235⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        236⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        237⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        238⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        239⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        240⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        241⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        242⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        243⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        244⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        245⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7304
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        247⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        248⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        249⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        250⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        251⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        252⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        253⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        254⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7952
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        256⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7348
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        258⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        259⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        260⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        261⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        262⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        263⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        264⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        265⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        266⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        267⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        268⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8768
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        271⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        272⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        273⤵
        Drops file in System32 directory
        
        PID:8896
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        274⤵
        Drops file in System32 directory
        
        PID:8936
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8968
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        276⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        277⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        278⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        279⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        280⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        281⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        282⤵
        Modifies registry class
        
        PID:8272
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        283⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        284⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        285⤵
        Modifies registry class
        
        PID:8368
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8468
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        287⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        289⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        290⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        291⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        292⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        293⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        294⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        295⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        296⤵
        Drops file in System32 directory
        
        PID:9132
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        297⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8236
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        299⤵
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        300⤵
        Modifies registry class
        
        PID:8388
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        301⤵
        Drops file in System32 directory
        
        PID:8516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        302⤵
        Modifies registry class
        
        PID:8620
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8760
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        304⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        305⤵
        Drops file in System32 directory
        
        PID:8920
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9052
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        307⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9092
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        308⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8356
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8576
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        311⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8840
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        313⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        314⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8264 -s 396
        315⤵
        Program crash
        
        PID:8756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 8264 -ip 8264
1⤵
PID:8484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
72KB

MD5
7171dbd8cbaf3c1ec5f4dd987b8ab2e6

SHA1
fb6a27ce34d4aa5c40609dfcc4efa226d899f3bb

SHA256
86e1424ec9fa44b59d3c03ce4e118ac8bc7ea97f8e14dadb59b04f8da95ded73

SHA512
c3c723595729ac078d4e5d05cb122dae87ff1f3fee70a365ddba34313998c33f7e57ba640b8e9fdb7709c3f75fa6cfbe031e0e7d3570796da723f6085598a6d0

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
72KB

MD5
8749f4fc1a79fbcd726fb694767671f9

SHA1
f530626c77d03ae4db38e772de8445ca91b59a03

SHA256
4d10f9f4dd779293a0e45701dea71a4ac00eef2e83048393ff3e29b8d519173a

SHA512
bcaf04393decedb39cc525c6e7f8beee42a13c78685e7f58c25185d00bc0e89e3b0335b8baeb55ccbb7fa043e054ec7d3cdd2907e37895741f15997913fe9278

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
72KB

MD5
9f2eaac1c547dd273d9898be554883b1

SHA1
5f6f2be91726b3aa5ca5a4c53d39b0715f98d2dc

SHA256
f451862566af170856e33b6b4201bff794eab52ea94a0d7641409450a2064d68

SHA512
917dffe71aa2ab29e18d678356e425df18e61dfdc23fa902c3aaaaaf14f0719ccf9df8ef3560d4b481dab98d48420c2d3ad76f45affce8a4449ade0fcaa9ccae

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
72KB

MD5
d92f74ce5b8c36349abfef7757499270

SHA1
7b6ad55743190d4db1d32e66f22309950422c538

SHA256
f8b5049144a04d5c5e088427b837f01f3ade4f92ad63666d4b7ef7f5e8e31cc2

SHA512
c2b6d38c86f9d76525e2e960f023bc5d9da5cc91de3185a54e5f511bf53f94d3182daf6ed8326b3906d02fcb2cc512b19c2393fd89b2002b329bb45ee5306b07

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
72KB

MD5
9c7f29390f125f6b11db8247589525c1

SHA1
1f1329e18567e0610b3db7ec1ffe93031a3c07d3

SHA256
b258681c681e893ef5bed42cc28649c513b7d991f01fc04931b6acf33bb32002

SHA512
655f5f6d7891bc691c5718ac55140397df77055d766bbd508a876a11f6122377a76354e9d3f01c481ecc79d15b8ec6d330b955e5f4c6c77758cdec4ff3e549d5

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
72KB

MD5
1bd72bd4724a5df5f06cc607c1d6c0f9

SHA1
8960cbbd0b3b4849cc0d4e89e9073030a8a57681

SHA256
c0d1073c02bd7248d23a2ee0e6c05c4aaf3764af6ec3a84d9aad14ef06a22192

SHA512
1dd28c991a3106bb63ea50d9ad3fcd516f2681e835c73fedf4abcee066b1c8ae51e2309f3f78bbea94d6937d417f8d3c5f938e4a0e1fa4e45ce6e98e55ae82f4

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
72KB

MD5
eb161db4e4e8585fe2e20843c5c20d93

SHA1
77d905f47b14fc4e0794df3b57eecb6b34b3dc70

SHA256
4b7ff157577c82675affd583b9321c775da96d76e3f4360aab8482854513ebfa

SHA512
cb1a6add067127d9dc92f066c316b37f0dc4e4b158b151121113dcd8a4adbb4f907f0d3d012726653288c12ac44b836d5724ed212d9397dbb6f9470b7518b381

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
72KB

MD5
8db6687fae5312af4c7789342733d3d9

SHA1
4363731a8f57aa9d1ab867e0f04dc80f76d6b922

SHA256
8f92f782b9df78c38126eb3a856883c3e3e4eb035a65599acbd072619677c817

SHA512
c2fe5d21b0baa75ad9d889b40a891cd44786ebd8889de6d2c5b3602d8b061f00d445b220a4f90fb751d3ce0ac47ea5b95b9b5c495293d3cd13ccc3ec0f327b18

Download Submit
C:\Windows\SysWOW64\Ckcgkldl.exe

Filesize
72KB

MD5
5059d174ad28682461b8511d73ddc27d

SHA1
0ff1ff8d2ca60e284a78fd9439bc7e2befd7eeea

SHA256
52710a869c52912d6223e95f47b52f3826a35b5f8c4b5a00cc3230e15a326974

SHA512
4ffda88604ee544e5057d93a79e976be5d2462812d78f51e3f68b5dddfb2eb2023f44e72b3cefabeaf5e8a72e872ba7f453a269c2f50f750db8a9783f0bf5a39

Download Submit
C:\Windows\SysWOW64\Cklaknjd.exe

Filesize
72KB

MD5
f861fa583ef4f72e4bef8fbc0456e878

SHA1
a23853bd9cefd68fa00d34a116f7fbc154441871

SHA256
c0626b1e46e73d2517e9a0ab93d81d1975358e8119fef726d73c5c781cc70455

SHA512
b21650a1993df0f464fcd206227d329a70fcaaf3fe5e5f51583ce58c40962d7fb9e501910f966a9aac6d597b65c7fb71ab6994583c88d422bcd28c3d3cf073bf

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
72KB

MD5
779575da0fb1607c0ea9d75ab425110a

SHA1
f5fd1f9b4f76246c49da835e81498aac1961db1b

SHA256
db143d7856429357b2718a08a97fc3b1be52efcab44024bd859630dfb560c955

SHA512
51264603197890666f288b776bf6c9678b7b229a4f452230ff58ffcffb511c2143d7a0a3ea8a0624123ae7a979a49ca2504c8a57108db89b8311c9bb719538c5

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
72KB

MD5
b35465b50c48f3da01449df549d3d127

SHA1
f8f08f88430d6b651cc5195caf55d5c148ff290e

SHA256
01332a4066edcbbdf85fd9672df45231edcf133fbfb399b3faeb0bb0c9e2145d

SHA512
ea6c71664ffc62a3320fb3bf1fd7b8474e39f0fa1506fd9505da8703c7355e51569b6c3fa80ec9a5c970fc48ea4ee9fcc576534d93965d2a6f530320587f3dfd

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
72KB

MD5
8254f3e99a095f07602448ea3907b02e

SHA1
d9494228103165051f10d2cd9462c67305a6d1e2

SHA256
c62976df4cf9ec073093bd2fe585c4bf7f08ca6f14c447cfb90634fb324de31f

SHA512
73170e629e1dc5a6ab22920de0fcc6c7d91c3936d92a7e766e8b65b0c7c9d2f98fedb266e72fd819d204e3290fe28fc37c1f8a0434ce1d4c1e007f5a96ce0db8

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
72KB

MD5
e8a1209ede3fe459eda11c068cc8db20

SHA1
2cc6677a0bf28e53efdd0c8964fcfa24b657bfa2

SHA256
ba4afee71086b806d58d9ceca752e29acb661ffe10ffe736ae85495e13cf02a6

SHA512
419e46cad1c33bb2c947ad748ea27c7d8ecbdfcfd116c5fd3147fb05a48903586dc3a1b239f3098183b8790afa12f44014df2516b34ae2f4c38b10a58295622d

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
72KB

MD5
5d7182a03d5e74b7c1abbb27624bf8c2

SHA1
b93a77e4d5a736ba0f472840eb018f3ccb748b04

SHA256
ea9fb0d6b2a2cf39ea5b081e9ff10b99ad42ba4b038b21a68673b2b72a93cce4

SHA512
989975c83b5f111bdee4ffedab79a6198092dcbe286affc48f2729b95bee821ba672997a2c861f6deeddef30cb6848f2b07a8238dedcddebc2c8754c4dfe14a8

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
72KB

MD5
10cf7b44b00c884cde3e44560fb2b618

SHA1
0f0715fe14336bf4c30b61fb752e1d042b3ebbc6

SHA256
1fd4ccc17996098e9d8fc951e4a18936577528810d0216ab592f42dc64743bff

SHA512
d811fb4e260757f31340b90d0e3f01e7d12c3d9d809b347a5186b53329c81da7069662a5cb55ea103e983009ae11e58a0955f773de2e22fe7b7ca456dd0ff284

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
72KB

MD5
162509c6229ca364c067d080a8a97bf5

SHA1
a72da56239cae933d7ed03d2293fa5d00d362f00

SHA256
44b5c835f17ca387a50e0cccf9112b244291ab14fc3e31bdd6d339b50e3fee04

SHA512
a776ab4690ea6c1cd08a2d2281ae49e4282bdef011d01561c9edc918516805b64708a9ee6fb011bddf590bebb269158ac5e6e9f6070594aaa12ef8110229a23b

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
72KB

MD5
55c36551db1dd4de61773109e54c8654

SHA1
2a481ba6cd3ad2cad4185806d89d066e57fc7cca

SHA256
e74a4744c17f87931fc58e6125b735e9dcdf61adf8035d2416c652a14910ecd6

SHA512
25d94699970ec964afbe91cb6f8109c1a8e97f841216ddf21e0ab3ab94329be40bf55fb915eced4e90ff59082a1a6d2f2ec4b246279489e1c1feb6eb66a3a2ba

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
72KB

MD5
d549880485a8ffcbd8857b63c8299b3d

SHA1
441157cf72fb94e358cd0d709548aee3d0f65628

SHA256
d1edcdb3b80ad7d894470503162afa137a799982989458228dc125396d982928

SHA512
1b163a58b3fbfcfe4d3e7e121b8ac31f910227fdd753e0cc16a34a067663a1f46046bb727c9e3dc4057b9bb6e2ab91dfa1aa49ad4e809214c986b17483212b38

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
72KB

MD5
0440f3aa07a3f61a5ae98c34359d6025

SHA1
585c8ff9125e8fcf0653070976a39f6d43cbeab3

SHA256
86b540cb445290a4dbf0d44e545c478002530710842e3fa734dfbfefe7551558

SHA512
70f308fe7e48bbcca629c08c1ac92920a18746c1fa89668be6c3164747332161e8f0961774192be6520eec18bbabd44dac603d89767f47361fb91b73fa0aed4f

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
72KB

MD5
eb187e91a80186a52e89d83104744f6b

SHA1
46e712c2d523ecaa8e712efb2da5c8d18a505e5f

SHA256
3573fb09580d9af18216f99b1f183246c16307b44420431da95a2d8e21051ab2

SHA512
ebfc42875fbf89eee1867ce43f543621f61e02fb6dcfc0a19da0175e717fe67617aa9893fd6068bedec8512ddc9547b67d365256e67fa5ea369e8d19f23eafa4

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
72KB

MD5
1d081de50e920200f10b892d514421f0

SHA1
8e5215edc3b5d43bf1c573ee6e95afc38ac49926

SHA256
1b0a3bca9769f09916e2b94d924ac8579c58dee697e2b894ead89437faa73d67

SHA512
1e7475ab909924ffc189410d16f39314e475e24bc70e5574a8b8b33af8e07af8c3a34e707252c4b02e981f6b72e2548bb12dc314c74bab5524c5e5fbd6645a16

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
72KB

MD5
5e614f0114f1ee089d74baa5748b1928

SHA1
1b1f2fdb8c6164bde59b9b85132bb6d092e01455

SHA256
7a3151838f6eafe32d30b0b18a7539bf198f49801a5b51c1ee3fefa88faacb29

SHA512
7bfdec32582f6174755612e9cba564a38d5b9d15fc7d8c62b41b9f6503213e53a82656e0d61677b230b205e3ce161d78cc904c1bee4b5c2bb0611b127b479edc

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
64KB

MD5
2d2086ae5bd657a0db78d3f46416f7cb

SHA1
00107be5a54577f679ab663fd33d32009bf3e5f5

SHA256
20b86b3185d3caf8fe5c2e194955760065c5017472be5c26e4e00a1071a46df4

SHA512
f974a39c674d3c1b9e9fed7cc271ca91e83aa7f43cd182f153cd693145031b5f6398782c143aee6818b41e2ad906ebc1cf3c5005fa61baea8717b229bc3c2e30

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
72KB

MD5
ffb686ddbad9696dbd8c0310e84f8ed7

SHA1
ee5cfb6da320750c105c727bb680f2d3050d5d50

SHA256
deba64f2dd65ca0a69b0bf2fee8845f24a45270342f037cb651c4a2da070bc8c

SHA512
035847f201453707fade398b0729127fbfa366b2852186f9b48631ed36600e94340b8c3d168f7134e9eb6d4d62e1de2d889ba38b78604bc7ec21a1d52183920b

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
72KB

MD5
27a530929d8b144744af8da887ed4ffc

SHA1
bae4a60a7ae601ba2f8db7d33dd40600e2242db2

SHA256
0e86b3a32b01cb4864479cfb777ae0e735ad4b970e9587f4d382ea7350291bd5

SHA512
03022a58803ee8ab9a97da65db902b10e27a7b95077c42b621c9ab979c1ba1dba2fc26a68e62effffa1e8b2e2990577e66277ff4a1b37a6886f641f42e1a0ec4

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
72KB

MD5
e734a98c6d14032e3b6e1ea274deb3bd

SHA1
d271b0244afa1db37ada00d385e79b142e591180

SHA256
186ea75c624c4b554a37af809ab1a463bd998bff5fecffbe7c70d53d8f191f73

SHA512
221bd7af6c7bccddad5923a5d249caa39b40a8e9fdbd2740711f67cd20941df65adf1f129e2fa7c471d92ed1778fb245632e53d66391bea189af6e3c7dc7fbcd

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
72KB

MD5
52255ab2c6c13aa14c1335e7e3de29fa

SHA1
3557758a9dd623689e67d301c86e27db97958be3

SHA256
d84eb18ce9981f9d06131b68763bec30832b4ae3d0d930033963080277cd7216

SHA512
ffa4176c323d00e41c609fdf9943b0e0fa0bc2dd574f3057cac001d52de670048323bb318862ee8d460e033394fbcd796e1dbd49d5384c69609a316646b8de64

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
72KB

MD5
3c1b100a8724ff2c7cdb19ac2ef2611f

SHA1
6f86a5953c40140bc0692c271c9fabea832d743c

SHA256
ff71aadd3b911de2f80e0065675c38a23fdbaed8d20934a12bd2abf36d6df52a

SHA512
666bf475fb22809b8b778e6ac0607c86fd081a28a45e642041c61dbaa7042722af0ae6df0e2692a05bb5acc28893bf6ff25fd97dc1be481b260f517b15b5ff6d

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
72KB

MD5
0c146893b4653c6c5fdd11caba1c897c

SHA1
d85ccc2e5259274d9625ccd2893995d5c59e36ab

SHA256
b7c51297f261a609736968de9a6e6569ff442965c5f949baaef08afa8c8da9f9

SHA512
34f4f17e8dfded87a3767cd9f1517edfebe58a35190ea4fe56569b41d8340228435a0d425f540c2f9cd5aea5320fa8be09819c1bfaec689e0818118095eb399e

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
72KB

MD5
a2f0ee784cba77f6bfc3b110c38ab127

SHA1
98e75ce54e2de0c7de32414d82dca4a52a5982f5

SHA256
ec39b3bfd22cd05889fa866ffadc5e3e1f195fb8891774c3bbb850cb1a158e86

SHA512
8d30118a7b63f381de78cec1785c81a5b20a87751371f13c1fc84eb93748cb633776219de572ed3eb9bd8faa800d0a08332f94c911597bd9a73c9d8d7a9669dc

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
72KB

MD5
f8321c228cca68e239d3829115320836

SHA1
1480d49b1e4208f9d689e381a17e3405325c8445

SHA256
45689a032387377dde689b10991fc3bdad2907467cc41cfcc0061e163f90e58b

SHA512
21efbb5e5b1328bba814de9221b7dd1e1a95f8637789554003291111edfdd1a5221296d4c27b419cf5148447212d05860aa385839887fee6ee8d1b6c73241fcf

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
72KB

MD5
5510a88088b625da4a333dc03a63a858

SHA1
c2146d8119c0333db18b84cb81ea0f95fada9055

SHA256
ef62ce9f716611ccc15455b906e7b6def19c9380f87365f677a42551b7a985ea

SHA512
c89d1522e2ef11894cf14c2b629b83979af9fd2a7c6692cafd30a66179ede637467a1f5b510b7afcfbed95b51415ace50f98c3a607c56fc15636d9a35fceae14

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
72KB

MD5
95bc873af1fd4086b8d45d05991c04b9

SHA1
bd225a687fa2ea424b32a7df4fef51a0828f3227

SHA256
4200054f404970172a66c003c1be67baab76eec7b2772e07dada32ee8109c9e5

SHA512
d87685004b517aa3684d93d544c3f146130db03a7eace2ef91a9cd9f9c07cb35af34e0516b98369a559680de1dcc11e565785603f9ceccb10fefb4d74f8a069e

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
72KB

MD5
9606e646f063b919f263a68ab3843582

SHA1
3f54c6dac91642fc358de9a2c373494d1cb8dfcf

SHA256
36871012a43c8c03f14b682a3fed202b9480c97af45ee224a5c4957e675b6df4

SHA512
00d7141058b8a9d52040cbe3e438f05154df80bc1ae62e20346f46d3afce2512a8691fb10a85032bb8d937fb7144c52984a492be79ab3834f80bb90feea1a5fa

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
72KB

MD5
c9709c2f8e78eba27ab5aec8bc358ed1

SHA1
d1d9e32bc405485dc8059ffcf62f68890c396cf4

SHA256
841ec12e1796ffa5a29198817051f466257be3d1581f0a2e4bc29cbd15deaea0

SHA512
28e2098d3ffe22809d7388a011a0a880e04a1408983d6e95264dca3184994317404d74bcdb31d432fbb7d2d233fae4e5be51812b70fa73e53f4d428b385d7f56

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
72KB

MD5
aaa9921e409575e839a0c4874ce3a7ef

SHA1
8535db8ceaac90386808d6cc5767d8f438bc85b0

SHA256
243d295fe2e30e2c76b071f1b0960cd3c387e86f98b9e34a34dd1cd0f0b0a0bc

SHA512
ab98de6d9688c9cef72dca451a26cd9c99caf4ebea0356e2c0e2c12e92f5eec347c00411a93e8795f70b154d756daf875bf0668f357ecb2639ebf3ee09520ea4

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
72KB

MD5
56a09bdde2595b918a7244660ea7c42c

SHA1
5336d689bdddfecaeb0de4628a653fcd1ec40b84

SHA256
27fc24249a2e0d759d080bfbfd74ef05db6e93a375e5216536760f55e18a5a5b

SHA512
02ae889e99d9dd8c69569e93c0ddd5cc2f7391fdaf8408f7a18cbb1d1e2bbc0b9f8f0146996ab6782c44606f5c1eb6b72caff67738d2cd402cdb10d7eeb085c1

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
72KB

MD5
5ae9b9053ac03cee04f0b5fbdf513099

SHA1
655dfaf6a198b009a248dbb96d4b313a83a44d78

SHA256
1a9c02132e2fee252e0f2f0fa88e11f4b937b32421e910b491ba7a758dd541cb

SHA512
5a665126278c308b332b81ed422209856a97b91dd709d5695bc1523c66e87ae9cfedc2e6a54ace02f3da9a0c9655983102be7b63cfb5fc3e22b40ccf682fe8a2

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
72KB

MD5
f14b899ffbc87d339ddab89c40f2be63

SHA1
de4e4d35fef120fda436b57fcd7bad00e1cadf10

SHA256
8fb54adee0f833c5c9bdd8886e5974cfe5f2d5b18e98d154e5ec4e0f39f48596

SHA512
18ec8c07baf7c4b25518d53c50b7866bf6ca4d5ff6e255ee2f600a8ea1330700b7f2f495e6ba533968470f32b5e47f3c7ef64b3b7a83049928ce151d967dfa90

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
72KB

MD5
6307f31e47bed375b3749741ade80eed

SHA1
e8084447d1058187ac1635e1f223d64ce03874f0

SHA256
a60a9605157a7edd33f125e22a81a408e802d83075a571b1a3f7eb5032b7585c

SHA512
794bfbd878d35064b0e8592c6974794f3dc182464135d7aa2958e474e704b8efca32d99442743d91bd74d050d2c0fa87fc775f654a21e82c6daa39b8af759bb0

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
72KB

MD5
5b9119fe2a8a314c36dffe3701bc7134

SHA1
5b00251dd03fc029cb3725d91e1641182e8863d8

SHA256
0ff9a76479992b54cc2af287eb81c0fddde8e378b45255dd0b6e0fe8be8aaf99

SHA512
a3a4db03670365970b299c84643d1bf9e88f790c55f670c5b08e64b4932e8641b423ae15328795ad2ac06a6d4873a251c57237ad3754390e164065edcc5105bf

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
72KB

MD5
4747dc9b6b44fbb31443fc59fd3073ec

SHA1
68406bf032ca3ce93ae94deb347cf03ed929b868

SHA256
83b76b966ec17510648f6b12b3e22f786cb665331ed88700ec12e0f1dfc03d05

SHA512
a3bd698dd27f7b73f2e2a7ec653a25516cda02cc690a58b27836cc61f68a610d5fe6623e347b9193ff16cb19ea7ab1ea6e448c2ead4631b660a4879dbae6f68d

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
72KB

MD5
16ce097b55d3990aa084cafeb809d863

SHA1
24074c27e89169809c7b79f48c9f4037c834315d

SHA256
204c4e9489b0896309da6fce360ea223232c3c15c92f7aaa427fa198bace5900

SHA512
ea89abed50136ebfe9c67d33d25ac6ccdcf1045495f7ea6c6991d0f3dfb813e93efe9d10c017fbdfeb66d019bebb25d9de77a6aff076031e975b3a0c07707dd8

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
72KB

MD5
782d53816d64cad2dc058d6eaa81a480

SHA1
2c6e52b628e3d8310d4e37ae0d689ccad955d2d3

SHA256
ac6a6fcb09ba40ad8809a6997d02e03d7d101d10618598157a0eb1f718905a83

SHA512
d04d20371677bf500164a9cd9d176984175e1f13fd5ff946d32566d2aec0c6612569f608f10265a79dba9210ee616b3b8df3886b38492a7bfb41bd11d2935c8b

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
72KB

MD5
9285b6b69d6396c9f4ae9aeecb4669e7

SHA1
8f0c9a1eaf2dfbe3696be8755913afb40e8514dc

SHA256
afab15f3e386f0b91fe146a1be2fa104dbdb1582799ee0893df70e8d583c1ce4

SHA512
880050327a4712f5b1a3555571f315de311b840c69df2326e99f30a6784076caa10f08fadec63451e695a02f5e3d949af58fac9f47e3df452ff597eae122f07d

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
72KB

MD5
9abc52d8c9f744f878341f6c90a40238

SHA1
a004c00de889bdda2bff76cec62c0f8dc1fdc958

SHA256
d92fd1478b1210895bb333e24c67c3697b23a4fa677e16706ba95b5350bd301b

SHA512
ebab2210b44b16bace51966d031d88dfaa6baaa082724d78b683401b83d890723b2f17e58922d0eeba38b4180a2e9228dff363b7eb9af39bf1fcac0d0ed3711f

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
f8a0eda5230eee5469c9bcfc46b4612f

SHA1
361b876516b4476d09bd6fa3ea15b60f1ecf75b6

SHA256
666e17f3b3246cbb11a766064b4489484d5014557ef5295c8807c29e74d5544d

SHA512
aaa10251b23ea9ae2e01c9b958dc805637b0a2e0eee30f613c403ac1f694d6a9e197c04c731e8476ab1f650a55c97d06c04edaba9f714724f94fba4215f47694

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
72KB

MD5
0d5de1e79f0a3e9ba36c3464ee10eb16

SHA1
01e162fe7ca4f04ded124b11d4bcd44330db74ab

SHA256
75d34955ed4fea6d8eae5c25a96608d6babe2825d636381b9d611c21b2f9b931

SHA512
012474963d6a6bdb810a1dbd2ee1234985988b1e71c9e064669daff58f5ed9bdf849303393bbbb33fc251b4915deee73a17cafd9fed3dcf1368d388a52f8a091

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
72KB

MD5
7019e45b35743185bdfcbefe8eb67145

SHA1
b8b2b2b2fadfd6b06d6b8b1ca5ecea3ceea8443b

SHA256
e58c760cc3b445032e9a5b838afbae1fcc8f167b39988597ac71e9364139b38e

SHA512
45c6285b30161bdf7120609a95a0b5eb3d60d9da9a04938086b0bb4c99f9886ee0daf07d305d1d0de2a34e8fca05b98818bb37546e7f20f0be5b4d1a58a18f5f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
72KB

MD5
e11a7b861139e468c33b10927158cfb9

SHA1
d2158735bbd296606ee51a3bc38c75f399dede8b

SHA256
cbb03147927cea94c934f3347bcbc9bfa1b8492d71cd4a6cc57fe8070526b659

SHA512
214b97cb9325febae8f8e6598a54d8c3ed33c9b5f0cd7ae3b73e0bace644404f0cf81da85416ba5ac6f7d188e9a2f20d3c13342a223ee8039e73eb9a4378807e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
72KB

MD5
b043e2b471141124a3fb4652b8b6022f

SHA1
346833cb95495f909f05888d1e1c90b5ab04caad

SHA256
5ccbff33d4d086083937bccb4398060aba62f8d139ad113371ad8b2cf4edbb86

SHA512
0fa85b1516491bb5bf830b9b13140f071ae26ceb4fe6c01b5d874644cf64356695b001790c5e00a9af4203a7bf69386fbd517a78f9826345ed82da80d66eb1aa

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
72KB

MD5
5d1afb5c155818317333eee14ba709f5

SHA1
4ee0a69b38337d3eb1baf1e28d6c50992091ce23

SHA256
e5f740329145005e5499f9e6c08b8ce6a9207e18f17d0e73ab35df54a8c09aac

SHA512
0a22cba726bf3b101b60dc42189a1791342cdae1dc96dae1b92206d86f1efb2701964ff759865e6547c639b74870f1b12dcd57d67ca55d2c97d663cc0df9f3f1

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
72KB

MD5
8e39446eb65c680a07370a7e1d4e008d

SHA1
fb7e628df872e9b92447d3baa9d8c08dea53a434

SHA256
efc9e4e2a09d5bc4bc457c106ae859374b355e305301c0ff4947dafceeb687cf

SHA512
2956be43b74c7f8b998b7278ff2993a7a3c5fb0e5aea0f9c19e2ce47e54c5721647673a1bd46e0fb9dc2d414c09d300a4c702abf153f19c069607c1c6085f679

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
72KB

MD5
3068a4e40dedabe107ae486b6682a8f0

SHA1
c6b8d4cd259b712ff26df7cc052d6fbbd9f66b76

SHA256
89c132f12ba5d2e8d7fe2e73fa3b7384420a6c0be7e52c99502f8f3b688ac3a0

SHA512
1c21dfe795f80ed454123cdc9e0d26947481ccc1be86259d2a99dac254f118c501f96bef42f6636d454248c12fc7b2d44a38e6f2da87b65de4e66fff03c042c6

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
72KB

MD5
c2f4891420eeead77a30c4010596fb77

SHA1
64ebf6749ba81f6080b69f94d512514e15f40e3d

SHA256
e5d6e475c2ca5ae781e6c83b565b20403678adcd773a19a210dd9d2c67b046ff

SHA512
de671ecc4bffaf5a646e8d3256cfaacc706c68fd99b9f60d07b5080251eeb57a985fb8ea4e3ca03941725afce3789c7aa233fa0c81ee494a1130e10807ad78bb

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
72KB

MD5
ed96d71a91d002b99e5bd5934e94b37b

SHA1
a64aa97e4ee45dd46f3ec152ab0293d1dae1b151

SHA256
4d50b7c8a8ae445eea6d9fa6ebdb764f1cee99f3bf56c63523ae1839c5d7bbb9

SHA512
2a3f3632a8f05bede486c86ad376d7f09b7c5d6f25eb20723f2f0b9fb1516411dca50c109f9a57e8f7efcb202dc432a4095f8a4f9cf6c0d19bf192126b11c6ab

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
72KB

MD5
6cb469f088fa39b2b44cc1b997fabb4d

SHA1
0390d515bbce48f5f20e69f68ab0dc3c6a280a44

SHA256
9d6c7344baa895de5e01a6a5c59ef1ce6d7a63b1e90cc0ea1cc5ad59156e7627

SHA512
6bb56e6da3f1a2d759753d3d72597e49329860ae1bb1a297d8b9ec80da69b417a1c33e86a9e5e887fb8e387dc10cb2cd01e226bbfb6b622bbad108b7f7026621

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
72KB

MD5
0145494c1b2bb28337ab66427f37ff8d

SHA1
208fbd454e064da7415c477e4e159d08b46a0da9

SHA256
ecaf6a8c7c6eac8d1256e21792382abacfaaa3a4ad53378966d26ca7aa629bb5

SHA512
b3006529130a76577c03db51a1040f003ee3f3d1fcb336465cd28b6d482f229fbf07367119922391ef9f2796580d5ae69f6ccc07a39e64dcd6738ad94d8006df

Download Submit
memory/320-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/464-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/680-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/680-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/736-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/736-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1028-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1268-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1268-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1420-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1420-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1676-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2384-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2384-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3332-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3572-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3800-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3800-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4144-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads