06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59

Analysis

max time kernel
146s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe
Size

352KB
MD5

a4a16361d8a66ad4075e38941c19cbb0
SHA1

972457a65f44158b59b63471b978ca0867863886
SHA256

06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59
SHA512

1cd1a1997e3d58a8e44dc5c15f0a5a541953af01ac522ebf039e8121582f8bf03a930e16be95d0479416b3913c4e9b460efdcaff676dd2b58e822c381b98232b
SSDEEP

6144:opyLaKz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:WEUsUasUqsU6sp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blielbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnbbqpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmlkhofd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjmba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiildio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmdom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blielbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcjpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flfkkhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koodbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpoalo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lopmii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmfgek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbchdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emanjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnknafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flkdfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe

Executes dropped EXE 64 IoCs

pid	Process
3720	Bnhenj32.exe
2604	Blielbfi.exe
2988	Bohbhmfm.exe
1696	Bnkbcj32.exe
2940	Bafndi32.exe
1284	Bddjpd32.exe
3328	Bllbaa32.exe
4952	Bojomm32.exe
3564	Bnmoijje.exe
2692	Bedgjgkg.exe
4864	Bdgged32.exe
1312	Blnoga32.exe
4148	Bkaobnio.exe
2904	Bomkcm32.exe
732	Bakgoh32.exe
416	Bffcpg32.exe
4896	Bdickcpo.exe
976	Bheplb32.exe
1336	Blqllqqa.exe
1328	Coohhlpe.exe
4800	Camddhoi.exe
528	Cfipef32.exe
1440	Cdlqqcnl.exe
4192	Clchbqoo.exe
4592	Ckeimm32.exe
1308	Coadnlnb.exe
1672	Cbpajgmf.exe
3952	Cfkmkf32.exe
3428	Chiigadc.exe
3688	Cleegp32.exe
864	Ckhecmcf.exe
2196	Cocacl32.exe
5040	Cbbnpg32.exe
3112	Cdpjlb32.exe
1692	Chlflabp.exe
932	Clgbmp32.exe
740	Cofnik32.exe
1628	Cnindhpg.exe
4560	Cfpffeaj.exe
3052	Chnbbqpn.exe
3468	Cljobphg.exe
2576	Cohkokgj.exe
988	Cbfgkffn.exe
916	Cdecgbfa.exe
4364	Dmlkhofd.exe
816	Dkokcl32.exe
3432	Dnmhpg32.exe
4640	Dbicpfdk.exe
1656	Ddgplado.exe
432	Dhclmp32.exe
4576	Dkahilkl.exe
5160	Domdjj32.exe
5196	Dbkqfe32.exe
5232	Dfglfdkb.exe
5268	Ddjmba32.exe
5300	Dmadco32.exe
5340	Dkceokii.exe
5376	Dooaoj32.exe
5408	Dbnmke32.exe
5448	Dfiildio.exe
5484	Ddligq32.exe
5516	Digehphc.exe
5556	Dkfadkgf.exe
5588	Ddnfmqng.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cocacl32.exe	Ckhecmcf.exe
File opened for modification	C:\Windows\SysWOW64\Eehicoel.exe	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Flhkmbmp.dll	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Cqmmqg32.dll	Emanjldl.exe
File created	C:\Windows\SysWOW64\Lokdnjkg.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Ffnknafg.exe	Fbbpmb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkqfe32.exe	Domdjj32.exe
File opened for modification	C:\Windows\SysWOW64\Feoodn32.exe	Fbpchb32.exe
File opened for modification	C:\Windows\SysWOW64\Aggpfkjj.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Paiogf32.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Qbdadm32.dll	Omnjojpo.exe
File created	C:\Windows\SysWOW64\Ehcplf32.dll	Dbkqfe32.exe
File created	C:\Windows\SysWOW64\Ipbehfom.dll	Lnjgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Eecphp32.exe	Ebdcld32.exe
File created	C:\Windows\SysWOW64\Fdllgpbm.dll	Mqafhl32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Hemdlj32.exe	Gbeejp32.exe
File opened for modification	C:\Windows\SysWOW64\Ljqhkckn.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Emmdom32.exe	Eeelnp32.exe
File created	C:\Windows\SysWOW64\Filclgic.dll	Geaepk32.exe
File opened for modification	C:\Windows\SysWOW64\Kjjbjd32.exe	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Njjdho32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Pjmjdm32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Bllbaa32.exe	Bddjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Camddhoi.exe	Coohhlpe.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Fbbpmb32.exe	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpcdg32.exe	Modgdicm.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Adfokn32.dll	Geohklaa.exe
File created	C:\Windows\SysWOW64\Dolqpa32.dll	Lmdnbn32.exe
File created	C:\Windows\SysWOW64\Fmfgek32.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Gnqfcbnj.exe	Glbjggof.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Jfegnkqm.dll	Dbicpfdk.exe
File opened for modification	C:\Windows\SysWOW64\Dbbffdlq.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Fbgihaji.exe	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgbld32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Jdgccn32.dll	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Fnnjmbpm.exe	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Cohkokgj.exe	Cljobphg.exe
File created	C:\Windows\SysWOW64\Bnnkgo32.dll	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Fefedmil.exe	Fbgihaji.exe
File created	C:\Windows\SysWOW64\Glgcbf32.exe	Gihgfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10064	9892	WerFault.exe	435

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgplado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodbhp32.dll"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbhekk.dll"	Fbelcblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll"	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gblbca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eecphp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekodjiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncilb32.dll"	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbpjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbdadm32.dll"	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll"	Bheplb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll"	Dmlkhofd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3720	3436	06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe	90
PID 3436 wrote to memory of 3720	3436	06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe	90
PID 3436 wrote to memory of 3720	3436	06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe	90
PID 3720 wrote to memory of 2604	3720	Bnhenj32.exe	91
PID 3720 wrote to memory of 2604	3720	Bnhenj32.exe	91
PID 3720 wrote to memory of 2604	3720	Bnhenj32.exe	91
PID 2604 wrote to memory of 2988	2604	Blielbfi.exe	92
PID 2604 wrote to memory of 2988	2604	Blielbfi.exe	92
PID 2604 wrote to memory of 2988	2604	Blielbfi.exe	92
PID 2988 wrote to memory of 1696	2988	Bohbhmfm.exe	93
PID 2988 wrote to memory of 1696	2988	Bohbhmfm.exe	93
PID 2988 wrote to memory of 1696	2988	Bohbhmfm.exe	93
PID 1696 wrote to memory of 2940	1696	Bnkbcj32.exe	94
PID 1696 wrote to memory of 2940	1696	Bnkbcj32.exe	94
PID 1696 wrote to memory of 2940	1696	Bnkbcj32.exe	94
PID 2940 wrote to memory of 1284	2940	Bafndi32.exe	95
PID 2940 wrote to memory of 1284	2940	Bafndi32.exe	95
PID 2940 wrote to memory of 1284	2940	Bafndi32.exe	95
PID 1284 wrote to memory of 3328	1284	Bddjpd32.exe	96
PID 1284 wrote to memory of 3328	1284	Bddjpd32.exe	96
PID 1284 wrote to memory of 3328	1284	Bddjpd32.exe	96
PID 3328 wrote to memory of 4952	3328	Bllbaa32.exe	97
PID 3328 wrote to memory of 4952	3328	Bllbaa32.exe	97
PID 3328 wrote to memory of 4952	3328	Bllbaa32.exe	97
PID 4952 wrote to memory of 3564	4952	Bojomm32.exe	98
PID 4952 wrote to memory of 3564	4952	Bojomm32.exe	98
PID 4952 wrote to memory of 3564	4952	Bojomm32.exe	98
PID 3564 wrote to memory of 2692	3564	Bnmoijje.exe	99
PID 3564 wrote to memory of 2692	3564	Bnmoijje.exe	99
PID 3564 wrote to memory of 2692	3564	Bnmoijje.exe	99
PID 2692 wrote to memory of 4864	2692	Bedgjgkg.exe	100
PID 2692 wrote to memory of 4864	2692	Bedgjgkg.exe	100
PID 2692 wrote to memory of 4864	2692	Bedgjgkg.exe	100
PID 4864 wrote to memory of 1312	4864	Bdgged32.exe	101
PID 4864 wrote to memory of 1312	4864	Bdgged32.exe	101
PID 4864 wrote to memory of 1312	4864	Bdgged32.exe	101
PID 1312 wrote to memory of 4148	1312	Blnoga32.exe	102
PID 1312 wrote to memory of 4148	1312	Blnoga32.exe	102
PID 1312 wrote to memory of 4148	1312	Blnoga32.exe	102
PID 4148 wrote to memory of 2904	4148	Bkaobnio.exe	103
PID 4148 wrote to memory of 2904	4148	Bkaobnio.exe	103
PID 4148 wrote to memory of 2904	4148	Bkaobnio.exe	103
PID 2904 wrote to memory of 732	2904	Bomkcm32.exe	104
PID 2904 wrote to memory of 732	2904	Bomkcm32.exe	104
PID 2904 wrote to memory of 732	2904	Bomkcm32.exe	104
PID 732 wrote to memory of 416	732	Bakgoh32.exe	105
PID 732 wrote to memory of 416	732	Bakgoh32.exe	105
PID 732 wrote to memory of 416	732	Bakgoh32.exe	105
PID 416 wrote to memory of 4896	416	Bffcpg32.exe	106
PID 416 wrote to memory of 4896	416	Bffcpg32.exe	106
PID 416 wrote to memory of 4896	416	Bffcpg32.exe	106
PID 4896 wrote to memory of 976	4896	Bdickcpo.exe	107
PID 4896 wrote to memory of 976	4896	Bdickcpo.exe	107
PID 4896 wrote to memory of 976	4896	Bdickcpo.exe	107
PID 976 wrote to memory of 1336	976	Bheplb32.exe	108
PID 976 wrote to memory of 1336	976	Bheplb32.exe	108
PID 976 wrote to memory of 1336	976	Bheplb32.exe	108
PID 1336 wrote to memory of 1328	1336	Blqllqqa.exe	109
PID 1336 wrote to memory of 1328	1336	Blqllqqa.exe	109
PID 1336 wrote to memory of 1328	1336	Blqllqqa.exe	109
PID 1328 wrote to memory of 4800	1328	Coohhlpe.exe	110
PID 1328 wrote to memory of 4800	1328	Coohhlpe.exe	110
PID 1328 wrote to memory of 4800	1328	Coohhlpe.exe	110
PID 4800 wrote to memory of 528	4800	Camddhoi.exe	111

C:\Users\Admin\AppData\Local\Temp\06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06183ad4dceb6096c4df5be5c309a70cdab5e1637e66e4a8da05b9ab281c5c59_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\Bnhenj32.exe
  C:\Windows\system32\Bnhenj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\Blielbfi.exe
    C:\Windows\system32\Blielbfi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Bohbhmfm.exe
      C:\Windows\system32\Bohbhmfm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        23⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        24⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        25⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        26⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        27⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        28⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        29⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        30⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        33⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        34⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        35⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        36⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        37⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        38⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        39⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        43⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        44⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        45⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        47⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        48⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        52⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        55⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        58⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        59⤵
        Executes dropped EXE
        
        PID:5376
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        60⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5448
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        62⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        63⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        64⤵
        Executes dropped EXE
        
        PID:5556
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        65⤵
        Executes dropped EXE
        
        PID:5588
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        66⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        67⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        69⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        70⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        71⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        73⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        74⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        76⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        77⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        78⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        79⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        80⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        81⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        84⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        85⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        86⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        87⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        88⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        89⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        90⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        91⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        93⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:792
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        95⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        96⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        97⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        100⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        101⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4244
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        107⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        108⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        110⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        111⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        113⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        114⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        116⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        117⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        118⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        119⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        121⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        122⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        123⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        124⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        125⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        126⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        127⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        128⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        129⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        130⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        131⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        132⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        133⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        134⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        135⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        136⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        137⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        139⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        140⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        141⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        142⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        144⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        145⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        146⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        147⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        149⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        151⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        152⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        154⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        155⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        156⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        157⤵
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        158⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        159⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        160⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        163⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        164⤵
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        165⤵
        
        PID:900
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        166⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        167⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        168⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        170⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        172⤵
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        173⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        174⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        175⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2992
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        178⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        179⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        180⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        181⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        183⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        184⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        185⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        186⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        190⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2060
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        192⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        193⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        194⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        195⤵
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7328
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        197⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        198⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        199⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        200⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        201⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        202⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        203⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        205⤵
        Drops file in System32 directory
        
        PID:7668
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        207⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        208⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        209⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        210⤵
        Drops file in System32 directory
        
        PID:7852
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        211⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        212⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        213⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        214⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        215⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        216⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        220⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        221⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        222⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        223⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7476
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        224⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        225⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        226⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        228⤵
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7896
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        230⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        231⤵
        Drops file in System32 directory
        
        PID:8044
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        232⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        233⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        234⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        235⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        236⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        237⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        238⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        239⤵
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        242⤵
        Drops file in System32 directory
        
        PID:7400
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        243⤵
        Modifies registry class
        
        PID:7624
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        244⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        245⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        246⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7940
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        248⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        249⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        250⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        251⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8292
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        253⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        254⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8452
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        257⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        258⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8672
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        260⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        261⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8788
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        263⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8872
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        265⤵
        Modifies registry class
        
        PID:8928
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        266⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9000
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        268⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        269⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        270⤵
        Modifies registry class
        
        PID:9108
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        271⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        272⤵
        Modifies registry class
        
        PID:9188
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        273⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        274⤵
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        275⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8476
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        277⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8700
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        279⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        280⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        282⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        283⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9092
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        285⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        286⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        287⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        288⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        289⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        290⤵
        Modifies registry class
        
        PID:8912
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        291⤵
        Drops file in System32 directory
        
        PID:9020
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        292⤵
        Drops file in System32 directory
        
        PID:9060
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        293⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        294⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        295⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9116
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        297⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        298⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        299⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9176
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        301⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        302⤵
        Drops file in System32 directory
        
        PID:9260
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        303⤵
        Drops file in System32 directory
        
        PID:9296
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        304⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        305⤵
        Drops file in System32 directory
        
        PID:9376
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        306⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9488
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        308⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        309⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        310⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        311⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        312⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9720
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        314⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        315⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        316⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        317⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        318⤵
        Drops file in System32 directory
        
        PID:9904
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        319⤵
        Modifies registry class
        
        PID:9940
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        320⤵
        Drops file in System32 directory
        
        PID:9976
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        321⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        322⤵
        Modifies registry class
        
        PID:10048
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        323⤵
        Modifies registry class
        
        PID:10080
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        324⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        325⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10196
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        327⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        328⤵
        Modifies registry class
        
        PID:9244
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9320
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        330⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9384
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9484
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        332⤵
        Modifies registry class
        
        PID:9560
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        333⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        334⤵
        Drops file in System32 directory
        
        PID:9692
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        335⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        336⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        337⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9892 -s 400
        338⤵
        Program crash
        
        PID:10064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9892 -ip 9892
1⤵
PID:10008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
352KB

MD5
c79dfd33c0c824e1dc5f3c6872fe6c1a

SHA1
0c4e52feddb076dbf14e30ee04c3e88ff66156e6

SHA256
644a25b2bcecd9a19a93411e15ef11187ec8558eb3e51863fed1248193d20e90

SHA512
9caeed211aa48174a142246da950905d9ee197e4d0c00ced9e77a0a9fdd702c1ac5d6cbd737493e8bd206c14b7d1dec9f3c2d798911466afcf0d77b34ec16d75

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
352KB

MD5
73f7ed1ab2f6e5c0401b93a553ae1ed9

SHA1
e3a490a50d60277d64ca2afdda2d743e48e9cb6f

SHA256
e14db4684f1a923ca5b0f7846f29c1888c49613599bc531188519cc42fdc2ac0

SHA512
92b16a582f5a4923edd29f4fbf58e6e85bbf0640182af2a92e94ffb5480441a2af042ab317a731b60009c1340b228edbde314905d693c68cef0ba56461e5ff0f

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
352KB

MD5
eea065cc56eec181b2c17568f15f5197

SHA1
cc009f3d8baec4e26f45856d9f555f09916ae062

SHA256
aae35b2f823c63344c7fa2fafa59938e534818f3c757fbd2364b3d127a3a9f98

SHA512
4f1b1db6a7744e5a3e46daca2d00833f46dc3ae59726a3319e0e94098610afec14616d32f2115028a3b8fb8faed9d35142548c1a1da790d883c7f027a30c88cf

Download Submit
C:\Windows\SysWOW64\Bakgoh32.exe

Filesize
352KB

MD5
93928d074e4f354a660ff9b133dc9150

SHA1
fc0090d1591f5aca1ebcba8171da8e155bfdf2bc

SHA256
7d7398a4bd5d87de77126cdac9c1fb79c1e956a7b0f427af261318e7a70e1da6

SHA512
1a79755b78502b4dddd3061f8a853161888a4d049535a7341df7a14390904a70847888e1c7fb0ef313c170da240118b6496b8e0b1df74f17760a14a97813a29a

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
352KB

MD5
e694546853740142285004dab876536a

SHA1
319630b9772c38cfc85b29090520885695644250

SHA256
588c467ba5f682dd45b5124f4d3f7aba84d08e0c773502d914b7a21efc62a2a6

SHA512
4c6f73cfbfeeddcdbcc328414b4b2690a1fefccaa9db56516d9f5274870fdf28d22f373dad440f6d202fd52ba48211b100909f411f24c6153573ff39e0f66315

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
352KB

MD5
6287a5444bdb511cd6fe9df35649e21e

SHA1
b963dc11654e65acc4feddf1dd8b3d230d87ca78

SHA256
0c80dccf82b0fc9c21afefad12df90057d76239942b2023daef8201cd383be28

SHA512
aaf8f90402f9d333e074c5c56c2a28eaf286d45917513879e0e4c7d3e5431109e9181f0cfb5a303414502ccc3fae267ed15b5df6b32019a200652246573c87c3

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
352KB

MD5
4315d75481f257983fa93e913b2d3e77

SHA1
d5dfc2426417f4aea76370be5f86e21bc7e6795c

SHA256
bf50590c7ebc2503a91f509e842de64f8ef393a8ed73ddb9c5fdae1c18cd05d5

SHA512
2db427c45ed0c9dc37beaebc054f1debf79ea13879bdda9a059b18066a09614605a4cca75e342841a562d8a58cd017bc7de7f0c0d9c55f2a24d0db66f9153862

Download Submit
C:\Windows\SysWOW64\Bedgjgkg.exe

Filesize
352KB

MD5
0eb604b10031a467cca67a9a88bf7876

SHA1
79168137a57cf38ee24ef579ada0304693198316

SHA256
b34aa5065605c9e624ba6753fedc5aec0db8571d7faf03b2682d7650332885eb

SHA512
9828fbf15894de8478f22179c2cf01fb1d4ba66f7079f48f6879ff2df411be462343b2b8eeef2a3d295946eda40c58f008f94d787dd2a51988aaf024e24067c9

Download Submit
C:\Windows\SysWOW64\Bffcpg32.exe

Filesize
352KB

MD5
374a47f15dbfa6f60799ddb55692c0ec

SHA1
ecb77932f9ea2bc4a2a965117a8ea828da430b21

SHA256
894e1da0bc7a5baba9442b9bd3bff860368ac81c4a78f99e7734bf2aa8917e0f

SHA512
cb61c87ad34059c9463be2ac2a0767fff63f05694dcf4ec69c3167fd9bc51305b2f34b317c09c82027782d6aa89364ecbc7c7dd79b4b455952e192ed6be2eab0

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
352KB

MD5
dc22cf4c658513b1c91801cbb77810c0

SHA1
aaabcd5ac926391ddd2443b3114d1f72e152efe3

SHA256
7c2df8fa5a4e86275d0a3f4d651e1fd3145470e0e80ecb4efc8817ec024cc82b

SHA512
05c33a36cf0ab87dd4c686d84624961988279e67e2f35197eef5943b46b923346c6b10f233e27822c65a2ac155011cd6e3f980c7d35b059f4467aaecb2aec0a8

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
352KB

MD5
a7c3d5c1fa48513415cb98b9bf33dda5

SHA1
3f4b5086ab27cb6c72077918b5e81c167c2e9cfb

SHA256
e9e017d28ae41709f72f1fb37634c6d1c9b25a47377314f66b9556852a070f6b

SHA512
3647af3f118bd5ecdc22e026a6026acb632c2a0a7c1f504fbc8ed150327adab8025047fdc41905b87a4ed7f9a56a234888d6b1aa54818ab444d14c52e836d8b1

Download Submit
C:\Windows\SysWOW64\Blielbfi.exe

Filesize
352KB

MD5
1284ca5e859a781c158cca04622ce152

SHA1
cff75d91669d2a977d320a8cd11f12cb95262e7e

SHA256
953315a39afb6fb5225e143f0b7d73591e0c3c15dd561e901cbb31bae35e5d3a

SHA512
a93ea02781d762a5478149fa39381d3ca5edecc09704d901b026ce08e91bec6cf410ef6b3b838a931514264be02a8753a0f527b105054cc3cccb60dcc439a820

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
352KB

MD5
95aaea2e6fa3a1c5d365ba75faa1ce70

SHA1
581ed7999d5fe5740e738e8c5b72860696a036d8

SHA256
5756147a1d313c25a8bf909a4c5dc6a48b4e637c04367fa2a410717bc88bbbfc

SHA512
7d6e212344fb4c90f91c7ae0c7b21d01400ad7d8c46dc755118c917347a23293234a12f7c458406619652843b6826cfc78dbdedd4427fdc3a725b4ce9291e3be

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
352KB

MD5
9b2acb4f2f2616143adc63de9bafc87b

SHA1
36ad85c5ed3c31bc6e2d4d3ffe0d017559ca2332

SHA256
e77cdeaae02f7d5620f7e766c78cc5275427cad37fceae0b71aeecd975567689

SHA512
1d83ec251535bada0a49eb7b6a4cb4d428f24fa932565eb6c242d1f75470229b49fa65a19fa49a7bd0fbe5a56aadad44116923fe73e2cbc469fe6854cba5318a

Download Submit
C:\Windows\SysWOW64\Blqllqqa.exe

Filesize
352KB

MD5
96f22172b37730401f6dcf507fdcbd07

SHA1
fd05e19db3b33500b9870273547faf8e352d9597

SHA256
52b62f04b2e1167ac6726ebcc5ec3a387c78e72f6ab780b559e16174e3c216b6

SHA512
5474037e1a1df4a49476dca89278e55d4c16443dc5a34ae1b65f7c22129f92eda31d49a0965dbed380a8d359479b1b2f22e93e86f06311a3f3204b4b9e7276bb

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
352KB

MD5
dd51580a44d53c378029b4c2e3825456

SHA1
dc3c0e11c77948fb7b468a6f468d636e48f6e55f

SHA256
8414c58319ea8e6ef9ea153a7595014dd592a6ab3506d452c56fe8b46289b65f

SHA512
24bfa7897620d98ee4a73e2139e638a179141943b17758f6c1d0a00051cc2ed7b7e51dbc691fc747e4786dbecec93350aa6cdba955e15e8b747662249da25f7f

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
352KB

MD5
a48d03ecdaa52d31849a8fa7e79d85cb

SHA1
67809c879436bb8c91f30e87c8ff846466added7

SHA256
03e570505e08c1d1796077671df6ee4e46cd7baa1d4c14e1ba539dff9b162dac

SHA512
49151a7151af4bb7551d33c4ed28b9235f18beb9a2bf29fc4d1aa09ca43c2afb8baf98cffc395769eef738a954f946d7eba14f85be383df9c1f8027f2a595080

Download Submit
C:\Windows\SysWOW64\Bnkbcj32.exe

Filesize
352KB

MD5
cbce5028482e98233178ed4e9991a392

SHA1
746e19ffeb113c49f1bb3a7da83cdbbeae567fa6

SHA256
74d6f583be5069f57858187a82e729b0cb425bd52d9003a33beaa7585a51c81b

SHA512
2a504673dd17f0d792cce5b3af532148e84bcfaaa9985f820b7ee9f3b16fea76b93fb96691827af05e28eced3288ebc9af8432124587db4a50c1c0288bdedc1f

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
352KB

MD5
0c9901664cc31cc9be0db7082eb4c257

SHA1
7da3e8b0c45520bc18d118ac2ec3d6d77fa9c5fb

SHA256
bc683c8cb00b2a2f7ddfbfc791a46e712668e1236aaf546048b7313b55517f05

SHA512
3b7ca5e559415fa63d35bd0f9e1e92dc549aa2297a8d8a46c8065734006f8019fc46c1d1ac18f29e91e7e8b99aacf4ad43abf47838e7e78eed3327143359609b

Download Submit
C:\Windows\SysWOW64\Bohbhmfm.exe

Filesize
352KB

MD5
862b796ca7391aa8c0da12d4e9ad9e02

SHA1
062c2463d8325bf0fd660d754f1535a2a7cf0f71

SHA256
f9c3f3f55a2a9d657062341b6fc2fc2b5bbdbe19d868b57da19a52b7a627f9f0

SHA512
2c3c8a376dcda847ac3d205538b20815222a230e4d4233e1f56c01ea800958d3acb2d81cf8162eca0c8a85399570df6ff08822fe44f860b97cb290404ad64ed3

Download Submit
C:\Windows\SysWOW64\Bojomm32.exe

Filesize
352KB

MD5
7e45b4606e45cb8e67264d3efa776f97

SHA1
c618f1c16f7747e6e0be6857ea5834ad5cc542b3

SHA256
d0264dfc0a69bfd05e6c1e1228dc576e7b73b8b99937eafed2688face2cc65ac

SHA512
54e043b1031a0ae2528941ab0d2e1b7bf4efc6dbebf90a5d8ede15eb99af2fb36fae68247bad92d59448e6bf59db88b37e0e1e66e2b57c6464a2760113019b05

Download Submit
C:\Windows\SysWOW64\Bomkcm32.exe

Filesize
352KB

MD5
cb22a867df47593d111cee741b8d9dc7

SHA1
dcfc35ea12bd86e35d79ab72adc97067ce455260

SHA256
c03eb5365d8f0ceb62e72a2a8e1004a6ff35f1bd5185b6272cf003eaeeee2018

SHA512
2a71111874c5e9c19b5ddd59171030ddc61a77c6266bd6d26c74f767d29bc8dfa3e16e2a737e884e57288042fa9c591725b012b59e265523975bc659a062e9fc

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
352KB

MD5
b23a87ae9d4271bd6cf7524a4d6c95d3

SHA1
e9c032fa496addd63b1773c702c61c9fa62d33ed

SHA256
da31de4f1d8bfcdf444284b5b8e6b2384d71cc2ae543163ecfed18fb57fbe00f

SHA512
6697cfef740ffe1aa581fe561568cd8be2b6325610539a6713284b53b61cec5dfadcf8f08623c36f55b950c266e08aeda28ec28eb4e90d7f72c8b906ef6dd4fa

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
352KB

MD5
a0f23478016a44c3382251eb109f3280

SHA1
6b3e0ce86475a4ce25486295a241c6d4af22c490

SHA256
5d8f99cd26e988a0e75c2af31f998b41eac513e7b1142fffc5857bc7f7d76801

SHA512
1fbb3ee77f0c628dd09ebd864ad2b8c3a46d9f31d1930e451cdef0f5542774589af8d8018748123c3ca77c79ab81705d60f760729e495352a2e33f786016d1f8

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
352KB

MD5
fb8b42749264820d04b33ad15428dd8f

SHA1
089fdebf9d9c19211f5599fadc9c9ade898936a3

SHA256
7eaec351153e0273122fc219e69cc3f5bef00e5cf66e2870cbec610a04c181f9

SHA512
63c492f6a564f492202716a99bc36a79708c9da5c2ba22fd8c20512c3677e67173ae363e684c0b1bcce8e18627469ee23402c389eb9049c67a0763096616c0dc

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
352KB

MD5
943558ba9c0f3fc668e850c72cb599ff

SHA1
5f6c4968e58c893c47fd90bdd143260aa429fa11

SHA256
a59c1fbc65a6ad9c2ac65a5e2c89f90f56d0ec4a380d2cccc84cfceab9ccb948

SHA512
ac7004f2cdc8321739d2a7bc4f759db3c21dc9abc2337cbb51d308ebb92ad04339c4070da6caf1cb3fd98b52dcadac97fc61efa01fb85896e115193652f659ed

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
352KB

MD5
bcf05fdeaf906d8afd96608d2c62fd35

SHA1
2a47653f16b87c0ab99e5de292d7c09abf3b707a

SHA256
cbfa99294bf3272f4cc2c519cb1389588964cf8a2537c0d6cfb62f1fc19780b5

SHA512
31688ce55506862cbdaea4923f98796ee3fef570d6d4474c39598c1e295233e7f5808e70f884e47b67ee3da8bb10d02df9771a01e49b6ef413ba414adbe76ac1

Download Submit
C:\Windows\SysWOW64\Chiigadc.exe

Filesize
352KB

MD5
a373d3b574d4dd9bed8d7a0ee343398e

SHA1
e2db48b6795a5a13cea793441df078639bd14294

SHA256
d25b9b1629179d29a24f6b02007ea4ca8a5758923ad491e752103242f6f5b8ba

SHA512
443a995f02634194ffc838f8eaee8b2fd730f0bbd29b431340927d3588ed01bcc43b7be03350801e450aabfadae24904e239c94656eb98644253eaae7fa9eb64

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
352KB

MD5
b1a737175b0023b980a44e9f5487bacc

SHA1
be2df1f9c3106f0084de2ca8e3ec6ac391ad92ac

SHA256
bb5178e4a9255c3d5d57a87df00cfe3b598c11b7ad78a4aa409350628cec2a3a

SHA512
b21db47c2b13b986e180f808251dfd666242e184029f86620c916359e114c09e4f194cace7d8ced988b5d3a3d99d70ebcd4f5ec90b5df7b315278cb2258bb74c

Download Submit
C:\Windows\SysWOW64\Ckhecmcf.exe

Filesize
352KB

MD5
5e535742ec90c9645d583340c0735208

SHA1
962f70d67fca7c1a70bf397e962f706f9963c452

SHA256
bd5f41b7781a0d7b4e2204921a5496be5ed0f725fa9623cf7cd31e6be8ab4eb4

SHA512
645d1cf6120231ec5135f735c0e31bac86f3a5c45dbd3d6f98cd058ad9bda11f83be47917deb2144ccd3328a7a22f68e22c088c89f68d74a5ddd21758c90fd50

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
352KB

MD5
830d5e75510e9b0cee200f8a0ed2149d

SHA1
8ec81e57838f640788b5290f092cebf6af1d0d0a

SHA256
b59e5cc7db9fd661b61500fb784a16c1d8c112cab68ad40a16c46358d9053aea

SHA512
bfd3fdd00c34880b31aea06f43c630f21b859e40c662bb249228d4e188b95e30c0288c28f7be310d8e18e5a81d5e4688279e2d1039c04dbfcb82a8a30349631f

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
352KB

MD5
5e2f80ab5b9a33beb0157c8c6b903561

SHA1
d028a2ff68043dfee248a4629b4c58b96673d5cf

SHA256
03c70aff2f4bb1f0f1d203704a1ccaa1c447027899dfdab70ba0f8f9d4522e0e

SHA512
e7d64f9a9260c3cb07941f8b90ac190eec4a7a967457c206a2506bd0b3f672a40d875bd2dc5c3d6e65af28e0a48d0161e3b6242ef2fce0ea453ea9d7f950ad6c

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
352KB

MD5
05c8904a68032f068d5ff478fe304673

SHA1
b844c6007f3933794cea1e085f19cfcea7a2ee3f

SHA256
845b48ddf23530ea976a4b74a62382e5c88f92772a8ec49e552b1d11436b5919

SHA512
8652c64458276377c52a81d97794f13d0642366fcf81376c445a106a215eeee85b35f2868ab5fe35f3dbf0fce8ac08607bdd82ed70c08d686e2e12862a740bbb

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
352KB

MD5
397118bd777bea6edab6b91f0b033ee8

SHA1
8981b9a54cbd6cb9969886f836e6f0a4843f94dc

SHA256
eb8d6082d898e155e713bf08ccb91d2511b94c60a951b416a1be29be43dfd28b

SHA512
564a486ce6a24f7eb92491c3b9e8a2fe7a6157f4facf575ab80f8108b3a27138b91a32f7c5c6c07135019d8895d94ec5480131f331ae788e1a12b765a10e1bfa

Download Submit
C:\Windows\SysWOW64\Coohhlpe.exe

Filesize
352KB

MD5
0cff31bd719602ca1199f6c2c4762a09

SHA1
463d593803342d9f6a594ac725b2ea9b0231aed3

SHA256
7adf816ad4a79f15b6df2233d292f838f3e1856c75cd4a13c4f9aa17425fe8d9

SHA512
79558cd4819ae0365ab8d2dccafbad5901cca251c9ef9252c947fef5d3d99cab6e0ac57e848f5eff1bdb231a99822f0036aa6d76596e4c2c25de8591364a10f7

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
352KB

MD5
c2497383760a65cd6d6d9e5f8335494e

SHA1
a40a2bca6ed3f875e8d864ae2bf008e1b8a7038f

SHA256
82c01a9f866ef296447ac21c51e782bf53f4b3125147c47a493a0a3c1b5c8bb3

SHA512
507ed520ff8c05332ecc4f5b24619819b1b0ff8c58937c32aaf1056aa10a5c6e2afb005b60a6a81c3bf647562be44fb0dd9ad29a7aa1dd565463e0c44a51c10e

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
352KB

MD5
ccae94170efb616a260db14b24e27b6b

SHA1
740d88cbe546cb90479a1f8b0a5e127511856247

SHA256
f0a3a2635b9225e2821c63d167196eaa2d3b1bfc683a9e191b747b706d9063bb

SHA512
957481a9fd6cbaf38846a4ccfc7a112ce69871b2350fe2c9021c67956a7fc490948e520081d7c2e4ccd1e063f12f0c773688fc16aeabdd254b11355ef4bd5dc4

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
352KB

MD5
be2da61d00ff317b59359ad902799ae3

SHA1
ccf25ae4027bd43a35484a1152df023df2a112de

SHA256
82dccbdb49eabcf3c494dea175ba800ee424e1f9b9987f8658e4b26ddec29608

SHA512
8fb3547f9714fffa26db2ee88d72a271ece74143dd2f9092dc660f3353dca3b43781164194dee57a11d3562a45870d8a7e0c893cab2783266f4a6ec28542c992

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
352KB

MD5
9cd988decf8e0f13f2ed1029a2b19d3c

SHA1
917a251259db5b07e158fa6eeff46b1dd972d184

SHA256
1282049f904a9976921fe674d06159b856e01bd018c1e449d25e868077a75a6c

SHA512
ce381938712e085b43d870b6b1eec16d660a5c2cc6c7edda3b643b24b779aabd43b0167809e8f2b26e294e05375269c953a695b8454ab44c8dea8ca0d1fec015

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
352KB

MD5
36019771da0bacaa54f22d5ab5abfa31

SHA1
a0e519c481f4e8d9fc94ba84ebce11d3fd70d48d

SHA256
080c413fb04ad6eddd2bf75e54bd3ee5f4c1a7cdf8e319fe39974d0c5cfba963

SHA512
084dfed894cbecee34378a30629965a0a5fc06fe8c286aa33aac7cdefadef1cc34780d4f8c322c505dd8c5f3383bc49838dccca47dce3688483bc7060503c06f

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
352KB

MD5
d1e0f78f6ff89f343b22b62a5229c6a1

SHA1
c1bfe2ee266a9baad79ccc19235274cf4f63bad1

SHA256
67df8e5a78d7129d23cafd9860fa4b2736a5006f0df423b4e2c9742187641302

SHA512
c1ba5ad60f6d45e3830a8f40b8c9b7697837112538717f7bd9a3e03fbeca007e4d9f0799ad7eddfce0f3fb77eadcf12601c5057c570d9e3d23612f3f236d7530

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
352KB

MD5
cefaa8a5338ae5b3a451857d26645287

SHA1
f213409c5725147c478d36a4304da79d39ebf7ea

SHA256
82e1e057fce706d900c8ad5f476500d1962d1aedf4a474e5b43126091f6eb58c

SHA512
b7ac15fcc5036e301c48076417aab60907015bfc354ec464de0ae0d5665cf8186f5243850399ee30a8506772c8b6b8d14e762485ff91860d0116e8299eafdd7a

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
352KB

MD5
a9796d4e941314780262129965fa71c2

SHA1
5276b94ad611290a51e343ad46190bc33e72c76a

SHA256
acf184b4d19345d2d1cbd784466431f529612d37b2b031d044d79eb0aa29b7d6

SHA512
a39505243c091433684a0d054223e259fdf147f7781a018abf7fe81c890228df762cb00c850243774c3c52be2308b911195bf71b80dab07ce2fafd6077be29ac

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
352KB

MD5
eacb42bb04351d9a2539bb84aa404fb6

SHA1
86acea7ee7e5e86b5270097bc18f7e0a72291466

SHA256
4c333ae01cf252bf7d23ab67e827c96cf489962d074e5dc90d9ccae95cf2034d

SHA512
d3bfbb6c952cc268e471ae9973ddc51affe8727e03b34edfb71828a3c6cc42320111cef84c7ad6963df14c37b57d4b6db34ba8ffeb2dce4cb390077e827a36eb

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
352KB

MD5
a433e68cdb5b9791246b25984626f0c1

SHA1
4afd0ca541c11b4058b748a50dbc503b78321ea1

SHA256
6fbaca23464e4ad4579d4e2aba23d09bef649e1ebabc047655e02709aacd3cf3

SHA512
ceaec776dda04cd7f9a3228b3214a463453c3f792f6cda27434985347126b7319ce9f560a445404e89ef163fb931c0bb2a8e0a02ee7d096e85b91f71f5d1f8a0

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
352KB

MD5
6931fec7e6c726dc090897806479d22f

SHA1
57a2714829ad51287cd6511209f6af681dca8ffe

SHA256
5c1e788f3f164ab4720c28d9d8d80db8f9611d2e9d96879a0a4c8baa21577838

SHA512
314f85c4c040ecd7d57d29a60195f024802318bd270e1a6144b7a0c6852b7866fd11b717d693e6b75ab59325322a23a8a66ca9f0c37ddd3c74224a7decdfcdb5

Download Submit
memory/220-837-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/228-845-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/416-501-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/432-2335-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/732-500-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/792-829-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/864-646-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-653-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/932-651-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/976-507-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/988-652-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1284-491-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1312-2412-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1312-497-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1336-509-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1360-874-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1656-654-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1672-637-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1692-2366-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1692-650-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-871-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2196-647-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2204-840-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2408-838-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2432-821-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-867-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2692-495-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2904-499-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2940-489-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2988-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3112-649-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3224-881-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3264-820-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3316-868-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3328-492-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3428-643-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3436-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3436-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3564-494-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-644-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3720-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3808-939-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3952-642-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4008-875-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4148-498-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4192-636-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4244-846-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-812-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4484-811-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4500-809-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-2334-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4800-514-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4864-496-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4888-808-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4896-506-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4948-873-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4952-493-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4992-2121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5040-648-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5112-817-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5232-655-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5252-880-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5268-656-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5332-819-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5340-657-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5376-659-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5408-663-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5472-822-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5548-827-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5576-828-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5588-665-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5664-2304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5692-831-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5736-2300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5804-670-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5956-872-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6028-869-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6072-806-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6072-2282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6100-870-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6112-807-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6120-839-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6156-847-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6188-2221-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6188-848-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6228-849-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6260-850-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6272-882-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6424-938-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6520-2095-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6628-922-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6644-852-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6744-921-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6752-853-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6752-2194-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6788-854-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6932-855-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6956-905-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6968-860-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7000-861-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7032-899-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7040-862-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7072-864-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7108-865-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7148-866-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7220-2015-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7424-2013-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8160-2018-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8196-1904-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8200-1910-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8340-1950-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8488-1947-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/9224-1902-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/9692-1869-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/9812-1867-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/10196-1877-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads