gozi | 50856cc7ad67f73eca1fccc6d3b3929dac47e74cbb5af2370e54bba7b65ce611

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe
Size

163KB
MD5

0523691a25306211c4211f4c58689e20
SHA1

e3b7001956419c16dcd8e7413b8057f8622be021
SHA256

50856cc7ad67f73eca1fccc6d3b3929dac47e74cbb5af2370e54bba7b65ce611
SHA512

cb14a5e154efd6c271698d24f9e51a04a8ce17b592af67e444bbb9c51468d7b32a02fa39a291874ff28d1d7452f3881fcac658feea4454d40b94035e4758682f
SSDEEP

1536:P+MRMVuEPeiDIG8BKlFwwxwyvCTV5AYlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:WhF8BOFwwxwVTV2YltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dekhneap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Docmgjhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbbeade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Colffknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dceohhja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlijfneg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaikh32.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

pid	Process
1708	Cbqlfkmi.exe
948	Ceoibflm.exe
4172	Cogmkl32.exe
3948	Cafigg32.exe
3652	Cddecc32.exe
2008	Clkndpag.exe
888	Cojjqlpk.exe
4292	Cahfmgoo.exe
4488	Cecbmf32.exe
1076	Cdfbibnb.exe
3420	Chbnia32.exe
5024	Ckpjfm32.exe
3656	Colffknh.exe
1444	Cbgbgj32.exe
2840	Cefoce32.exe
4516	Cdiooblp.exe
624	Chdkoa32.exe
1868	Clpgpp32.exe
3608	Conclk32.exe
3568	Cbjoljdo.exe
4144	Camphf32.exe
4404	Cehkhecb.exe
1840	Chghdqbf.exe
3860	Clbceo32.exe
3044	Doqpak32.exe
1300	Dbllbibl.exe
1184	Dekhneap.exe
2256	Ddmhja32.exe
2644	Dhidjpqc.exe
1020	Dkgqfl32.exe
1536	Docmgjhp.exe
4636	Dboigi32.exe
2944	Daaicfgd.exe
3888	Ddpeoafg.exe
224	Dhkapp32.exe
3616	Dlgmpogj.exe
5012	Doeiljfn.exe
4812	Dbaemi32.exe
5004	Dadeieea.exe
4396	Ddbbeade.exe
968	Dhnnep32.exe
5016	Dlijfneg.exe
528	Dkljak32.exe
4764	Dohfbj32.exe
4452	Dccbbhld.exe
4784	Dafbne32.exe
2836	Deanodkh.exe
1008	Dhpjkojk.exe
4732	Dllfkn32.exe
3324	Dkoggkjo.exe
416	Dojcgi32.exe
2568	Dceohhja.exe
636	Dhbgqohi.exe
3372	Eaklidoi.exe
1996	Edihepnm.exe
3412	Ehedfo32.exe
3444	Elppfmoo.exe
1092	Ekcpbj32.exe
3328	Ecjhcg32.exe
4804	Eamhodmf.exe
2856	Eeidoc32.exe
4684	Edkdkplj.exe
1416	Ehgqln32.exe
3564	Ekemhj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Opfkao32.dll	Ckpjfm32.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohjgdmkj.dll	Foabofnn.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Iihkpg32.exe
File opened for modification	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Ecmeig32.exe
File created	C:\Windows\SysWOW64\Fooeif32.exe	Flqimk32.exe
File opened for modification	C:\Windows\SysWOW64\Faihkbci.exe	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Clbceo32.exe	Chghdqbf.exe
File created	C:\Windows\SysWOW64\Eocenh32.exe	Ednaqo32.exe
File opened for modification	C:\Windows\SysWOW64\Dohfbj32.exe	Dkljak32.exe
File opened for modification	C:\Windows\SysWOW64\Fdegandp.exe	Febgea32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ojdamdma.dll	Cafigg32.exe
File opened for modification	C:\Windows\SysWOW64\Clbceo32.exe	Chghdqbf.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Mpnaemnl.dll	Hkmefd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Naoncahj.dll	Hkikkeeo.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Cojjqlpk.exe	Clkndpag.exe
File created	C:\Windows\SysWOW64\Oapgek32.dll	Cbjoljdo.exe
File opened for modification	C:\Windows\SysWOW64\Fcmnpe32.exe	Foabofnn.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Jlkagbej.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Gkaejf32.exe	Gicinj32.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Dccbbhld.exe	Dohfbj32.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Gicinj32.exe	Gcfqfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipknlb32.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Pcbdco32.dll	Cdfbibnb.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Docmgjhp.exe	Dkgqfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hmabdibj.exe	Gcimkc32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Edihepnm.exe	Eaklidoi.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cefoce32.exe	Cbgbgj32.exe
File opened for modification	C:\Windows\SysWOW64\Cdiooblp.exe	Cefoce32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10032	9952	WerFault.exe	440

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidpnp32.dll"	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqehkaf.dll"	Dhkapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckajehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll"	Cbgbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhidjpqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkbbg32.dll"	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Eaklidoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjoljdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqoieqhe.dll"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eocenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdalf32.dll"	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clbceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1708	2328	0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe	83
PID 2328 wrote to memory of 1708	2328	0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe	83
PID 2328 wrote to memory of 1708	2328	0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe	83
PID 1708 wrote to memory of 948	1708	Cbqlfkmi.exe	84
PID 1708 wrote to memory of 948	1708	Cbqlfkmi.exe	84
PID 1708 wrote to memory of 948	1708	Cbqlfkmi.exe	84
PID 948 wrote to memory of 4172	948	Ceoibflm.exe	85
PID 948 wrote to memory of 4172	948	Ceoibflm.exe	85
PID 948 wrote to memory of 4172	948	Ceoibflm.exe	85
PID 4172 wrote to memory of 3948	4172	Cogmkl32.exe	86
PID 4172 wrote to memory of 3948	4172	Cogmkl32.exe	86
PID 4172 wrote to memory of 3948	4172	Cogmkl32.exe	86
PID 3948 wrote to memory of 3652	3948	Cafigg32.exe	87
PID 3948 wrote to memory of 3652	3948	Cafigg32.exe	87
PID 3948 wrote to memory of 3652	3948	Cafigg32.exe	87
PID 3652 wrote to memory of 2008	3652	Cddecc32.exe	88
PID 3652 wrote to memory of 2008	3652	Cddecc32.exe	88
PID 3652 wrote to memory of 2008	3652	Cddecc32.exe	88
PID 2008 wrote to memory of 888	2008	Clkndpag.exe	89
PID 2008 wrote to memory of 888	2008	Clkndpag.exe	89
PID 2008 wrote to memory of 888	2008	Clkndpag.exe	89
PID 888 wrote to memory of 4292	888	Cojjqlpk.exe	90
PID 888 wrote to memory of 4292	888	Cojjqlpk.exe	90
PID 888 wrote to memory of 4292	888	Cojjqlpk.exe	90
PID 4292 wrote to memory of 4488	4292	Cahfmgoo.exe	91
PID 4292 wrote to memory of 4488	4292	Cahfmgoo.exe	91
PID 4292 wrote to memory of 4488	4292	Cahfmgoo.exe	91
PID 4488 wrote to memory of 1076	4488	Cecbmf32.exe	92
PID 4488 wrote to memory of 1076	4488	Cecbmf32.exe	92
PID 4488 wrote to memory of 1076	4488	Cecbmf32.exe	92
PID 1076 wrote to memory of 3420	1076	Cdfbibnb.exe	93
PID 1076 wrote to memory of 3420	1076	Cdfbibnb.exe	93
PID 1076 wrote to memory of 3420	1076	Cdfbibnb.exe	93
PID 3420 wrote to memory of 5024	3420	Chbnia32.exe	94
PID 3420 wrote to memory of 5024	3420	Chbnia32.exe	94
PID 3420 wrote to memory of 5024	3420	Chbnia32.exe	94
PID 5024 wrote to memory of 3656	5024	Ckpjfm32.exe	95
PID 5024 wrote to memory of 3656	5024	Ckpjfm32.exe	95
PID 5024 wrote to memory of 3656	5024	Ckpjfm32.exe	95
PID 3656 wrote to memory of 1444	3656	Colffknh.exe	96
PID 3656 wrote to memory of 1444	3656	Colffknh.exe	96
PID 3656 wrote to memory of 1444	3656	Colffknh.exe	96
PID 1444 wrote to memory of 2840	1444	Cbgbgj32.exe	97
PID 1444 wrote to memory of 2840	1444	Cbgbgj32.exe	97
PID 1444 wrote to memory of 2840	1444	Cbgbgj32.exe	97
PID 2840 wrote to memory of 4516	2840	Cefoce32.exe	98
PID 2840 wrote to memory of 4516	2840	Cefoce32.exe	98
PID 2840 wrote to memory of 4516	2840	Cefoce32.exe	98
PID 4516 wrote to memory of 624	4516	Cdiooblp.exe	99
PID 4516 wrote to memory of 624	4516	Cdiooblp.exe	99
PID 4516 wrote to memory of 624	4516	Cdiooblp.exe	99
PID 624 wrote to memory of 1868	624	Chdkoa32.exe	100
PID 624 wrote to memory of 1868	624	Chdkoa32.exe	100
PID 624 wrote to memory of 1868	624	Chdkoa32.exe	100
PID 1868 wrote to memory of 3608	1868	Clpgpp32.exe	101
PID 1868 wrote to memory of 3608	1868	Clpgpp32.exe	101
PID 1868 wrote to memory of 3608	1868	Clpgpp32.exe	101
PID 3608 wrote to memory of 3568	3608	Conclk32.exe	102
PID 3608 wrote to memory of 3568	3608	Conclk32.exe	102
PID 3608 wrote to memory of 3568	3608	Conclk32.exe	102
PID 3568 wrote to memory of 4144	3568	Cbjoljdo.exe	103
PID 3568 wrote to memory of 4144	3568	Cbjoljdo.exe	103
PID 3568 wrote to memory of 4144	3568	Cbjoljdo.exe	103
PID 4144 wrote to memory of 4404	4144	Camphf32.exe	104

C:\Users\Admin\AppData\Local\Temp\0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0523691a25306211c4211f4c58689e20_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\Cbqlfkmi.exe
  C:\Windows\system32\Cbqlfkmi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Ceoibflm.exe
    C:\Windows\system32\Ceoibflm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\Cogmkl32.exe
      C:\Windows\system32\Cogmkl32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        23⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        26⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        27⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        33⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        34⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        37⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        38⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        39⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        40⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        47⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        48⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        49⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        50⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        51⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        54⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        57⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        58⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        59⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        60⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        61⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        62⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        64⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        66⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        68⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        71⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        72⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        73⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        74⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        75⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        76⤵
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        77⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        78⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        79⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        80⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        82⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        84⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        85⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        86⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        87⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        88⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        90⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        91⤵
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        92⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:100
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        94⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        95⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        96⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1268
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:696
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4760
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        100⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        101⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        102⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        103⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        104⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        105⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        107⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        108⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        109⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        110⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        111⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        112⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        114⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        115⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        116⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        117⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        118⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        120⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        121⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        122⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        124⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        126⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        127⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        128⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        130⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        131⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        132⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        138⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        139⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        140⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        141⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        143⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        144⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        145⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        146⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        147⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        148⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        149⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        150⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        151⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        152⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        153⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        155⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        156⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        157⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        160⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        161⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        162⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        163⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        164⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        165⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        166⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        167⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        170⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        171⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        172⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        174⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        177⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        178⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        179⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        180⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        181⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        182⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        183⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        185⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        188⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        189⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        190⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        191⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        194⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        195⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        196⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        198⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        199⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        201⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        202⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        206⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        207⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        209⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        210⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        212⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        213⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        214⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        215⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        216⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        217⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        218⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        219⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        220⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        221⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        223⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        224⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        225⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        226⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        227⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7684
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        230⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        231⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        232⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        233⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        234⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        235⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        236⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8052
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        238⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        239⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8184
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        241⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        243⤵
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        244⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        245⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        246⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        247⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        248⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7672
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        250⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        251⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        252⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        253⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        254⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        255⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        256⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        257⤵
        Drops file in System32 directory
        
        PID:8180
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        258⤵
        Drops file in System32 directory
        
        PID:7172
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        259⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        260⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7504
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7696
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        264⤵
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        265⤵
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        266⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        268⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7664
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        271⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        272⤵
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        273⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7412
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        275⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        276⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        277⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        279⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        280⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        281⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        282⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        283⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        284⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        285⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        286⤵
        Drops file in System32 directory
        
        PID:8460
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        287⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8552
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        289⤵
        Modifies registry class
        
        PID:8592
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        290⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        291⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8708
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        293⤵
        Modifies registry class
        
        PID:8752
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        294⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8824
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        296⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        297⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        298⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        299⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        300⤵
        Modifies registry class
        
        PID:9020
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        301⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        302⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9140
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        304⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        305⤵
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        306⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        307⤵
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        308⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        309⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        310⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        311⤵
        Modifies registry class
        
        PID:8588
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        312⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        313⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        314⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        315⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        316⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        317⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        318⤵
        Modifies registry class
        
        PID:9076
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        319⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        320⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8404
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        322⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        323⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8660
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        324⤵
        Drops file in System32 directory
        
        PID:8856
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        325⤵
        Modifies registry class
        
        PID:9052
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        326⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        327⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        328⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        330⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8852
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        331⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        332⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        333⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        334⤵
        Modifies registry class
        
        PID:9320
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        335⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        336⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        337⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        338⤵
        Modifies registry class
        
        PID:9464
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9504
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        340⤵
        Modifies registry class
        
        PID:9540
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        341⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9612
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9648
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9688
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        345⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        346⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        347⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9836
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        349⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        350⤵
        Drops file in System32 directory
        
        PID:9912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        351⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9952 -s 396
        352⤵
        Program crash
        
        PID:10032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 9952 -ip 9952
1⤵
PID:10008

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:8536

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:7284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
163KB

MD5
3a21bf1347212967366a67c14ceda748

SHA1
c8fa2a485019392275e5383757e995e949b0968b

SHA256
a534ddd0ea457af1498764ac11ae28ec3100adc59bb4aefdd5013da9b7cd6be9

SHA512
09cc13d69e5d5e5fa2acfde351d36bb5e4347fad71840eec891fca449764e02de61a6bd9c5d57d34c688ff8d1d95d71fe842843d72f24b14286125fd80da7c13

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
c27d646550cd7a821124d4539f94c5c8

SHA1
4e05a40caa1e39d5b9891fdd1c2a4c60ed2bf3be

SHA256
53d42e1a4b286edf925202a4b3d8ddc0602affde1666bf422df1033d6bd72315

SHA512
4c3c871a45bf4d667ff9c997230e29b862ccd56ab2e784cde30c0171904e5bfa513de1a235e3897f5f25e758b0a830fcc49eca2882bd6f66f752e316ef39bb72

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
fa2532a07c63806cd0e72a5dc6b07250

SHA1
28aeeae983e3e20f727a068c10c3001788e6b27b

SHA256
a9f8bf7fa9edcb0d93dba09c19b80ca1b7d02055c8711ef27466dd32521b18f6

SHA512
c6cc61fcf4e42dedb6614454a62fd80b6847f73531fc9532def9db38ef290994be1aad418d8054073fe27b813219394cd60bca07e4939f437af8ac80871c827c

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
163KB

MD5
6abbd8fc66c65418bd72443accab49d9

SHA1
e9af9d2242198fc7510f933387fb4608b0dbd66e

SHA256
48c56db92aa2e0df3f376a11e8ee21c7011b4837a99da59c24e830f6f2813183

SHA512
07ec57901c8637b73e54c24ccfa03938b652d32163e9f3c1b3dafe614a327e418146115cf7e5b40d49f4e6eb7bbfa197bfcb2770f83c40bf3736019da581d262

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
163KB

MD5
99defba4c0e388c3224e999c86cabcc7

SHA1
a9d945550cb1e7581a04e52255135024bd0b546a

SHA256
83d1be23aa38a639878574bcde2d69a431d234fe041649632e222dd87e6208f6

SHA512
da63e587d5d773730eedeb52c0e0336a54f1d3310d438cb070baab613306a93f3b36ce50a11e15377ce69458d2814801d38462997f5e53d3da00bc94f79657d9

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
163KB

MD5
cbf5c67638cb033abb65c21a66948431

SHA1
a88cc38966554764cc62281fd8dbf8ff9e625f01

SHA256
2872d8acd16f0681621f34fe44897d5b46951c73a28f84d07a94d71e563a1f30

SHA512
418251d6935258ce425ef310cd1572297a34c2ed3d4c3170500e49f75ca4ee5096179afaf046467701182e436fe9eeef2a33725049e204e8de7b876c47542794

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
163KB

MD5
a4dae32a7ad92639b3b7e01869018e40

SHA1
c3d0c9fce77a04d758fe66886ebe6f015acc705e

SHA256
4655af52339513694b443bd42805d14d5966b305fc05581cb0ce6d34640e59a1

SHA512
d1daa77adb95b375fbbd03a75cbc46e86aa9bb772f7a73300b5e7d31924b3d73da8ed4ef1ad5c7b0dae21df0ea4e598ac2d469e194be8caafe59af9fb006a8f7

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
163KB

MD5
5b29d42c6a3b2c5d4523fde062962c1f

SHA1
833418f3e3858fd75582a2625645508f43855b90

SHA256
c05a45ca44b60903710a51278249e7b1b853a12fe542f14805beeb79e509db43

SHA512
89e27f75a9e1b35c734315d3ff468ca14781100ae940412ff34c67436fab95a5587d65d4d33e479efa72740f4f8d615298aba86481f6d05c6a7e1db4e07e3ea0

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
163KB

MD5
824440401bf5646fffa1544973e60246

SHA1
dbc9b23b22abb9770bf3321c404af55552601125

SHA256
2ad0d6f2357739dd41ba246891d4a5e587ad0678dd0b51fc08aa47e83a127868

SHA512
f33384eddfafe7947da06b726179d5e694d68a8d2a9a0397f00d93d18a46de61c4d9ce2322ed92c780bd74c0211ebcf3f8355ed862dfea31f4902e47ba1a8fd2

Download Submit
C:\Windows\SysWOW64\Cbqlfkmi.exe

Filesize
163KB

MD5
4f1391405de5baf2db8920aadc9c8000

SHA1
b4d4e31fad10d78cd9fa4271d60fd40d5d7b5347

SHA256
7dcd94d5ab4959bd25506aa40f84c0015d564caca045d4f23185212056e2cdf1

SHA512
953f3fadc650ece651c714305a4010e9db46e68204af49d3e15a7f64eb61ae3c784fa5d7a68aad882c30caf3a6a807ff0e74e39b5116026d836b021538446832

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
163KB

MD5
055797fff8ab5ec686ad1f249435952f

SHA1
eb21480948e47ed7853f8665d55750eaa0c36339

SHA256
e51732bd18945ea619178fe0b87af87577fe3c45455fcd7c0998f1f3a87cf584

SHA512
4478db50c0baf695a509327a3a838b6998b5f7d1f4311392d6ccfef2e55bae5d88524ab2069a5e4efe89a89b2e8db2c7429c4f3fedc38d0f3a91308a66d8c1d2

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
163KB

MD5
9375ccaab055084cae6145ddf6520438

SHA1
35b8a363d11ad34d4b701ad5036e16a3eeb30a76

SHA256
69213f3fc88d8d4a6266ae009413b83019235734bdb9c7b8c514f93020fe499a

SHA512
61a6ec886880227b87379c15da19a8b1909a1125cbac00c818616c0ca2964fb6748a4167f8a1a1ea4c7cfa3ac43b630e793cb1d0d504912b6b5866168949cf35

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
0ec26d88e4fee01c8d26005328c41374

SHA1
f2a632537dc604949a84c6f6a526d5de01afd6c0

SHA256
c7a23d034e3a6c52506b4da44a8d68e53d5286fca94245f0e6134a7e216642c4

SHA512
1978676150ce7dfe087131e21d034e47f92f08e0d330b775af1234cad8cc017db39798884b4be65f32e2b30bcdff8415e10d6abc399889d510d0183a0cd3c67d

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
163KB

MD5
aea55252268a728fcbd26b02463f3373

SHA1
d1fc9672cd3f82d2b0c579575125572e97bb2fcb

SHA256
3d1ca0a388919c14662c820966c60b74ad75fb25c6de880da99a173865b6234f

SHA512
8428c4cbb89780e74f0308045604b539e917221c477182cce133358e9d9fb2de69446a860ac0b012adaee057e36654d84d097efc79cc3dfe017f902ff6b268c4

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
163KB

MD5
c60dbde71030d2722bbfc5b2863d75a8

SHA1
6d656e131b116bdb211aabd833e7de0749b96316

SHA256
db6741130c80d828bfea32194438fc0148602355ecbaafd68783217f970f52fb

SHA512
bf125bf94c3ba842bf0f6d8a11773d4df09fcf874e4af018df41e732f0de8ecc6477f520dd9de03d548629948831ba82db07130dabf50fc2c14535ccb5e04d14

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
163KB

MD5
c20f5279f5204a23d5a9c755069a10ce

SHA1
69aa8b1a2d7e6cde43c564dbb6cac4d0eef9913b

SHA256
b6eff96f2eb49d8bb14bcdfbdd879211c29c24033ed39fdfa3e2ab2c33427eeb

SHA512
aa17feed404ad7c01736514ca7572d651deb15414f58ba1a1fa0519abdd30b3385870faecf592a6c9538ae7432cdd8bb5e81190744ea6485b4c051419a9fe5bf

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
163KB

MD5
8fd9d4b2d44d2cb3b5e9b10bf45da929

SHA1
a857d33b9e33b2532103aaed36a8bf9e57580cea

SHA256
35a169a45bb913fbb0f5cdcaf510fe36c6ce976f220874f558c05ae5cab7d052

SHA512
37984e8def87e9846e1750d793f52823ba20b40889cca854502724c812b92c5ff9cb6fef49fad366130495f896c7ce856b525aa803e6f6499991217c7752b132

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
163KB

MD5
b3161103f7d96fde12a69875b690b742

SHA1
2ba02657865fd63ad1d5942f1cf4879883c42741

SHA256
63d37edafba72c92f2e910df14d93906cee18d1eb8ae08b9647bcdd12450cf17

SHA512
cd116223363a317cae69dceeaea8f1a8e2b5a76f95e84af461671fef156d63664a1ad314313be2d35d051fd8569768705ee0cab215a8cc4ee8f31fa56c538e16

Download Submit
C:\Windows\SysWOW64\Chbnia32.exe

Filesize
163KB

MD5
b53b8123d7ec30e0283112335c4e8104

SHA1
800b467e90999d4a31f4c807d0b0ada9d8c43144

SHA256
6fca3fd8ef65160e6c6ef29cca5089af7921073a0de2f0554dacd2a2054421cc

SHA512
b28f29e025324fc31b694e7a6526636998f754e2fd85965f97d1bb77b6274c7de3fd9ea5dfb9a5eca7bd8a6b66a201a08c7359298e551d588d54fb893b1a60c7

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
163KB

MD5
ab4760c02346926936e3402fbaaec808

SHA1
6403d5febe0cda2986f456fb1fcf5ed7e84fefd9

SHA256
84c2925dcc77c4b5d4ff4745649135f68a3f6553c5ba6dea8e07207daf7328c7

SHA512
68f2d4971e858d38df24ccffcb8ca428a3a953c1bb84a2924a024416c851544ca36521c307bf3c48e82e3a7c1ac3a1db02fe2f91c08066055df1fbd9faca0eb6

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
163KB

MD5
36964f73092a263ec88d95b8a4fd71c4

SHA1
40dc449986276b7a516cb3500259e59680e2ec28

SHA256
3fd9d67eba2c9b82f7d603adf32b23f432da71bd95cbaabd27121c980dfc00ff

SHA512
ac17c55ae55797cf83947404066b6e55a6de2f8568536a43781cbe0360383c592c3bd6c07705774828e143854845bd1ae14d871bdf9e79602e951872e56d3e55

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
f46fb497ae6a6f58a38ceb9133fe738e

SHA1
a4602181099053fe0ee29b0c5e120202a939e52a

SHA256
2ec0138e0c37c899797424f666a8ffc0ba0f379fa40b668f153cc44b85245d7c

SHA512
70fc118975458496f1d6646796ff272530975cfdd503ae9e1b4d657e5ff1f193abd1580ee7cdb470525377941398325bd77ed3535a1d6bf7226de0a1550e78d4

Download Submit
C:\Windows\SysWOW64\Ckpjfm32.exe

Filesize
163KB

MD5
1b79d9c2072fbcbc67a390a757163284

SHA1
a6118444324260bbe3e3d5b171fea19e30a8db4a

SHA256
8e1b40a8d1b757aac5db0f51e2c51c8580f62066d03452d83420d0097067a6b8

SHA512
325ed05b814353ffa505780dc0b2548b3c13a36d840f5dc97cef23aed97e4827c0a35c32fe4401b859c8f0a27e47ef76a17b23cab6ba7ea763619ddf2f5e32dc

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
163KB

MD5
cc7ebace697f07f49e8bcc4136ad51fb

SHA1
2a23003388a9214c4959aba0e78b9ff4b3ca23c0

SHA256
b98ba6af0b03b2f3d298d658946a11a9d97c4176a7e5a7a6deab387538e21a62

SHA512
0e7b2f181307f616280a0703e920c383e6cdcd148732610c04673ac65b8843f0ae2358ddc76564d69058c73ffc422690fd97bf0ec7ede56231f21b7bbdfe4f08

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
163KB

MD5
f936acb0f3ffd9f26e8d5e605e5773d8

SHA1
d6ec30744383794de7b34305dcdcf24d0602991d

SHA256
020d2f79d55f55985379cf91c002cc6629e5968594a6649bc56d86fe149a867f

SHA512
73b4a26af70efb770e82b311829d39d412724fa0d124758a4d742b140f009d1252a0c9194ca535d0e4b9ef3ff0a5ac7504d8c36006bfa2ebb74aeed548b1117c

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
163KB

MD5
dbdba325c4c71ca5008609328b063c6d

SHA1
662c304a32682af9cafb9395a7ffe1216b386d8c

SHA256
bf1ae6466519ac76f03a59ce3e86b805bb124de2102cea9ae2d5a7bfb74b3ef4

SHA512
cf3ee9ef04c03632225bc47458ccd4ee802d6f7a7782bda3d740785c1567a52109935a175626d27593a8763bbf8d79e1d039a9b91fe26bba8d86b30a7d2c8dcd

Download Submit
C:\Windows\SysWOW64\Cogmkl32.exe

Filesize
163KB

MD5
bb6fe5466e0d56a0a5a680670cba9440

SHA1
12592b62900ea37a4530b99f77d05bd8bba1c1cc

SHA256
d13efa18eaeac74d5e9bb9da5459aeb97d1a34fc5fa09e23650f50b3208d1b0f

SHA512
78479a0a55116239148c9cf844aca065cd3dcacfa9b1891435c368336f117535eadc8cc5836f3261ad7e3c5ad3dfa6d49bf098493dcd7d9968366c98e23468eb

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
163KB

MD5
d122b4dd15e292da147ca744ef509c74

SHA1
7474f35b2ddb39f5f99aec57addc6844a4b2caca

SHA256
8e206947c3e2d10bc78b5c30ee2869b82d0ac2a4f2d73bc0d5a55d99ce9b6829

SHA512
f9ea2fcc5c4a3fd32c7075b0f12b3b9aeedc6337e250a2f40913250b5b1e70e9969830b1e3cfdcd157fe4e07a82fc4a5f49c8d829d207f5ab7feed861a11a463

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
163KB

MD5
e38d6cd9688b9ff4be9387db5a530d57

SHA1
d9371adde681e4d67d81507b2bfea758ef5a4417

SHA256
f257b0ec3e7af3978bac14eb6b2ec53db569e8545e174bcbe6cd4032040a86f6

SHA512
c56d140184bc71882620360a331033e0629473fde38ac364ebddc6b25cc8c642a6ace84bc8056c3d9827731f0b23c54c6258abb203ec482bfead6a8daf4eb84a

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
163KB

MD5
dbb8110f7873c40fd2a3f4aeadbb6925

SHA1
7d14cb782163173747c1c74a164b0ab394a82a00

SHA256
f42aac8524919e46a8bb5ff799fdc4b4ee4b98c4156310ac6543fa7913964a35

SHA512
eaa8eb105d29d19b211b76248d1cd02f1185e08af6b991c5aeb41a54cf858a723f6b959dbc4e23cddc7af673115e60d59c445e34f7a798eb7584d0368b4f9a3a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
1b91f90901b25896891f1cdddd0268c7

SHA1
142c2d8bd7ad50d236382d26b0b60069b03415cd

SHA256
b5bcb58597ff733e60c43b97791bc3de5671f4eeb9c7e11a7247274f377aa3fa

SHA512
88ee03c516cbd5bb8ae1f71588b6fbc45d18571272e4ae7ccd634905fbf81f44ce0c4eabd8429c399c2a7fb0d08d7a9adebf2ffa30d2df35e6a4ee6c095076d4

Download Submit
C:\Windows\SysWOW64\Dbllbibl.exe

Filesize
163KB

MD5
00bd9340562e34f68a4a9c195eee680e

SHA1
afe04e809e2469c8e961bc0f37ed78fa842c1192

SHA256
cefab2f738963ec6451ec95ecb0fd94bbfd6fc3be04cadc9aa54467ef32a2d98

SHA512
3c63e16775c63147437ee12c48f26a32dfbb2f5f419448bd80fbd37fa5f2f7f38fd6b0511e549a348d8348d3c9fa795ecd95152fb720e854522d07d6242a09c1

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
163KB

MD5
2d17dc0c874c1f3562ad886303a38470

SHA1
83e4d6f4a26e3993e966c1b98e11f78ce91e9593

SHA256
b37cbe426658bf9a996cb1e1e958f584ef085978520a925b9deeb9e449b1b76c

SHA512
f04a66b5a82832984b7fcdb23de68413000b2c8dace4db53bf021173aa16f07534f912181c9018cdfe55d208aa2268b7dcb9c5a78b217971d387f2c5fa9bad1b

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
163KB

MD5
ee28b4c3747b381627db20bfadf95e0a

SHA1
497254481c9da331d3516df75993af2b03bec1fb

SHA256
e9fe155a4bebe6704fd7b320dfb323565ab2cc8b571ef12a659610396dab0d4f

SHA512
9940de2bf0d141e2c42dd668756ab6d7fc7c18bc2b8d733db34c87810144405e4c0bcf62759efbda6418e98a6b985064d2a1c438f36d050d1481681fe2a0d886

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
163KB

MD5
1f45ef18ff0571e4dd59e2ba66fd7f03

SHA1
62ad87f5626edb6a7cf01676b2171d77be6b6280

SHA256
6388f4717d6f632a7eedf63f0a02131ac2c10ea3773dc663006ea5e3e7b48e3d

SHA512
a9c8507c1579ebe4dfa83af8e688eb3c731c060b10a2988db2c7bdf74b3268fcad7a708e2c82f58e7ffd3e40b09aa37b442e1cd963a4931b8086cd1b9b0eb279

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
163KB

MD5
5a5f9ed4379da77ea3947d7a12434f47

SHA1
559bb8f4fad0e8a8807580d9fd1330728a181942

SHA256
87a13bae1ff232bfba8ae62e495f9045c582ebbb9f0dc9419dc10f85ac0526c8

SHA512
748486f8bd4d0342b42ac91055c8d68159641bd87c657340827ba2938d36697a8c5631759fcab1c937939caa18f556683c111e1a55c2743f01a528af4382acf3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
163KB

MD5
7c2cf1627c2697d98ab15a2a0aede15c

SHA1
6f82fa1300c7cf2cf8e0db717adcf0311a8784fd

SHA256
ad867f0e11185c00eaafb1fe6c7bda6b48624fa22c11d00c61ea178d59c63565

SHA512
52486599e4e302456843c4955021930f717040511dccb7ebfe7f31a4e8e9a73be9e096f4531eb85d08bd3189e326752b1872a7fd43a31207dafd3a8d8cd1c683

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
163KB

MD5
d91e950464a5424c84f53f91b8347c48

SHA1
23db21b99d8451dabdc3e471fa9662d849be195a

SHA256
345b4d82b7b5f85a75410e70d55da0fd445318714a4544a27e8b6e8578c0fa7c

SHA512
25ff59ed7c619fe7500cedb0033b4e94d366342f244cef4c6ea4e84200b502876aae7c98788da852e073517112d94aba45fe5d820ec79873ccb0c6b893133779

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
163KB

MD5
36a7bd34465617172063907f5be38d41

SHA1
df28f423b9ce3de3f9f7f7d656059f928f35b561

SHA256
9c66106ef24509592821f1212700424fc7170ee354723da27069e48047b84ad5

SHA512
51a82a8cade6cc80e7c865a512f8f7308f0e29e174239f6a278e82367319d51af43dea8a4200c4628ca42f4edaf01d74c73f003d47c96876e5739ce820bb1a38

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
163KB

MD5
82ff8a0edfe644a1fca3ed97f83170f2

SHA1
a851ee86b69a83014847a083913e0ae28b2d4572

SHA256
998bf3bf177ee40a1a58ab4efc87091b73280bb02d535cc73bd43b95ea6084ae

SHA512
f756636a76dab819f9ebf91c15ea8ab5eb4832e806db83150a3ed084ba0e94e0dc29bfea89ae875f585ce311591f8c7cf3ff1f3ef04fd6988af5a3f60ec334fc

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
163KB

MD5
289d20e8863d0cd80f52e31c841a90a7

SHA1
9535e88ecf109b64c81b33c54060172da3b82dac

SHA256
6a684055b01ec07a4f212edbf5e8c063ee9e319709fd19d971465f370244e64e

SHA512
d84387fc652ece5578ca783c17542f4b0c8830827784c6c4c53c98eb02da607f445c210be3421c6b99779aaf2f985401dc0b9654ed68f979c595cf8b858214c1

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
163KB

MD5
fa2e727a4c1163a5f7e63782ce2b735e

SHA1
96afdc422fe70b802b6ee654c72f2dad64f2e6db

SHA256
f0d926f52d1451bb03399d2682f385d9ef5af6e634cc75893750ba22664db68e

SHA512
6a38fd5c89f4a3e108801a3394efb8661fdc47cd809fc8b59708de101c8d722b2a2d3e4e04b929b57e86673da0345d51f75c35b75058f257b0beaeb5a048d32f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
163KB

MD5
d9f9cf635f86e9da1c5435db4004f798

SHA1
1147b46144c4f060125152d1d55797cf5dca3c39

SHA256
d87beb6dee6eb9238d097c961ec92a96301e949a00c0540a26cdbc01abd703ad

SHA512
a21d415fb2246ef6cf7a5f32b3f2e148ac7af28467d03592d51a722ba9a7178ef3c0c257e8d96c34fb498ca1c49b8e3bea4a52ceb2a83cc0837fcbd7b5d21e2e

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
163KB

MD5
dff8b26a01df41148e557fb53bd25003

SHA1
24960ba20dd1e231a5a9a2014623871cc2ec517e

SHA256
3b3c7c9f0c271cebf9d1e341ae043ba036b232c93d82e9199a2b048d9759be92

SHA512
ef4bbf2160799ee1a94d6726063b9076d17b2c7e328688ffb2a2afef061bedfcde0ede8bf4fdb0345c898a45909f6886328e45ef9a8251a22b6aaaafbdfd3007

Download Submit
memory/100-596-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/320-2716-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/320-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/528-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/548-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/624-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-600-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/696-624-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/848-545-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/864-2700-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/880-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/888-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/948-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/968-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1008-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-504-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1256-597-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1268-613-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1444-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1740-611-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1788-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1840-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1868-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1888-651-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1996-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2256-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2616-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2836-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2840-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3036-635-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3044-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3240-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3280-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3328-2738-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3412-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3420-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3420-2833-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3564-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3568-344-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3592-606-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3608-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3616-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3888-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3948-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4144-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4172-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4240-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4396-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4404-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4488-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4516-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4732-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4760-2658-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4784-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-612-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-610-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5004-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5024-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-535-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5144-794-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5156-657-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5196-668-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5224-796-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5272-678-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5300-802-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5308-680-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5396-696-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5432-697-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5444-2594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5480-703-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5512-813-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5556-714-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5600-725-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5644-726-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5652-822-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5652-2589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5704-732-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5760-738-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5844-749-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5916-755-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5944-2554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5960-761-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6004-771-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6028-2580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6044-773-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6100-779-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6272-2474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6580-2522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6912-2448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7172-2342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7296-2322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8016-2385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8660-2224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8708-2274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8980-2260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/9148-2228-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/9320-2213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads