c5d935ed141f84fb944f1f671f4544b4f91158c891574057dd71317c82f848cd

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe
Size

80KB
MD5

6fc9458d07a5f3f2801d87bdb25ee6c0
SHA1

adcb221980ecbdffe41a89bf407a343119f1c7e5
SHA256

c5d935ed141f84fb944f1f671f4544b4f91158c891574057dd71317c82f848cd
SHA512

6fd5c0bd5a59ceb2fc299fe1f30f081b62e32b94b521827318d80d02a54190b99533845aaad9faa97c38fd0884207a74f7bb37fb6e58fc9c3f9e91ffaae4f86a
SSDEEP

768:Q0r2aPIFwbmpHX0bVn3X93w8MUmIuGPilXaa3CacFR18z2MPKZlHo/1H5vjXdnhz:3hbC23Xp8bsOrPqlHiVhN+zL20gJi1i9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfbibnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleiam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flqimk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoaihhlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehljfnpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe

Executes dropped EXE 64 IoCs

pid	Process
4388	Blbknaib.exe
808	Bopgjmhe.exe
3600	Baocghgi.exe
5000	Bhikcb32.exe
4428	Bjghpn32.exe
1832	Bbnpqk32.exe
816	Bemlmgnp.exe
4440	Blfdia32.exe
4376	Cacmah32.exe
380	Cdainc32.exe
1988	Cliaoq32.exe
3164	Cafigg32.exe
3052	Clkndpag.exe
4268	Cahfmgoo.exe
664	Cdfbibnb.exe
4028	Colffknh.exe
2968	Cefoce32.exe
464	Chdkoa32.exe
4684	Ckcgkldl.exe
1948	Chghdqbf.exe
4364	Ckedalaj.exe
3852	Daolnf32.exe
4956	Dldpkoil.exe
2184	Docmgjhp.exe
4116	Demecd32.exe
3972	Dlgmpogj.exe
5088	Dbaemi32.exe
2260	Ddbbeade.exe
728	Dhnnep32.exe
4964	Dlijfneg.exe
3948	Dohfbj32.exe
4328	Dllfkn32.exe
1220	Dceohhja.exe
232	Dahode32.exe
3068	Ddgkpp32.exe
2756	Ekacmjgl.exe
3388	Echknh32.exe
5016	Edihepnm.exe
2792	Ehedfo32.exe
3392	Eoolbinc.exe
1756	Ehgqln32.exe
2252	Elbmlmml.exe
4460	Eoaihhlp.exe
5104	Eekaebcm.exe
4108	Eleiam32.exe
4456	Ekhjmiad.exe
2888	Eabbjc32.exe
1100	Ehljfnpn.exe
1032	Ecandfpd.exe
3636	Eadopc32.exe
1720	Fkmchi32.exe
2944	Fafkecel.exe
3656	Febgea32.exe
2708	Fllpbldb.exe
3040	Fojlngce.exe
4060	Faihkbci.exe
4124	Flnlhk32.exe
2788	Fakdpb32.exe
3604	Ffgqqaip.exe
5108	Fhemmlhc.exe
2860	Flqimk32.exe
4064	Fkciihgg.exe
5024	Fbnafb32.exe
2996	Fhgjblfq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jmknaell.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Demecd32.exe	Docmgjhp.exe
File created	C:\Windows\SysWOW64\Paihpaak.dll	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfbibnb.exe	Cahfmgoo.exe
File created	C:\Windows\SysWOW64\Bejfanad.dll	Ehljfnpn.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Fbpnkama.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ajdhcbgd.dll	Baocghgi.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Cafigg32.exe	Cliaoq32.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ckedalaj.exe	Chghdqbf.exe
File created	C:\Windows\SysWOW64\Fhgjblfq.exe	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Bjghpn32.exe	Bhikcb32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Bjghpn32.exe	Bhikcb32.exe
File created	C:\Windows\SysWOW64\Jcpfco32.dll	Ckedalaj.exe
File created	C:\Windows\SysWOW64\Flqimk32.exe	Fhemmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Fojlngce.exe	Fllpbldb.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Ipbdmaah.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ophfae32.dll	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Jmknaell.exe	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Edihepnm.exe	Echknh32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Mgqddl32.dll	Cafigg32.exe
File created	C:\Windows\SysWOW64\Linjpeof.dll	Echknh32.exe
File created	C:\Windows\SysWOW64\Lgmlbfod.dll	Flnlhk32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7280	7812	WerFault.exe	370

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oalnaifk.dll"	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejfanad.dll"	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll"	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll"	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpqdba32.dll"	Bhikcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll"	Colffknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flqimk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbaemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpfco32.dll"	Ckedalaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmaef32.dll"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpjp32.dll"	Foabofnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4388	4560	6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe	82
PID 4560 wrote to memory of 4388	4560	6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe	82
PID 4560 wrote to memory of 4388	4560	6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe	82
PID 4388 wrote to memory of 808	4388	Blbknaib.exe	83
PID 4388 wrote to memory of 808	4388	Blbknaib.exe	83
PID 4388 wrote to memory of 808	4388	Blbknaib.exe	83
PID 808 wrote to memory of 3600	808	Bopgjmhe.exe	84
PID 808 wrote to memory of 3600	808	Bopgjmhe.exe	84
PID 808 wrote to memory of 3600	808	Bopgjmhe.exe	84
PID 3600 wrote to memory of 5000	3600	Baocghgi.exe	85
PID 3600 wrote to memory of 5000	3600	Baocghgi.exe	85
PID 3600 wrote to memory of 5000	3600	Baocghgi.exe	85
PID 5000 wrote to memory of 4428	5000	Bhikcb32.exe	86
PID 5000 wrote to memory of 4428	5000	Bhikcb32.exe	86
PID 5000 wrote to memory of 4428	5000	Bhikcb32.exe	86
PID 4428 wrote to memory of 1832	4428	Bjghpn32.exe	87
PID 4428 wrote to memory of 1832	4428	Bjghpn32.exe	87
PID 4428 wrote to memory of 1832	4428	Bjghpn32.exe	87
PID 1832 wrote to memory of 816	1832	Bbnpqk32.exe	88
PID 1832 wrote to memory of 816	1832	Bbnpqk32.exe	88
PID 1832 wrote to memory of 816	1832	Bbnpqk32.exe	88
PID 816 wrote to memory of 4440	816	Bemlmgnp.exe	89
PID 816 wrote to memory of 4440	816	Bemlmgnp.exe	89
PID 816 wrote to memory of 4440	816	Bemlmgnp.exe	89
PID 4440 wrote to memory of 4376	4440	Blfdia32.exe	90
PID 4440 wrote to memory of 4376	4440	Blfdia32.exe	90
PID 4440 wrote to memory of 4376	4440	Blfdia32.exe	90
PID 4376 wrote to memory of 380	4376	Cacmah32.exe	91
PID 4376 wrote to memory of 380	4376	Cacmah32.exe	91
PID 4376 wrote to memory of 380	4376	Cacmah32.exe	91
PID 380 wrote to memory of 1988	380	Cdainc32.exe	92
PID 380 wrote to memory of 1988	380	Cdainc32.exe	92
PID 380 wrote to memory of 1988	380	Cdainc32.exe	92
PID 1988 wrote to memory of 3164	1988	Cliaoq32.exe	94
PID 1988 wrote to memory of 3164	1988	Cliaoq32.exe	94
PID 1988 wrote to memory of 3164	1988	Cliaoq32.exe	94
PID 3164 wrote to memory of 3052	3164	Cafigg32.exe	95
PID 3164 wrote to memory of 3052	3164	Cafigg32.exe	95
PID 3164 wrote to memory of 3052	3164	Cafigg32.exe	95
PID 3052 wrote to memory of 4268	3052	Clkndpag.exe	97
PID 3052 wrote to memory of 4268	3052	Clkndpag.exe	97
PID 3052 wrote to memory of 4268	3052	Clkndpag.exe	97
PID 4268 wrote to memory of 664	4268	Cahfmgoo.exe	98
PID 4268 wrote to memory of 664	4268	Cahfmgoo.exe	98
PID 4268 wrote to memory of 664	4268	Cahfmgoo.exe	98
PID 664 wrote to memory of 4028	664	Cdfbibnb.exe	99
PID 664 wrote to memory of 4028	664	Cdfbibnb.exe	99
PID 664 wrote to memory of 4028	664	Cdfbibnb.exe	99
PID 4028 wrote to memory of 2968	4028	Colffknh.exe	100
PID 4028 wrote to memory of 2968	4028	Colffknh.exe	100
PID 4028 wrote to memory of 2968	4028	Colffknh.exe	100
PID 2968 wrote to memory of 464	2968	Cefoce32.exe	102
PID 2968 wrote to memory of 464	2968	Cefoce32.exe	102
PID 2968 wrote to memory of 464	2968	Cefoce32.exe	102
PID 464 wrote to memory of 4684	464	Chdkoa32.exe	103
PID 464 wrote to memory of 4684	464	Chdkoa32.exe	103
PID 464 wrote to memory of 4684	464	Chdkoa32.exe	103
PID 4684 wrote to memory of 1948	4684	Ckcgkldl.exe	104
PID 4684 wrote to memory of 1948	4684	Ckcgkldl.exe	104
PID 4684 wrote to memory of 1948	4684	Ckcgkldl.exe	104
PID 1948 wrote to memory of 4364	1948	Chghdqbf.exe	105
PID 1948 wrote to memory of 4364	1948	Chghdqbf.exe	105
PID 1948 wrote to memory of 4364	1948	Chghdqbf.exe	105
PID 4364 wrote to memory of 3852	4364	Ckedalaj.exe	106

C:\Users\Admin\AppData\Local\Temp\6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fc9458d07a5f3f2801d87bdb25ee6c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\Blbknaib.exe
  C:\Windows\system32\Blbknaib.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\Bopgjmhe.exe
    C:\Windows\system32\Bopgjmhe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\Baocghgi.exe
      C:\Windows\system32\Baocghgi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        23⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        24⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        26⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        29⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        31⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        32⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        33⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        34⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        35⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        36⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        37⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        39⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        40⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        41⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        42⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        43⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        45⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        48⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        51⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        53⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        57⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        59⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        65⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        66⤵
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        67⤵
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        68⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        69⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        70⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        71⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        72⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1724
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3892
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        75⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        76⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        77⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1968
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        79⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        81⤵
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        82⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        83⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        84⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1840
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        86⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        87⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        88⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        89⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        90⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        91⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        92⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        93⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        94⤵
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        96⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4584
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        98⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        99⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        100⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        101⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        103⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        104⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        105⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        106⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        107⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        108⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        110⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        111⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        112⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        113⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        115⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        116⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        117⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        118⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        119⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        124⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        125⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        128⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        132⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        133⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        136⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        137⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        138⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        141⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        142⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        145⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        146⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        150⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        151⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        152⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        154⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        156⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        157⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        158⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        159⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        160⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        161⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        163⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        164⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        165⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        166⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        168⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        169⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        170⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        171⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        173⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        174⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        176⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        177⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        180⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        181⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        182⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        183⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        184⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        186⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        187⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        188⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        189⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        190⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        191⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        192⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        193⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        194⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        197⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        198⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        199⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        204⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        205⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        206⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        207⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        208⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        209⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        212⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        214⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        215⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        217⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        218⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        219⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        221⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        222⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        223⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        224⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        227⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        228⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        229⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        230⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        231⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        232⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        233⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        234⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        235⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        236⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        237⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        238⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        239⤵
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        240⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        241⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        243⤵
        Modifies registry class
        
        PID:7476
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        244⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        245⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        246⤵
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        247⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        248⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        249⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        250⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        251⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        252⤵
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        253⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        254⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        255⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        256⤵
        Drops file in System32 directory
        
        PID:8048
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        257⤵
        Drops file in System32 directory
        
        PID:8096
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        258⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8184
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        260⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        261⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        262⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        263⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        264⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        266⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7768
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        271⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        273⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        275⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        276⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        277⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        280⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        281⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        282⤵
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8168
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        284⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7488
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        286⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        287⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 404
        288⤵
        Program crash
        
        PID:7280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7812 -ip 7812
1⤵
PID:8124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
80KB

MD5
748539db64bad9bf3f8c6facd7086fb8

SHA1
17a5cb3dab227fdaa02c447e9304bd2553d8f1e2

SHA256
da855a650f7a290b9063df6d9896951d7f2bbae1c8b9ece3fd27494302c2c692

SHA512
2def1aa8641704c769b946caaf7e9aeb9d40dd774ef2fb098c6ce6ee3dc702b9fad90940880caa3ccb291dafd5349791b3cb53e848ff60c19be06dc9ca7dcbf6

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
80KB

MD5
b857951fa8a8d4605fd15be910e5f693

SHA1
cc6e859f0ce930d5bd1f443f791b23e823487a43

SHA256
eb523601ca4ccce9cdc485582b1ac4b4c503a0f2defe09442c3110caf32160fd

SHA512
4235804574eeeb4b1635e7bde5ea65acf2fd2119cb5791f66990c08aeca0bc505c7e1be32728407bded73765be5dfb90c0fd6dc0c476c494613f932b90f61891

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
80KB

MD5
fc91ed8069ae7d685ca711c7fb775f61

SHA1
8fead0f9d4083a77c3d1d68f6be150759c04bc31

SHA256
8fd1c2c62edd3443b62182767063149a93dd2251aa646507e1b81eb838bb64b6

SHA512
5cd1f8802c48ddf3db75ab40884826f659a9c94676a2ee6ba826e39f301ff0f0743107de1fe2ac5484a84f6133d8f7626905527d159447330000cdc7d31bc8ff

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
80KB

MD5
6ae156939cbb9ba6743d28e60ac564c7

SHA1
861d69384506c113463e4b7fbc16154d1b485906

SHA256
51c91fab59849be6b049fd316ec68371e29e311c460988121c6800d599789fb6

SHA512
8b59fae0c4cd37075bba283521baaa2dec5d0544f0c4a2f11d2aaf6fcdc8983fe519d992a69c1a7c57596646221942d8dde3941e58f6b5d01ecf83ea5ebd1ba9

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
80KB

MD5
504be5027c7de64d74750a4f0bdfd59b

SHA1
dab6f44644b22505125cf9d9ae72cdd689ac6cdb

SHA256
4ff455c76e95e484ebc9b80731c1e0f9377b4f5a6e54fdebd6f3fad4d1343ea9

SHA512
a573a9d55e0505de45187fd73d586bf09ec8067756957fb363d272086546e5fcc7ee58763edf90a6c99442e56abd78e1819391221f565a106481e61f754a975e

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
80KB

MD5
f341557eb32f92736de8fc6f499625c8

SHA1
5062a9bfff46618e03511ef538700f49241817df

SHA256
ac14b5874dd12627a8848e6f2563a5831bcc1facfeb5625ffc6131cefb45a2df

SHA512
aafe3a45df1ac09539a59a4de099fdcb14d2b54c58baf76393a59c626d009824f33d829cb0e44f9fc154cac18b23acd47e37dbf4b6044f3ad8e20f800990c270

Download Submit
C:\Windows\SysWOW64\Bemlmgnp.exe

Filesize
80KB

MD5
6be4b19b2174fee8b6a517b092c386b1

SHA1
6b3b13fbdffb21fc76f503937967d4384d0ade55

SHA256
872c33e76d9ada9fe3b397ff05577108972ca94697c09bcbe2d6ae923bb95c7b

SHA512
ab89333e15b1449496e48fb84a6a1a7a72db019794578120d8719e6366f207b3b19b87917fbf252b1d298df0532588e0e3d297e378c62691281ec660224e0945

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
80KB

MD5
61b362c5215df2b1bb474c2c16308a81

SHA1
bf689ffcbd42cee021446845c39cfe66f01ab456

SHA256
02e3933134b1f4e55365633f8e1791bdb2bb0a50b2cd65729607f2cd72d37542

SHA512
be15726b5c448203911d956704a0aab72987233ce51de8236bfaf786486895ce4ef45dca8703746f11d5c73ca7b534c44690cbdfc19686bd12ad5d00cc22f9f7

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
80KB

MD5
c4a2fe1690b3f38e495a32d7200fd7e2

SHA1
297a20e232f8dac77b6b7e17fc28da58339b0495

SHA256
0d2cd2ce060f76e58dbaab58fd7548ca288a7e9e7271b8e59082db79330ba630

SHA512
84f61ef12d9d51c18838c742db52adae143b4edf18c2da05a709e7957c82db17d268edc675f6582b008d1b7e4c57178aff2dc05ce5a24d997c9604076656e71d

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
80KB

MD5
9c7acdf2303782d55ab3ba76695226f1

SHA1
05d9eaa8b6733d1e67ea2f7b088241470d66876d

SHA256
28e00573642a11ed603244b290386dd214d2687c529845dcc539adc03f38c573

SHA512
539b731cb30916b0842847550a6f934b901e049ef7afff6b4a7385bac921701806937a54c458868463149df8f0bbadc55d51d21f578ca76c62f92cd278f140b0

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
80KB

MD5
1db94394b4699d9eeb31879d29c7cdcc

SHA1
afdf61a393e1ffbc0c16e0aee4ecf4b4f7a9c193

SHA256
fd0a27556e92493c125fa233b0cf8ae11663edb729ff3191f410eaabb3f500fe

SHA512
7a3e637b6625464ed1ba61af9a399908c98630b886d1cc4393e60ac23c8a95688f967de489f6adbc5a7eb58d5085954232b2f6de723ff46a7ce63b3241009072

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
ce7b0f3896c973d0b3e79c405916b46b

SHA1
66afd5d548477203a5708876fba5b034995dcfcd

SHA256
6a489f4fa18bc74e2556b6b0c44076ea5b2492425698c76a03e1337679b8eaf4

SHA512
94c9bb88a476e08c8d681aaaf4b6448a7129c247dacefa8b4b429b9b50b260134b97597e4624d6e1a28df6827864fa135e34eac5992e9ea807725733b0fbfbc8

Download Submit
C:\Windows\SysWOW64\Bopgjmhe.exe

Filesize
80KB

MD5
9e0f022d88f8b37e940c5ca6fc78bff3

SHA1
ca450e0dda1bb51559b44f78d93a4e0a395b3ddc

SHA256
ba2638f49d0e0be96505457bb676bf1ed48bf7cbfc6434524e7f467f6469ea61

SHA512
a675f9c9ede883383a56bf145223a486de22b52d48ca4e9bc61f63be59036980a0854babdffec7047b68eae988bf8191adfc2dc5299c30a87a1233835782c2b9

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
80KB

MD5
810421785b7ff72092abcc08f5364ec7

SHA1
3487a26fb3610e049e0ce281d4c1d0cf061aebd5

SHA256
193df46ee3108c37118a0c37650a2f959e5ee4344230b68f1c79dd8014acc0b7

SHA512
3276bea8751a6bdde88ffbe754a190dbb072d11ca29039032bb80f052c4cbcadac23073ecee77a8d38b04f6140e6ab4956c4ac841f41ce20e1f5a5213640bfb9

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
80KB

MD5
44416d786b826f70adf15c9972eabae3

SHA1
6bbade320763062b99c2c56b520edc64af88b549

SHA256
3db02e2cf7ff08a34c33a69055e42299104c89cb1f342a6e4e76deb50262d8af

SHA512
3404a833d1301bcc4f43fc56cea1333d47e8be8f45044455703a0f06a2ff7e40eaf628fec408aba0f45b6feb13a4422986e0d63833193d70df99dff2b024c749

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
80KB

MD5
b0a803c3e5845c278a6ef35cc93079fa

SHA1
358915103a87547cf1c02ccd34ee612883a0e00c

SHA256
241b90665b8d6b934e9abea36319fe47ef51a45ce75a9f0a287ba8a1ba06df49

SHA512
d8f48d601fd928b5f212c5fb4b43d5406f106e22d42b659c863589f6799ae4ef9fe15b36fa9418eec41cc0a6fd647f5ebb7dd4e3fb95fd042b8f0e40c984e019

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
80KB

MD5
cdde2850e0d711d311eb1ae6c3ef3fa5

SHA1
a72ff31301800a5a3abfe9831213a451c411cdb0

SHA256
f93f01c291f24ad465091cd0fc387f056f692a90298174cb5ae15bad1772814d

SHA512
1ad7bfb1a916591e2444dcfd0a8b3a25ac739aff858dcdb8e5e85778fbd958f56be4b9abfa68a4edaa16b8e36523b51270987d058664a5b93fd99977d0457611

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
80KB

MD5
31a56b64301d248ca2f348fec52af224

SHA1
2624293bf26e7efb01afaaf809e8a04f3102b024

SHA256
cec24f8027f77816969b81c07521f3aa0480fe5111ac6b01731ce7a3329ba809

SHA512
d5f081d56c44321ae1d3916e8e18d000f7de6097425aa3113cf817979f983b02a69fe3208db8f08c9a80ed0f844ddaebee1e0689ea8627958de3b3130f2606ee

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
80KB

MD5
0884e965529aa050c91a877133690d75

SHA1
55f6c227cf82fd4ce87a75de0b1580ee2d92652f

SHA256
9bfc202ef5805b08bb0fba1476312983ec6604c0bdf7c8ee35b7e84be8c79fa0

SHA512
e4de82e06f4a0cae99da2d74e1fd0296bc3bc405ddbf61ae19d05f8bb222d60c82b2ad44c4dbb0e15a5db4d4b47de723bb2b261710a456e64fad2a636f85f00b

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
80KB

MD5
8409ea100e63499953c1701e44d44906

SHA1
37c33beafb9d0527ec8cb4ad55d07b7790408f47

SHA256
6cdd59a6b55e05d10d1651ed15eaf6329d11ec8c53b872f12a0d8f8e324a13b2

SHA512
f713baf08c56f5159352104c6d774c74eeac99db454d2665ebdf4c7c3a4c18fcc4a33ee9af1a3f3c3400236aedec5edcdfcd6a6250dbca4e22f22bd2b241a249

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
b64775fa7c58f0553f5c055426d57daa

SHA1
f6f50e82059de03250b0f0375d676d64a5d376c3

SHA256
451b7baa89c68b1dfed379d2179eea394912ca36b83d163387086ef2d6259988

SHA512
0f475ac0fdd95472366d29070b83727c3a87053468b755af6829579d4293b0de6bfb272438d3f43b6fc1bacc6eed94e54281bf5584074533b0a3c264e84e860e

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
80KB

MD5
8040c494aa9b68d6d0801e98cd5ed189

SHA1
4b6b3e8754ed4453cfdc83f79ff438b166edc4c7

SHA256
9390fe1d19e389334437ee857b59c0c395386c3ec91a7bb8f3fb3845abe27fb0

SHA512
c96654bd49739bbf2bf087f9d0c058c4d3271fca16eaaef2cef3425d081e2474b8dee8f093e144a2aab71368d7d1a842b5b29490c6a042626ce83fe309733962

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
80KB

MD5
786d4f28a1ebc2776bc9fbb116396c6c

SHA1
99403d894103a7efa4961fd2c5968a79dc1ea7cf

SHA256
511c5e533fd80497795b8dbe437ffd8a39f509fbb43315608eb97c92a40e6fb0

SHA512
58f19db0256b37d19208dcbf25237bbf8ddb17055d22d0c88e17a40495ee9127b19babd1cb94d43071137087d6c5e9ccac299290191154a7c8ae3b4a4424f371

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
8f509a9316ced10a8cf98808a6651a4b

SHA1
6d2fd70c91cc8155b6b522bce918fa1c68a58113

SHA256
0d5c9ca8881a33a17c9cbd3e7ff442367ef44ed44ad6fc6df6b71ea6696ae6d5

SHA512
06c68535a6e4f59dd6f6ff2dd2c0ae333130cfcae65488b5cfc3e36a29cbbe0748f512f375d5494132be3d779fa9a1bdfd477165f388e95ac21a0e472741093a

Download Submit
C:\Windows\SysWOW64\Ckcgkldl.exe

Filesize
80KB

MD5
cb828ba4c48383b290ec64d582cbe827

SHA1
d27a73272b53bfcc56b714b20d650956e58b6a7e

SHA256
e639aeefad1533a44670128731b723f27ec79b9521050dc257c7951f480c3b06

SHA512
e97c0daa07e7415cda4eb8910e1473369f3c2806f5c9049f0e9b74a1dde36f550af3984161c6ff519f92c38578e74f36e2d0a9c4ad44a87c8ce8ae22c7f842a4

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
80KB

MD5
49281e6f861af8ce6dcf9acaa3d4c5b3

SHA1
10fb903c1d23f3433b1439357438a0ee35277023

SHA256
0655a352cd77beb16e1b07ae684f266f7e1f12524542674385beba991d5cf51e

SHA512
e450f2165a182db663c2b810a4e4eaf820c09557608f0bc246d4977b5fe5351015427a31e08fd5d248d3161e66f9aa3743a5a0c0c0f7f889e88bbb648d4faed9

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
80KB

MD5
09c83712f3e456dd857b7c558efa68db

SHA1
f0dbc7f594bd3f4e247e09777efecb8e67c33720

SHA256
83f7000318309459b700d2acb8a458887a3bee0fa3e18dda0f01fc31cbf7bb4e

SHA512
853dbd27f000a7847a8fb271ee4270312b1c685dbb65e227a518ad489eebb674de389173048c35b0f9dfcf4475c392019f8dbe2c2452cebfb0631f4c9ef44ef2

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
80KB

MD5
8636d13d781597ed3a550d2287188845

SHA1
073787bbcf8f4a22519b590a6e4514088cef4b00

SHA256
38061ec1afa118b9d22c30269e68c5424093e9bd7fb2e4dabd5a0432dc8672ab

SHA512
f2fc622f8017368ed5afd7d08da7a3668a90efd64b94a7d83e492404010bc63a6a03ed71582b7d0107f9d760e7a1296cca02e896a4927812db31be893b9b921a

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
80KB

MD5
54626bb83266e40213b8f04dddce6fab

SHA1
b56f5b85234877c8fc32c5149b20c1dbd1b20db5

SHA256
9420593bdc69ddf04af95987a74188b73f68b9c859c65f012b76ec45868c9950

SHA512
ce842ed3f13d4f87a7d3dff9cdf22e0ba7eadb23f89d1dd6208f44afdfce3f7570dbc28e0a66d1df9e1ac8635b3122735d747a36f36d1675b4ff714d36b3462e

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
80KB

MD5
7195763aa3eb1e7914ca8f930ebdf68e

SHA1
b59681a9d3d250f68009a9f1788f192f60dda925

SHA256
247a46763498200c297d4507f5f29e236bdb81799b2f221cc9cba516c235d4d4

SHA512
bba487715f8755e54f970e86590e3201bc6b914a3ba32de45eb1bba6183f937248b12edbdeb767e941a5d38cc8769e6c19d07a9e8be0a9836a2d96868c160e87

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
80KB

MD5
aae4f0ea8097e64ad27feed0df3dcfc2

SHA1
8861b6277327c98003d60ddc045931dadaf28a56

SHA256
ed5e5b9ce80d58c5d9c8dcf547e796c77b7782bf553d6736fa231699f780cb72

SHA512
40208457463abe6b2bbafb56259ded0d4f9f3e2f55bee67909380dd7ad0a677e6f58c7cd9c7ca44ec2a58a2b75f4360eb196e6e5f57bae403c262d70541570f9

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
80KB

MD5
16e2aa28a72f5c187fcc6f12613b1bb4

SHA1
322eb6914e865092064a19b7f5d298ef830668f5

SHA256
5cd816c3b9cca92ea4f4e1c2d4aad127eafda4205de6fbdf12e5c81d968ba7e7

SHA512
79c277ea1c0b0858e6d3aac11f222092568ea21ece74041e7dc267dff268e81cfadc0e9b8872eb3e74ae531ed1dca4b105a0e16bcdf390c2efe7264206795e00

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
80KB

MD5
8b8d5eb61c60ce50645ae82da6220a4a

SHA1
49e365d1249c2355adcb08665654a61b6576534f

SHA256
e35ffdb536640e7df79945460a8ae9aa96839fae8a91333afc352abfd52c35e8

SHA512
bd816d376a6c9df5db5359003a17247481e3174804ec52ac9670ecaa193ecc4323560b071f3d273a43c16c0a65ae155e176e6e54e2844ec259f2f5588da0c800

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
80KB

MD5
9e2782fa5f26b43cfd5f1086ae1d4ec9

SHA1
6344248c5f9b234ee678abbc60481e769c6e3335

SHA256
fbb9c5aef596af974c82ed43789fbce8b7218540e926aa8a57a21d8e10b39188

SHA512
dc5c97faed7f990457aa926a36bdc7e88a1d77a0e948ceade11a58ce820090869a8fbf8b6becdaba7d22343ac4443abc334e75f59023ec523d04d5133a68dfd1

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
ea4e5aca0f79449fc03cda92971d24ea

SHA1
9748ab9f5ff8142f7b454ef030b3c640b4ab7c24

SHA256
bc84bcb889a9e3b45d529d9d751c496f483b75ed551866e5bb057c36546d7c00

SHA512
dba8e57bfac3b1a4fdd61b384591e6ba41b525440bb00948ca0969a5b69978f610d669c36f8ed6f6122176d9977c2a93bbd2d80f5cd474cb26655fe6f8205ec5

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
80KB

MD5
1ab528e3e36db0ccb76287c1f7f6345c

SHA1
987d2c7befd9e1373418b2f82e17020484357423

SHA256
47eaadc92d643362f166c9ce908886538fb28ab268c977f2767fed3810195963

SHA512
ea40367d1b438fb5e4924c57d3b3c086edcd89482162d57a65ef1b35c7d00f45dbbb1579b514f174c90441f6cf603f01a427d5a110b58976adb31eb4587b11da

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
80KB

MD5
f43c5f7843ef91a400af9edb8ac7abf3

SHA1
a523bb42948ed7aefa2d384ef10fce2491b5a0f2

SHA256
689cc055ff2e81d9342573e06bea4ed498898652b162317e62060976c22f2cdb

SHA512
752ff04c3fd459097f085ea41fdcb9d623b5b61e4f7751e28dcf7a88060d8e47a184522367333423d02eede30b5d401f178fcbf45945a2b48342afe0c4817e2f

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
80KB

MD5
7c5e6e8e6792257824f4a5f4be7bcfd1

SHA1
72a19935aaf830eb94ac5f197d64849c1f350712

SHA256
6c6e7f8a87d738935fd471cd633eb7e1f98d26599b37ee627005ffb2ace814e5

SHA512
7779d3675c1b4a01229f177c52553bfbbe8cd5cc5fc696c878e8d47b5a84c050b821d944f7e057766804e1488e0f8364993513a83c226471c3d86d1756dfa357

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
80KB

MD5
3d238faabe08dde186d4f67b90c6196e

SHA1
5367aabfd640970cc763959cdd7b7536080ec679

SHA256
920daaaee8fd8eadabf7d9c8c1edd270c0f280bf96bfa9a1087ec36396644acc

SHA512
1550ca15a4db5364b366a620930529d7cc1a26d739f11596c3bff18fd5ef8d0c96b47e86e95da871d58203b51d3f53038c4edf5607095d7d515d4fb6ce23d37b

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
80KB

MD5
c791c225965d7b5d57047a65a7706fff

SHA1
7f37075b73b434ae4090c192a332857056f429de

SHA256
d729fe62a2329f62dd86e5b49aa89dfe77619f0c6f4b7f87ab8b4580d6c04b91

SHA512
f2c9c11f7878cd8b9e7cfe71ee916e2be6e084e64f6966be1d8bbc4f640b9eee2f24b20fb36162703372a7ab6662390ca3b58c08f2faa1ccb01fc1946fe3b010

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
d32e0fb1dcf96f588dcccf9f4085be0f

SHA1
b645cf8bd61aeb21112de061fcc499731dd46a56

SHA256
f65130da685b649cac2e72f9a1228abf9a496f6136ca2d46c6c949b73ea9212e

SHA512
1471eebe0bc86eb231628f25d3054afa96b28584b832b4a5a8d551f38532deb33fd39eabd077b09c5e76675228580a7456d3694e25b2a69a9117131180564b4c

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
80KB

MD5
5e12382003f615b452ec0fc0590ba5ee

SHA1
b80e4f8225e223980429e55e42a00a9d31bf781b

SHA256
1c94b3209927aafa94f7963be49fbacd50ea4bd5b04720adec9deb8344b2a679

SHA512
c3e6418b63fc365bb08d281a732b1bf9bfc183ac7b3d8131ca1822d30d1d0e08dfdb2b36d1644f1d3838dcbb0fbea8bf4804d2b5739873f6afd53174a3f3c835

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
70a4480c3b36e691b29801f8ce4ff6ca

SHA1
8e7a64d468854a68e2d8f8a2efc92b0a035bc1e9

SHA256
3ca36a8b689cf8dfe5b70408357c8a2b42fed3ea4ca470f3e7e0ddf7a406879a

SHA512
c4bb0c5083626e37b1f62966fd157d7e22c76b9dbc83f44eb681df82ef316cd03196961311e13e0821c4551c9c369a0bf73330a22351f460abdb09f9ce285889

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
80KB

MD5
a3d9cec73d5d2dced0f8ae77e84d0d9e

SHA1
269cbc94c9d2d9fa6fbd425e7afcc5d70952c06a

SHA256
aca89676ba2d4e45bcd9c0a059af0a219b198e42e0d81f992450f998d41eb7da

SHA512
06d6f7a52025f1bf13166af3e8f2f764d9dccfcfae9c1fc5e349cf21be342c28b55a276713356ef2ead06e589529f7c5d9ce7683684351f118e962e89e124db8

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
80KB

MD5
e607c086df130bc2f73e35f8260efcd0

SHA1
dbcb0332bdd3c7999c70fa584b04b6ebdd4920f8

SHA256
7d456839a1e4e708e497d131bd6631fbfc465671e68e724468fd579035cf33c3

SHA512
f83838c89feba609db7100d00e243fa8c8d9deef3ed7838afe2bd7b8e73524d8d2d783715a61182b36cbb276073e887ded8ed48a5522593812af8bb00c321e4a

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
80KB

MD5
fb8183ad1f63688b08302be6686ec5fa

SHA1
c1ef5a5c1bcdc96740a497f29080aa3238f40ada

SHA256
2a311f298d01398b754fa7d1f21cb01151cb108b503c7f518477532835c6f51d

SHA512
c8409c677ff9a8222949903480f03045817a76e26f2dc130a33b729e4f7b4853cd6a99b3c55f49098ba23c0b427a2d0318c266502455e81f5bf0e53421e3a783

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
80KB

MD5
37d0030039189c3d96975787e6ddeb29

SHA1
4da7047b173c9b66d384365cbe0e0a3f6681d8c8

SHA256
8bf6b135d0dba3e57d6575d7b259deacd6397b310b1498f2f6b7e98201703cae

SHA512
c6359047ca1401e8e08e8b4e8b97fb01ed2c4bb08475430f9c8ae86a8a675da78a188743bd6bcd2b3db72d0e633819960d634d50079d7df8080d8fdc9f46981c

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
80KB

MD5
980554a22735fb4c7e7bac459f517f3c

SHA1
a83c2c57efe80e7931f0a3352a62d65f037ec5d5

SHA256
10b45042cb49d24e27c1d6a0861d27fdd913a26eb3ef30b56e6c663e11925c39

SHA512
cf6134cb08cf1841e9077035df381bce5cd2401d55dd7903a1199273b2d3f47fede18593055f1d1604cb1661eb5421a0907eff626ce470e79697b3f6301116cf

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
80KB

MD5
deeeab3e1100a9b654d5182bba1fa05c

SHA1
918cae81f5ed4c07585eaeb73b4ad43756801498

SHA256
b46e90af803f1d9363e50163c9be5f5bb51031d8ae7fa5f8a32ed0b670a84ce1

SHA512
21c0be58ce42c7f271809b57f25c0fe2efaae32df458492b98eecdade146ef2c70054277e933ad9122de3a9aa152c8498627e39936a1306fdc1feb0aa9dd1127

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
80KB

MD5
457edd50e7a89014a29a1048ec3bc33e

SHA1
4c528bf73b1a2bacbcbf1d54c407b63f1be7eab3

SHA256
89b2d1398b8f21845f67c062e207b3fbcf2e16380d13748a7d11f4dcfa2e4791

SHA512
28e3f92c9131a82bce3178b131693f6eaad0ea85685728b3337853662b2312025aa8bc81753db010fcb8917a36de61c215cd1cb46042ff4c0d4221fa965e6c52

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
80KB

MD5
edfb42d6088357c8cc9e28c1b75ed95a

SHA1
809ce5c14e4b3972fb5828628db3e53801dcd7b2

SHA256
e0299356037ebbb647cb75575a53e42f92e4c94b73ae1a50ebef6533bfe13187

SHA512
914605d433a3b8a5d55c6bf9ed1b258e90663f64c004699781fb618e1f2573eef62f8eece1d9fdd8462a2d455a2dff252f40e1b31f6e93e83f345eac5a196679

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
80KB

MD5
77eefb3ae2401dce09119871d3798fc5

SHA1
8c58a8eba89ce06a7faacdb84a7a5eb42d596a61

SHA256
cabef2b1a543a11ed41f42a6978143ece4e1aef7eeff58f218a8b73991f398c1

SHA512
9bc25cee520330bbd7c972aedcb11f98dc645df13f48c2a60f99b3b64a21f68253659d73b65e1acb1cfb7281444dd1965f6df592b74c64417efff27a0f634fac

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
80KB

MD5
dc6d9a500ab81a855ca432d8f5657b30

SHA1
c8a7812ca603cce3baf9ba9169abcd044eaac173

SHA256
482fc63b6351344217f5473a03c713e55b7f13375feb805e8d11d80a44981636

SHA512
c32a78cb888b04194186388f2aede1de363f12c4a9628d019407a4d37ad6d4963a8f43277cd9149f11f79140c1520d307fdfa51186781754a827c21af990785b

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
80KB

MD5
d28538c10e6fd341849eabef66723c02

SHA1
7a542f3fe3b1fb3cee486fe950648f9eb42d9bd8

SHA256
da209be7e886e1dd0919e1d04a055fee4442a60ac4e768067fa2c64381a60357

SHA512
dfff103f1dd5293122c872a0611480c5cd01b8426d3137e0819706c237f20fa4dc94f5f4f9ce4f7171d79df9c5f576fb24b844d5681e81fc04950b6101c68ccc

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
80KB

MD5
1aba2ae074a1a305f41223680f9d2aca

SHA1
a36337ea2141c8560d89bda648fc09bc71559040

SHA256
82f8c6a85c92a87a8d31bd0677fefb83e7eecca7f6bbda0ce3683f4273f7d797

SHA512
0e062fab5534656422345ced1ac20a351600c5616bfd066cfb38519e6371bbe8aa32b148cdbc539266c91564dcc56f75d19632773d57925bcf518738822091eb

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
80KB

MD5
313c1f0fed67bb4be694364f99473d56

SHA1
87bef34c8b15133e10f4d4e427dadd03bbaa05a4

SHA256
314b2714982d0221aa2cc75aad3ab6cc87fade4514a78690755ff3f1269f6535

SHA512
ceaa6546e90d9b9b919911272601fc8946bd0725cd89f63e35a5764fa806bca9e355fdaebcbcdc966fed4a9ac03ca17a5f1f9b7d532a09766c40a1eeb75ebc3a

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
80KB

MD5
56b9e55f1888c2084bbe3262920cc594

SHA1
528e9f05fa8ab143f0a4eb8a92806917f3b2d568

SHA256
4a73274e7ed46c8959fe8b4ab191613474f9d8cf87c6f05eda30a355820b944d

SHA512
17f452beeead52da81074243bfd68c82198f207b45fe4b539f70c0a668ca69bc199b5c57ec63988243090cd9f695056ce65ebffa4e5346b8a9f00fd8ad6e053a

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
80KB

MD5
743c6a7f0613f645500602ef739cf4cd

SHA1
9f4a601d67460c1ad3c93d0cdb4f90d62ad20a11

SHA256
357f8e0b4b5689bcbd16f7853ce3eabe7bbee1a0b42fe203ac8f800d24260b3a

SHA512
2d4f5b9901930765aa613f51fe03add59c3e19f16000d001be05191aa9ed243b4e37bc246f28548c4754a4a23cbe3cd3fa5bd168aed2d5c2fcd9f59b8f8f24ad

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
80KB

MD5
878f8e4cf920485c04412d3ab2142a6e

SHA1
4086db13ab6914b17e43a272f6dfed6efa049615

SHA256
337f90b3971214ed149b206f64ad68706e0bb0c6981faeed9a15f42e4b5ee623

SHA512
47214c1c41da6db98731d72ecd5d28a31758787b3441f01248d925c10e05e9dac1449bfaa5130fc8818cdcb8e4caeaed18b608cfe890f8fa1c9be5c5b82ef220

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
80KB

MD5
98db2501b8029fda7826960e0766e30c

SHA1
5a3cd3e2350845fb0c527dbbe58104ab5b12fcf4

SHA256
123a7e0f0905dc2a3cba129e31c9a120f6cfc6407837766bdbb0aa13b012789b

SHA512
11bc68c07e1e2f5663b66c5ef5efa3f2464670fad8057cc74f0b08d7ef419bf0907c66db5fe891a1918170b2b83787afc31bc23d1de8ff10060cfc75e33bb531

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
80KB

MD5
75091bde0d08f93ef2517dc186a428d7

SHA1
fb5814fd668c42a568c30fe3d442ae913c663c87

SHA256
6b69d6e0f1fc1d8381b88fef4e824784b99410c6a589a80a0da1f05542fc7d79

SHA512
c544926bef1cea9e491e5e89f257b1962a1ff88a51dd33364f0906036155516b5d9b79c82ce700a1e4449ca873d04c894e5ee7391c9a933bbc1e9e81158b6703

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
80KB

MD5
8ceafc882e08dbf207d97a742bcd116f

SHA1
90ad0967922c11c2688b37b42e647d3645f7872e

SHA256
9eb4965199a01d20949631b02cede6db289dafc547d20fca2cd0d0339309c8d9

SHA512
059f7d672d4b58e76bb0e5e5f14d91b267323c25905958f521f5e1a3ba04db1ec4fa5929e2cc57a083bd21a2370cbab473d92aa2f1e4a6580a50140aa9a8d003

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
80KB

MD5
2255a0a43096d5acfc8bb7c4cb160751

SHA1
77a1ad9b80595a52cbf093e5ffebeca90cae5c8b

SHA256
2feb329ffdb3106f3af1c0dd1d5036f41bc100b6cc1b47a2770da470d5014e53

SHA512
5ff5df97577bb6d3a47c25abbbfdc0dbee6f26934f5891b828aadff6d9795c9bed8583ccf0b799e15092c50e2da7adbb2df4f4bd4ea174bf0a098e81bdbe358d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
80KB

MD5
48a77752cc6411f4fba7cbc6e70c14e8

SHA1
73c27724a43e64a7c0de369eed3daeccc491dd3b

SHA256
aa801046b7bbd5d00432db6b10916d9f7714b3e74ae263b2899fabd9e570b017

SHA512
923a9168dfd7c245547c4aaae24925f99033b226a4059bf921a6c729eae81fd414a06e00fd38a97dc9fb8805c8b1c951618bbb9c1e2e1f78d73a68923b4e86ad

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
80KB

MD5
c6fe387e3194bfcfccf8c6893c15793d

SHA1
31638f39718bfc9fa3e952831a292d8e6fc7b363

SHA256
c6027ed2b6c12321d9a4be8425790748ea79d05f46e7cb418e4956084b0f9bf4

SHA512
11872a2921103567e2bb5d18c61a711b36ae0075d21f24745a42cb1fc77e4822a3bcd44b0492fbf8564dde8c83b2372930168c4acd0ec242009a4b30cbc01a9e

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
80KB

MD5
f2645aa04d62d90cd2ad52abba0a2fbc

SHA1
6ad76d025a85476f9cb3170328aa5fe339ac702e

SHA256
874988a52bdfa17518d7491f15edd0e64474e5d66fa8485ef586bee1bf5edacd

SHA512
571f1fb0b4a0c8308fc40f2d5d25dca6e8a99be7607998b7aad18e8d5dded5b117a74783b0f9cf2a25990025ef1f0524ba7c9b425e7b898b141b867f7d95163b

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
80KB

MD5
4925418aada742014852a5d934c871a6

SHA1
20a324925ce8c9723479070ff51e279e58ae9b19

SHA256
7086bdbc696cc81f5759f69d4b2908fc42161319d58861e0c1150a4d21b6d3a9

SHA512
81e2c9b4e35cb1fa87c43bee3eba50b63299092df4ef4b07f1f08e307ebd33a9bd62b6bb78067f332353b74d1d36458a0765d3310d83b5a224c55612736836da

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
80KB

MD5
531d04b0bc3b3fc4d3b5a22d468f6c2c

SHA1
5700a977f30c24a98ea4a7cc0a74d9efcdbb3068

SHA256
c449a118e89e4b12ae70170be8c4f3d7e2f109b03df994ac5f12a81dc5d6218f

SHA512
ed8b2d679d5e7ae6c57adcb3849c648eb24d4d84b46c9d3d43a7e687a4741caed39faf330859e312942ef03ec6af00e5164f36073750a74c8ae74b4b28ee9211

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
80KB

MD5
197d16059690d3af580a2303c452b145

SHA1
d3ed9f3a566b96060e7e4a66c9344dbe42356934

SHA256
ac5ac57c5299b05fab0fef77e328694d0aefd0463ece8a298f0f25f47aa53b98

SHA512
b402cde670082e0dc535f20193f0e3e1d5a1396dcadc7578e55702f551d240647648651407bf8c38dc34b9de1b5d687a520be63a36166d9054068ed2ba0ef0d8

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
80KB

MD5
8d0196430402d7c7bc1a4560604b5848

SHA1
4de40a1167ea36f0bb44b7c055496859571bb903

SHA256
58d5427870470e62471d4019b74c01dfe99d049ca6f610ac3849ba77052116f4

SHA512
6f5271d00adec05de99d614cd16a8d5c8fc63484dcbc8439d33b8b9937703f49b6f019ec0070cb3fab111731f67fe1bdd60d46248445fafa547052ba8dd9e7eb

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
80KB

MD5
6b3641d872abd4ad24b422e9551728ca

SHA1
4e530a2803090ede07ca8431f9aa2e05837b21f8

SHA256
e53fc25bf3537f42c1f6282f436055b7b4c19b46433e4e36375cb3fbff041d7f

SHA512
d84be5963fe62b3a12d914f788f23498dae0e9c68b47eba9234a2759917da8c7ec8e796ea7ee9ad6a5077fd3f102691957ba6d4f1763124e67e3262967ab09c1

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
80KB

MD5
6c92c9c9d9c545d1b830c9ff0848ea82

SHA1
89ce14650b03f4bfd8ca4a5e35b69423d4becaf1

SHA256
3d668853a597e4527934b0dd0c9aac5c3768440264d24b4681a9d366adc4cf91

SHA512
603c8204e3749035e2aa2f31f65fb400fe92da93d5f690bf2c2697c071ff8f0cd4833c90f9d80371392cf23ea5649fb2fc101591f1f8c10836d541144a61b901

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
80KB

MD5
0cd736f0b462be4bf458a7cc37897d79

SHA1
cb9eaca4d983abcfa8d60a575913ed7b95ce905a

SHA256
2ca3c1ba6fbe97a6d3de657736e6142a7258b7779c8a1d691785247b1154aef9

SHA512
4acddbf87c310b945ee20e46c8a9e9fa5e4b6b1e18f5a1f7e4d39b0fb276f94973d445f1f72348cdf4e798c68991551b679ae606f15fe66ef7d39502991f7a1f

Download Submit
memory/232-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/808-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/808-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/816-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/816-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1032-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1100-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3040-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4376-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4376-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4560-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads