Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 03:40

General

  • Target

    1fbe327464836d274ae4ed88422ebd51a7d51276984d562c0dc514dd0a91317eN.exe

  • Size

    3.2MB

  • MD5

    892ed62f8ddabfda4f6b956e76336aa0

  • SHA1

    fcdb789e4824c85226ca38adc63ecff077986c2d

  • SHA256

    1fbe327464836d274ae4ed88422ebd51a7d51276984d562c0dc514dd0a91317e

  • SHA512

    465b5554cf759999fd2a23cb63c6f98f0f1cd7ba3ecff3ef6fddc2b60e0a0d9430f83f38643cb73417a023a5b8c0de114ee2de18660eccd587d3529628a3bf16

  • SSDEEP

    98304:AklBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:AklBFLPj3JStuv40ar7zrbDlsa2VIlPu

Malware Config

Extracted

  • Family
    berbew
  • C2
    http://f/wcmd.htm
    http://f/ppslog.php
    http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fbe327464836d274ae4ed88422ebd51a7d51276984d562c0dc514dd0a91317eN.exe
    "C:\Users\Admin\AppData\Local\Temp\1fbe327464836d274ae4ed88422ebd51a7d51276984d562c0dc514dd0a91317eN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\Pkgcea32.exe
      C:\Windows\system32\Pkgcea32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\Adfnofpd.exe
        C:\Windows\system32\Adfnofpd.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\Aajohjon.exe
          C:\Windows\system32\Aajohjon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\Aoalgn32.exe
            C:\Windows\system32\Aoalgn32.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:408
            • C:\Windows\SysWOW64\Adndoe32.exe
              C:\Windows\system32\Adndoe32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3568
              • C:\Windows\SysWOW64\Bochmn32.exe
                C:\Windows\system32\Bochmn32.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:968
                • C:\Windows\SysWOW64\Bdpaeehj.exe
                  C:\Windows\system32\Bdpaeehj.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3688
                  • C:\Windows\SysWOW64\Bdbnjdfg.exe
                    C:\Windows\system32\Bdbnjdfg.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1592
                    • C:\Windows\SysWOW64\Bklfgo32.exe
                      C:\Windows\system32\Bklfgo32.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:4580
                      • C:\Windows\SysWOW64\Bafndi32.exe
                        C:\Windows\system32\Bafndi32.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3244
                        • C:\Windows\SysWOW64\Bhpfqcln.exe
                          C:\Windows\system32\Bhpfqcln.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:432
                          • C:\Windows\SysWOW64\Bojomm32.exe
                            C:\Windows\system32\Bojomm32.exe
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:652
                            • C:\Windows\SysWOW64\Bedgjgkg.exe
                              C:\Windows\system32\Bedgjgkg.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of WriteProcessMemory
                              PID:624
                              • C:\Windows\SysWOW64\Blnoga32.exe
                                C:\Windows\system32\Blnoga32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:3440
                                • C:\Windows\SysWOW64\Bffcpg32.exe
                                  C:\Windows\system32\Bffcpg32.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3948
                                  • C:\Windows\SysWOW64\Blqllqqa.exe
                                    C:\Windows\system32\Blqllqqa.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:220
                                    • C:\Windows\SysWOW64\Cnahdi32.exe
                                      C:\Windows\system32\Cnahdi32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:1424
                                      • C:\Windows\SysWOW64\Chglab32.exe
                                        C:\Windows\system32\Chglab32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2352
                                        • C:\Windows\SysWOW64\Coadnlnb.exe
                                          C:\Windows\system32\Coadnlnb.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Suspicious use of WriteProcessMemory
                                          PID:3892
                                          • C:\Windows\SysWOW64\Cfkmkf32.exe
                                            C:\Windows\system32\Cfkmkf32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:1688
                                            • C:\Windows\SysWOW64\Chiigadc.exe
                                              C:\Windows\system32\Chiigadc.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious use of WriteProcessMemory
                                              PID:4328
                                              • C:\Windows\SysWOW64\Cocacl32.exe
                                                C:\Windows\system32\Cocacl32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                PID:3576
                                                • C:\Windows\SysWOW64\Cfnjpfcl.exe
                                                  C:\Windows\system32\Cfnjpfcl.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3000
                                                  • C:\Windows\SysWOW64\Clgbmp32.exe
                                                    C:\Windows\system32\Clgbmp32.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:4880
                                                    • C:\Windows\SysWOW64\Cofnik32.exe
                                                      C:\Windows\system32\Cofnik32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      PID:1620
                                                      • C:\Windows\SysWOW64\Cdbfab32.exe
                                                        C:\Windows\system32\Cdbfab32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4232
                                                        • C:\Windows\SysWOW64\Ckmonl32.exe
                                                          C:\Windows\system32\Ckmonl32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          PID:4768
                                                          • C:\Windows\SysWOW64\Cnkkjh32.exe
                                                            C:\Windows\system32\Cnkkjh32.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5036
                                                            • C:\Windows\SysWOW64\Cdecgbfa.exe
                                                              C:\Windows\system32\Cdecgbfa.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:3656
                                                              • C:\Windows\SysWOW64\Dkokcl32.exe
                                                                C:\Windows\system32\Dkokcl32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:4104
                                                                • C:\Windows\SysWOW64\Dbicpfdk.exe
                                                                  C:\Windows\system32\Dbicpfdk.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:4924
                                                                  • C:\Windows\SysWOW64\Dhclmp32.exe
                                                                    C:\Windows\system32\Dhclmp32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    PID:4396
                                                                    • C:\Windows\SysWOW64\Domdjj32.exe
                                                                      C:\Windows\system32\Domdjj32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4332
                                                                      • C:\Windows\SysWOW64\Ddjmba32.exe
                                                                        C:\Windows\system32\Ddjmba32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:2568
                                                                        • C:\Windows\SysWOW64\Dkceokii.exe
                                                                          C:\Windows\system32\Dkceokii.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:5104
                                                                          • C:\Windows\SysWOW64\Dnbakghm.exe
                                                                            C:\Windows\system32\Dnbakghm.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            PID:5112
                                                                            • C:\Windows\SysWOW64\Digehphc.exe
                                                                              C:\Windows\system32\Digehphc.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:656
                                                                              • C:\Windows\SysWOW64\Doaneiop.exe
                                                                                C:\Windows\system32\Doaneiop.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Modifies registry class
                                                                                PID:1420
                                                                                • C:\Windows\SysWOW64\Dflfac32.exe
                                                                                  C:\Windows\system32\Dflfac32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3140
                                                                                  • C:\Windows\SysWOW64\Dmennnni.exe
                                                                                    C:\Windows\system32\Dmennnni.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:3480
                                                                                    • C:\Windows\SysWOW64\Dngjff32.exe
                                                                                      C:\Windows\system32\Dngjff32.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:760
                                                                                      • C:\Windows\SysWOW64\Deqcbpld.exe
                                                                                        C:\Windows\system32\Deqcbpld.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:2656
                                                                                        • C:\Windows\SysWOW64\Ekkkoj32.exe
                                                                                          C:\Windows\system32\Ekkkoj32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:2556
                                                                                          • C:\Windows\SysWOW64\Ebdcld32.exe
                                                                                            C:\Windows\system32\Ebdcld32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2376
                                                                                            • C:\Windows\SysWOW64\Eiokinbk.exe
                                                                                              C:\Windows\system32\Eiokinbk.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:4812
                                                                                              • C:\Windows\SysWOW64\Eoideh32.exe
                                                                                                C:\Windows\system32\Eoideh32.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:684
                                                                                                • C:\Windows\SysWOW64\Efblbbqd.exe
                                                                                                  C:\Windows\system32\Efblbbqd.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:1036
                                                                                                  • C:\Windows\SysWOW64\Emmdom32.exe
                                                                                                    C:\Windows\system32\Emmdom32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:2196
                                                                                                    • C:\Windows\SysWOW64\Ennqfenp.exe
                                                                                                      C:\Windows\system32\Ennqfenp.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:4344
                                                                                                      • C:\Windows\SysWOW64\Eehicoel.exe
                                                                                                        C:\Windows\system32\Eehicoel.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:1844
                                                                                                        • C:\Windows\SysWOW64\Epmmqheb.exe
                                                                                                          C:\Windows\system32\Epmmqheb.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies registry class
                                                                                                          PID:4760
                                                                                                          • C:\Windows\SysWOW64\Efgemb32.exe
                                                                                                            C:\Windows\system32\Efgemb32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:4244
                                                                                                            • C:\Windows\SysWOW64\Emanjldl.exe
                                                                                                              C:\Windows\system32\Emanjldl.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3056
                                                                                                              • C:\Windows\SysWOW64\Enbjad32.exe
                                                                                                                C:\Windows\system32\Enbjad32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:4032
                                                                                                                • C:\Windows\SysWOW64\Felbnn32.exe
                                                                                                                  C:\Windows\system32\Felbnn32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:3560
                                                                                                                  • C:\Windows\SysWOW64\Fpbflg32.exe
                                                                                                                    C:\Windows\system32\Fpbflg32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Modifies registry class
                                                                                                                    PID:3348
                                                                                                                    • C:\Windows\SysWOW64\Fflohaij.exe
                                                                                                                      C:\Windows\system32\Fflohaij.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:1744
                                                                                                                      • C:\Windows\SysWOW64\Fmfgek32.exe
                                                                                                                        C:\Windows\system32\Fmfgek32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:3052
                                                                                                                        • C:\Windows\SysWOW64\Fngcmcfe.exe
                                                                                                                          C:\Windows\system32\Fngcmcfe.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:5016
                                                                                                                          • C:\Windows\SysWOW64\Fealin32.exe
                                                                                                                            C:\Windows\system32\Fealin32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:3160
                                                                                                                            • C:\Windows\SysWOW64\Flkdfh32.exe
                                                                                                                              C:\Windows\system32\Flkdfh32.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:4100
                                                                                                                              • C:\Windows\SysWOW64\Fbelcblk.exe
                                                                                                                                C:\Windows\system32\Fbelcblk.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                PID:4796
                                                                                                                                • C:\Windows\SysWOW64\Fiodpl32.exe
                                                                                                                                  C:\Windows\system32\Fiodpl32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:3904
                                                                                                                                  • C:\Windows\SysWOW64\Fpimlfke.exe
                                                                                                                                    C:\Windows\system32\Fpimlfke.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4988
                                                                                                                                    • C:\Windows\SysWOW64\Ffceip32.exe
                                                                                                                                      C:\Windows\system32\Ffceip32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:5156
                                                                                                                                      • C:\Windows\SysWOW64\Fmmmfj32.exe
                                                                                                                                        C:\Windows\system32\Fmmmfj32.exe
                                                                                                                                        67⤵
                                                                                                                                        PID:5196
                                                                                                                                          • C:\Windows\SysWOW64\Fnnjmbpm.exe
                                                                                                                                            C:\Windows\system32\Fnnjmbpm.exe
                                                                                                                                            68⤵
                                                                                                                                          PID:5236
                                                                                                                                              • C:\Windows\SysWOW64\Gehbjm32.exe
                                                                                                                                                C:\Windows\system32\Gehbjm32.exe
                                                                                                                                                69⤵
                                                                                                                                            PID:5276
                                                                                                                                                  • C:\Windows\SysWOW64\Gpnfge32.exe
                                                                                                                                                    C:\Windows\system32\Gpnfge32.exe
                                                                                                                                                    70⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5316
                                                                                                                                                    • C:\Windows\SysWOW64\Gfhndpol.exe
                                                                                                                                                      C:\Windows\system32\Gfhndpol.exe
                                                                                                                                                      71⤵
                                                                                                                                                PID:5356
                                                                                                                                                        • C:\Windows\SysWOW64\Gmafajfi.exe
                                                                                                                                                          C:\Windows\system32\Gmafajfi.exe
                                                                                                                                                          72⤵
                                                                                                                                                  PID:5396
                                                                                                                                                            • C:\Windows\SysWOW64\Gncchb32.exe
                                                                                                                                                              C:\Windows\system32\Gncchb32.exe
                                                                                                                                                              73⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              PID:5436
                                                                                                                                                              • C:\Windows\SysWOW64\Gemkelcd.exe
                                                                                                                                                                C:\Windows\system32\Gemkelcd.exe
                                                                                                                                                                74⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                PID:5476
                                                                                                                                                                • C:\Windows\SysWOW64\Glgcbf32.exe
                                                                                                                                                                  C:\Windows\system32\Glgcbf32.exe
                                                                                                                                                                  75⤵
                                                                                                                                                        PID:5516
                                                                                                                                                                    • C:\Windows\SysWOW64\Gbalopbn.exe
                                                                                                                                                                      C:\Windows\system32\Gbalopbn.exe
                                                                                                                                                                      76⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      PID:5556
                                                                                                                                                                      • C:\Windows\SysWOW64\Gikdkj32.exe
                                                                                                                                                                        C:\Windows\system32\Gikdkj32.exe
                                                                                                                                                                        77⤵
                                                                                                                                                            PID:5596
                                                                                                                                                                          • C:\Windows\SysWOW64\Gpelhd32.exe
                                                                                                                                                                            C:\Windows\system32\Gpelhd32.exe
                                                                                                                                                                            78⤵
                                                                                                                                                              PID:5636
                                                                                                                                                                              • C:\Windows\SysWOW64\Gfodeohd.exe
                                                                                                                                                                                C:\Windows\system32\Gfodeohd.exe
                                                                                                                                                                                79⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:5676
                                                                                                                                                                                • C:\Windows\SysWOW64\Gmimai32.exe
                                                                                                                                                                                  C:\Windows\system32\Gmimai32.exe
                                                                                                                                                                                  80⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:5716
                                                                                                                                                                                  • C:\Windows\SysWOW64\Gojiiafp.exe
                                                                                                                                                                                    C:\Windows\system32\Gojiiafp.exe
                                                                                                                                                                                    81⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:5756
                                                                                                                                                                                    • C:\Windows\SysWOW64\Hedafk32.exe
                                                                                                                                                                                      C:\Windows\system32\Hedafk32.exe
                                                                                                                                                                                      82⤵
                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      PID:5796
                                                                                                                                                                                      • C:\Windows\SysWOW64\Hpiecd32.exe
                                                                                                                                                                                        C:\Windows\system32\Hpiecd32.exe
                                                                                                                                                                                        83⤵
                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                        PID:5840
                                                                                                                                                                                        • C:\Windows\SysWOW64\Hfcnpn32.exe
                                                                                                                                                                                          C:\Windows\system32\Hfcnpn32.exe
                                                                                                                                                                                          84⤵
                                                                                                                                                                          PID:5884
                                                                                                                                                                                            • C:\Windows\SysWOW64\Hmmfmhll.exe
                                                                                                                                                                                              C:\Windows\system32\Hmmfmhll.exe
                                                                                                                                                                                              85⤵
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5928
                                                                                                                                                                                              • C:\Windows\SysWOW64\Hoobdp32.exe
                                                                                                                                                                                                C:\Windows\system32\Hoobdp32.exe
                                                                                                                                                                                                86⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:5972
                                                                                                                                                                                                • C:\Windows\SysWOW64\Hehkajig.exe
                                                                                                                                                                                                  C:\Windows\system32\Hehkajig.exe
                                                                                                                                                                                                  87⤵
                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                  PID:6016
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Hlbcnd32.exe
                                                                                                                                                                                                    C:\Windows\system32\Hlbcnd32.exe
                                                                                                                                                                                                    88⤵
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:6056
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Hblkjo32.exe
                                                                                                                                                                                                      C:\Windows\system32\Hblkjo32.exe
                                                                                                                                                                                                      89⤵
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:6096
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Hifcgion.exe
                                                                                                                                                                                                        C:\Windows\system32\Hifcgion.exe
                                                                                                                                                                                                        90⤵
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:6136
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Hpqldc32.exe
                                                                                                                                                                                                          C:\Windows\system32\Hpqldc32.exe
                                                                                                                                                                                                          91⤵
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          PID:4320
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Hemdlj32.exe
                                                                                                                                                                                                            C:\Windows\system32\Hemdlj32.exe
                                                                                                                                                                                                            92⤵
                                                                                                                                                                                                              PID:4116
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Hlglidlo.exe
                                                                                                                                                                                                                C:\Windows\system32\Hlglidlo.exe
                                                                                                                                                                                                                93⤵
                                                                                                                                                                                                                  PID:2216
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ibaeen32.exe
                                                                                                                                                                                                                    C:\Windows\system32\Ibaeen32.exe
                                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:4840
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Iikmbh32.exe
                                                                                                                                                                                                                      C:\Windows\system32\Iikmbh32.exe
                                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                      PID:976
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Ipeeobbe.exe
                                                                                                                                                                                                                        C:\Windows\system32\Ipeeobbe.exe
                                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:4528
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ifomll32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Ifomll32.exe
                                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:5152
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Imiehfao.exe
                                                                                                                                                                                                                            C:\Windows\system32\Imiehfao.exe
                                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:5228
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Iojbpo32.exe
                                                                                                                                                                                                                              C:\Windows\system32\Iojbpo32.exe
                                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:5300
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Iedjmioj.exe
                                                                                                                                                                                                                                C:\Windows\system32\Iedjmioj.exe
                                                                                                                                                                                                                                100⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:5364
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Ilnbicff.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Ilnbicff.exe
                                                                                                                                                                                                                                  101⤵
                                                                                                                                                                                                                                    PID:5428
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Ibhkfm32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Ibhkfm32.exe
                                                                                                                                                                                                                                      102⤵
                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                      PID:5500
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Iibccgep.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Iibccgep.exe
                                                                                                                                                                                                                                        103⤵
                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        PID:5564
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ilqoobdd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Ilqoobdd.exe
                                                                                                                                                                                                                                          104⤵
                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:5628
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Igfclkdj.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Igfclkdj.exe
                                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                                              PID:5712
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Impliekg.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Impliekg.exe
                                                                                                                                                                                                                                                106⤵
                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                PID:5784
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Joahqn32.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Joahqn32.exe
                                                                                                                                                                                                                                                  107⤵
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:5876
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Jekqmhia.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\Jekqmhia.exe
                                                                                                                                                                                                                                                    108⤵
                                                                                                                                                                                                                                                      PID:5956
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Jleijb32.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Jleijb32.exe
                                                                                                                                                                                                                                                        109⤵
                                                                                                                                                                                                                                                          PID:6024
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Jgkmgk32.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Jgkmgk32.exe
                                                                                                                                                                                                                                                            110⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:6092
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Jmeede32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Jmeede32.exe
                                                                                                                                                                                                                                                              111⤵
                                                                                                                                                                                                                                                                PID:4340
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Jofalmmp.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Jofalmmp.exe
                                                                                                                                                                                                                                                                  112⤵
                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                  PID:4168
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Jepjhg32.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Jepjhg32.exe
                                                                                                                                                                                                                                                                    113⤵
                                                                                                                                                                                                                                                                      PID:4540
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Jpenfp32.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Jpenfp32.exe
                                                                                                                                                                                                                                                                        114⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:2784
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Jgpfbjlo.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Jgpfbjlo.exe
                                                                                                                                                                                                                                                                          115⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
PID:2896
• C:\Windows\SysWOW64\Jniood32.exe
  C:\Windows\system32\Jniood32.exe
  116⤵
  PID:5220
  • C:\Windows\SysWOW64\Jokkgl32.exe
    C:\Windows\system32\Jokkgl32.exe
    117⤵
    PID:4388
    • C:\Windows\SysWOW64\Jedccfqg.exe
      C:\Windows\system32\Jedccfqg.exe
      118⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:5420
      • C:\Windows\SysWOW64\Jlolpq32.exe
        C:\Windows\system32\Jlolpq32.exe
        119⤵
        • System Location Discovery: System Language Discovery
        PID:5540
        • C:\Windows\SysWOW64\Kcidmkpq.exe
          C:\Windows\system32\Kcidmkpq.exe
          120⤵
          • System Location Discovery: System Language Discovery
          PID:5660
          • C:\Windows\SysWOW64\Kjblje32.exe
            C:\Windows\system32\Kjblje32.exe
            121⤵
            PID:5792
            • C:\Windows\SysWOW64\Kpmdfonj.exe
              C:\Windows\system32\Kpmdfonj.exe
              122⤵
              PID:3496
              • C:\Windows\SysWOW64\Kgflcifg.exe
                C:\Windows\system32\Kgflcifg.exe
                123⤵
                • Drops file in System32 directory
                • Modifies registry class
                PID:6004
                • C:\Windows\SysWOW64\Knqepc32.exe
                  C:\Windows\system32\Knqepc32.exe
                  124⤵
                  PID:6120
                  • C:\Windows\SysWOW64\Koaagkcb.exe
                    C:\Windows\system32\Koaagkcb.exe
                    125⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Modifies registry class
                    PID:4744
                    • C:\Windows\SysWOW64\Kflide32.exe
                      C:\Windows\system32\Kflide32.exe
                      126⤵
                      • Modifies registry class
                      PID:1552
                      • C:\Windows\SysWOW64\Kncaec32.exe
                        C:\Windows\system32\Kncaec32.exe
                        127⤵
                        PID:5368
                        • C:\Windows\SysWOW64\Kodnmkap.exe
                          C:\Windows\system32\Kodnmkap.exe
                          128⤵
                          • System Location Discovery: System Language Discovery
                          PID:6184
                          • C:\Windows\SysWOW64\Kfnfjehl.exe
                            C:\Windows\system32\Kfnfjehl.exe
                            129⤵
                            • Drops file in System32 directory
                            PID:6224
                            • C:\Windows\SysWOW64\Klhnfo32.exe
                              C:\Windows\system32\Klhnfo32.exe
                              130⤵
                              PID:6264
                              • C:\Windows\SysWOW64\Kcbfcigf.exe
                                C:\Windows\system32\Kcbfcigf.exe
                                131⤵
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                PID:6304
                                • C:\Windows\SysWOW64\Kngkqbgl.exe
                                  C:\Windows\system32\Kngkqbgl.exe
                                  132⤵
                                  • Modifies registry class
                                  PID:6344
                                  • C:\Windows\SysWOW64\Lpfgmnfp.exe
                                    C:\Windows\system32\Lpfgmnfp.exe
                                    133⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • System Location Discovery: System Language Discovery
                                    PID:6384
                                    • C:\Windows\SysWOW64\Lfbped32.exe
                                      C:\Windows\system32\Lfbped32.exe
                                      134⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:6424
                                      • C:\Windows\SysWOW64\Llmhaold.exe
                                        C:\Windows\system32\Llmhaold.exe
                                        135⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        PID:6464
                                        • C:\Windows\SysWOW64\Lcgpni32.exe
                                          C:\Windows\system32\Lcgpni32.exe
                                          136⤵
                                          PID:6504
                                          • C:\Windows\SysWOW64\Ljqhkckn.exe
                                            C:\Windows\system32\Ljqhkckn.exe
                                            137⤵
                                            PID:6544
                                            • C:\Windows\SysWOW64\Lqkqhm32.exe
                                              C:\Windows\system32\Lqkqhm32.exe
                                              138⤵
                                              PID:6584
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Lgdidgjg.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Lgdidgjg.exe
                                                                                                                                                                                                                                                                                                                                              139⤵
                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                              PID:6624
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Lnoaaaad.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Lnoaaaad.exe
                                                                                                                                                                                                                                                                                                                                                140⤵
                                                                                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                PID:6664
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Lopmii32.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Lopmii32.exe
                                                                                                                                                                                                                                                                                                                                                  141⤵
                                                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                  PID:6704
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Lfjfecno.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Lfjfecno.exe
                                                                                                                                                                                                                                                                                                                                                    142⤵
                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                    PID:6744
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Lmdnbn32.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Lmdnbn32.exe
                                                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                      PID:6784
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Lcnfohmi.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Lcnfohmi.exe
                                                                                                                                                                                                                                                                                                                                                        144⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                        PID:6824
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Ljhnlb32.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Ljhnlb32.exe
                                                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                          PID:6864
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Mqafhl32.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Mqafhl32.exe
                                                                                                                                                                                                                                                                                                                                                            146⤵
                                                                                                                                                                                                                                                                                                                                                              PID:6904
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Mgloefco.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Mgloefco.exe
                                                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                PID:6944
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Mnegbp32.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Mnegbp32.exe
                                                                                                                                                                                                                                                                                                                                                                  148⤵
                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                  PID:6984
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Mogcihaj.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Mogcihaj.exe
                                                                                                                                                                                                                                                                                                                                                                    149⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:7024
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Mfqlfb32.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Mfqlfb32.exe
                                                                                                                                                                                                                                                                                                                                                                        150⤵
                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                        PID:7064
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Mqfpckhm.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Mqfpckhm.exe
                                                                                                                                                                                                                                                                                                                                                                          151⤵
                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                          PID:7104
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Mgphpe32.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Mgphpe32.exe
                                                                                                                                                                                                                                                                                                                                                                            152⤵
                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                            PID:7144
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Mmmqhl32.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Mmmqhl32.exe
                                                                                                                                                                                                                                                                                                                                                                              153⤵
                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                              PID:3076
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Mcgiefen.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Mcgiefen.exe
                                                                                                                                                                                                                                                                                                                                                                                154⤵
                                                                                                                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                PID:5448
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Mnmmboed.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Mnmmboed.exe
                                                                                                                                                                                                                                                                                                                                                                                  155⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                  PID:5348
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Monjjgkb.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Monjjgkb.exe
                                                                                                                                                                                                                                                                                                                                                                                    156⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                    PID:5484
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Mfhbga32.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Mfhbga32.exe
                                                                                                                                                                                                                                                                                                                                                                                      157⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                      PID:5684
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Nmbjcljl.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Nmbjcljl.exe
                                                                                                                                                                                                                                                                                                                                                                                        158⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Nggnadib.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Nggnadib.exe
                                                                                                                                                                                                                                                                                                                                                                                            159⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                            PID:6044
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Nnafno32.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Nnafno32.exe
                                                                                                                                                                                                                                                                                                                                                                                              160⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                              PID:3152
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Ncnofeof.exe
                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Ncnofeof.exe
                                                                                                                                                                                                                                                                                                                                                                                                161⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:5092
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Nflkbanj.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Nflkbanj.exe
                                                                                                                                                                                                                                                                                                                                                                                                    162⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5900
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Nmfcok32.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Nmfcok32.exe
                                                                                                                                                                                                                                                                                                                                                                                                        163⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                        PID:6196
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Nglhld32.exe
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Nglhld32.exe
                                                                                                                                                                                                                                                                                                                                                                                                          164⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                          PID:6252
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Nnfpinmi.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Nnfpinmi.exe
                                                                                                                                                                                                                                                                                                                                                                                                            165⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6312
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Npgmpf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Npgmpf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                              166⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:6368
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Nfaemp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Nfaemp32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  167⤵
• System Location Discovery: System Language Discovery
PID:6420
• C:\Windows\SysWOW64\Nmkmjjaa.exe
  C:\Windows\system32\Nmkmjjaa.exe
  168⤵
  • Modifies registry class
  PID:6476
  • C:\Windows\SysWOW64\Nceefd32.exe
    C:\Windows\system32\Nceefd32.exe
    169⤵
    • System Location Discovery: System Language Discovery
    PID:6532
    • C:\Windows\SysWOW64\Ojomcopk.exe
      C:\Windows\system32\Ojomcopk.exe
      170⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • System Location Discovery: System Language Discovery
      PID:6596
      • C:\Windows\SysWOW64\Oaifpi32.exe
        C:\Windows\system32\Oaifpi32.exe
        171⤵
        PID:6660
        • C:\Windows\SysWOW64\Offnhpfo.exe
          C:\Windows\system32\Offnhpfo.exe
          172⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:6732
          • C:\Windows\SysWOW64\Onmfimga.exe
            C:\Windows\system32\Onmfimga.exe
            173⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            PID:6796
            • C:\Windows\SysWOW64\Opnbae32.exe
              C:\Windows\system32\Opnbae32.exe
              174⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              PID:6860
              • C:\Windows\SysWOW64\Ojdgnn32.exe
                C:\Windows\system32\Ojdgnn32.exe
                175⤵
                • System Location Discovery: System Language Discovery
                PID:6932
                • C:\Windows\SysWOW64\Oanokhdb.exe
                  C:\Windows\system32\Oanokhdb.exe
                  176⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  PID:6996
                  • C:\Windows\SysWOW64\Oghghb32.exe
                    C:\Windows\system32\Oghghb32.exe
                    177⤵
                    • Modifies registry class
                    PID:7056
                    • C:\Windows\SysWOW64\Onapdl32.exe
                      C:\Windows\system32\Onapdl32.exe
                      178⤵
                      • System Location Discovery: System Language Discovery
                      PID:7132
                      • C:\Windows\SysWOW64\Opclldhj.exe
                        C:\Windows\system32\Opclldhj.exe
                        179⤵
                        • Modifies registry class
                        PID:5140
                        • C:\Windows\SysWOW64\Ofmdio32.exe
                          C:\Windows\system32\Ofmdio32.exe
                          180⤵
                          PID:5488
                          • C:\Windows\SysWOW64\Omgmeigd.exe
                            C:\Windows\system32\Omgmeigd.exe
                            181⤵
                            • Drops file in System32 directory
                            PID:5604
                            • C:\Windows\SysWOW64\Ocaebc32.exe
                              C:\Windows\system32\Ocaebc32.exe
                              182⤵
                              • Drops file in System32 directory
                              • Modifies registry class
                              PID:5872
                              • C:\Windows\SysWOW64\Pnfiplog.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Pnfiplog.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      183⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4456
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Ppgegd32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Ppgegd32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        184⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3664
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Pfandnla.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Pfandnla.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          185⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6192
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Pagbaglh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Pagbaglh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6300
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Phajna32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Phajna32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Pmnbfhal.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Pmnbfhal.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Pdhkcb32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Pdhkcb32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Pjbcplpe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Pjbcplpe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      190⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Palklf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Palklf32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        191⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Phfcipoo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Phfcipoo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          192⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Pnplfj32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Pnplfj32.exe
  193⤵
  • Drops file in System32 directory
  PID:7016
• C:\Windows\SysWOW64\Ppahmb32.exe
  C:\Windows\system32\Ppahmb32.exe
  194⤵
  • Drops file in System32 directory
  PID:7116
• C:\Windows\SysWOW64\Qfkqjmdg.exe
  C:\Windows\system32\Qfkqjmdg.exe
  195⤵
  • Adds autorun key to be loaded by Explorer.exe on startup
  PID:3012
• C:\Windows\SysWOW64\Qmeigg32.exe
  C:\Windows\system32\Qmeigg32.exe
  196⤵
  PID:5620
• C:\Windows\SysWOW64\Qdoacabq.exe
  C:\Windows\system32\Qdoacabq.exe
  197⤵
  PID:5768
• C:\Windows\SysWOW64\Qjiipk32.exe
  C:\Windows\system32\Qjiipk32.exe
  198⤵
  • Drops file in System32 directory
  PID:5940
• C:\Windows\SysWOW64\Qpeahb32.exe
  C:\Windows\system32\Qpeahb32.exe
  199⤵
  • Modifies registry class
  PID:6328
• C:\Windows\SysWOW64\Afpjel32.exe
  C:\Windows\system32\Afpjel32.exe
  200⤵
  • Drops file in System32 directory
  PID:6460
• C:\Windows\SysWOW64\Amjbbfgo.exe
  C:\Windows\system32\Amjbbfgo.exe
  201⤵
  PID:6652
• C:\Windows\SysWOW64\Adcjop32.exe
  C:\Windows\system32\Adcjop32.exe
  202⤵
  PID:6836
• C:\Windows\SysWOW64\Aknbkjfh.exe
  C:\Windows\system32\Aknbkjfh.exe
  203⤵
  PID:6980
• C:\Windows\SysWOW64\Apjkcadp.exe
  C:\Windows\system32\Apjkcadp.exe
  204⤵
  PID:7152
• C:\Windows\SysWOW64\Agdcpkll.exe
  C:\Windows\system32\Agdcpkll.exe
  205⤵
  PID:5512
• C:\Windows\SysWOW64\Amnlme32.exe
  C:\Windows\system32\Amnlme32.exe
  206⤵
  • Drops file in System32 directory
  PID:5328
• C:\Windows\SysWOW64\Adhdjpjf.exe
  C:\Windows\system32\Adhdjpjf.exe
  207⤵
  • System Location Discovery: System Language Discovery
  PID:7204
• C:\Windows\SysWOW64\Akblfj32.exe
  C:\Windows\system32\Akblfj32.exe
  208⤵
  PID:7244
• C:\Windows\SysWOW64\Apodoq32.exe
  C:\Windows\system32\Apodoq32.exe
  209⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Agimkk32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Agimkk32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                210⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7324
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Amcehdod.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Amcehdod.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    211⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bdmmeo32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Bdmmeo32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      212⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bobabg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Bobabg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        213⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bpdnjple.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bpdnjple.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          214⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bkibgh32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Bkibgh32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            215⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bacjdbch.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Bacjdbch.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              216⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Bgpcliao.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Bgpcliao.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  217⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bmjkic32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Bmjkic32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      218⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bddcenpi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Bddcenpi.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        219⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bknlbhhe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Bknlbhhe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          220⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bahdob32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Bahdob32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            221⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bhblllfo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Bhblllfo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              222⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Bnoddcef.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Bnoddcef.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  223⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cdimqm32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cdimqm32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      224⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Conanfli.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Conanfli.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          225⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cponen32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Cponen32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            226⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ckebcg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Ckebcg32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              227⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cpbjkn32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cpbjkn32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  228⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cglbhhga.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cglbhhga.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      229⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Caageq32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Caageq32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        230⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Chkobkod.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Chkobkod.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          231⤵
• System Location Discovery: System Language Discovery
PID:8164
• C:\Windows\SysWOW64\Cnhgjaml.exe
  C:\Windows\system32\Cnhgjaml.exe
  232⤵
  • Drops file in System32 directory
  • System Location Discovery: System Language Discovery
  PID:6212
  • C:\Windows\SysWOW64\Cdbpgl32.exe
    C:\Windows\system32\Cdbpgl32.exe
    233⤵
    • System Location Discovery: System Language Discovery
    PID:6452
    • C:\Windows\SysWOW64\Cnjdpaki.exe
      C:\Windows\system32\Cnjdpaki.exe
      234⤵
      PID:6776
      • C:\Windows\SysWOW64\Dhphmj32.exe
        C:\Windows\system32\Dhphmj32.exe
        235⤵
        • System Location Discovery: System Language Discovery
        PID:7052
        • C:\Windows\SysWOW64\Dojqjdbl.exe
          C:\Windows\system32\Dojqjdbl.exe
          236⤵
          • System Location Discovery: System Language Discovery
          PID:5568
          • C:\Windows\SysWOW64\Ddgibkpc.exe
            C:\Windows\system32\Ddgibkpc.exe
            237⤵
            PID:7192
            • C:\Windows\SysWOW64\Dkqaoe32.exe
              C:\Windows\system32\Dkqaoe32.exe
              238⤵
              PID:7264
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 412
                239⤵
                • Program crash
                PID:7412

• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7264 -ip 7264
  1⤵
  PID:7372

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Windows\SysWOW64\Aajohjon.exe
  Filesize 3.2MB
  MD5 564282b8ea37cd074c5b13e50e908f3a
  SHA1 bce1b99bb0c2f47e00f790f73dc24818b1c009df
  SHA256 71471ae1acca004b290a08732970422cfff2323e1341112b79dc1c829af0986b
  SHA512 ab0a290d6eb39f21622b679fcbf29cc4d23fddd154b5dff10379dc5399dfb250176a25ee38bf926d4768b4eb6953a3b4adaaa7052a0e64cd45b3ea97eda7666b

• C:\Windows\SysWOW64\Adfnofpd.exe
  Filesize 3.2MB
  MD5 deac054d42273f809d687a63c597f790
  SHA1 f5f0f3e1b8ee989a3427338b96588de9479a1ef7
  SHA256 1af85a5cd2a9cbeddaa925a6179a7e85565adcd254162358ce1a3006230b415d
  SHA512 ca95b101f37e30a49c2c99933b30763887617d966e3fe70f685f1435f10571c5616216063f7b211d7c7d44884a6147ae863b8267c5af086a948e9310a6df97ef

• C:\Windows\SysWOW64\Adndoe32.exe
  Filesize 3.2MB
  MD5 0cad215af391ab6458400cfa1bb52517
  SHA1 a322a7527121aeaa445422c661a0ddaf1dc5f767
  SHA256 e7a6ed4973795a4ace4ecbeca3f9a1e61df0830d04f3d8642625ab749db817d5
  SHA512 6128d48eb93378de2216579466ed7c8d30b965d608cd6b103980da4f6ab5e4a8d5521d5edbde17f6a2b602def8a2f0b36cfccdfb39899287a638996a3c0e5b83

• C:\Windows\SysWOW64\Aoalgn32.exe
  Filesize 3.2MB
  MD5 3c85fe1d4e1b7f919eb32d515034c3de
  SHA1 a409c1fd7a3680a667733a9920b27b191e88f5d3
  SHA256 70877a1c7ed5020272744c2d8c69b849a18e6b7d570b9d34953579b0665701fa
  SHA512 b858f775592096996a501cfea6713f6211f9a40b15f07c5ef47bb120905d21b5b2c56d9cc65b2ce8d513d9b1b0aa0901768d5c00e2d76c3bebc58e56d7573fea

• C:\Windows\SysWOW64\Bafndi32.exe
  Filesize 3.2MB
  MD5 6bd6e126c1a5e277c9d259c1bbcc2fb1
  SHA1 69d8bfd9c4423b94445ff4e87645c288050c5458
  SHA256 b18def083a400b16041c9a4e71108b055d4e8316c3a3afffa333f7ded6eaf60a
  SHA512 3f132ffc9cc86c367bf067554a48afd22ed409cb02fd8dbed65c7d77ad6d09125bca9f7d273a5f8cb1b21928d3338b563d31e3ba602dbf0e5839678be3e4f979

• C:\Windows\SysWOW64\Bdbnjdfg.exe
  Filesize 3.2MB
  MD5 82e0d01900528cfca3a90f00c28ca703
  SHA1 c7f67c8196f13d6f1bfe2fc33209cab49cc266eb
  SHA256 9afc015fb0eed9fcd75ac3bd051aa46795bcf612b8176df191f1d34a3d66f1ad
  SHA512 95a753db05f4122420ddba0db09e4c54248e9f268f81df4c955462f286a2edc9c28077105b14c12aa30eca1df91efa6406ccf1d8bdeeadbe4d4951b1df4411f1

• C:\Windows\SysWOW64\Bdpaeehj.exe
  Filesize 3.2MB
  MD5 df910c6246c0bc59899f24541ad3e359

                                                                                                                            SHA1

                                                                                                                            8441172e2c2e3f16e5924ca405052daaf1b0db0e

                                                                                                                            SHA256

                                                                                                                            71f7d2710b824e4e8c71a85b7488d6937754ab1ff28d4922ea22a3fdec5918b1

                                                                                                                            SHA512

                                                                                                                            9a73d8b281cec4b73ef243c52c158da7a66962eb475b16ee3c24c7254ecd8c91f7d12ef4a5beb92f2c89f5b0c838f7626fbc4cc10f3f820ad22ec8353c74d371

                                                                                                                          • C:\Windows\SysWOW64\Bedgjgkg.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            884e29657a9d2589ef1c1d6710e44227

                                                                                                                            SHA1

                                                                                                                            235c40f421eb0f33c63c7206661138dd2a44bd8d

                                                                                                                            SHA256

                                                                                                                            2cffe9628d1d226458a0ec53064e47c2366c0174d8049f763330c44b87d01b40

                                                                                                                            SHA512

                                                                                                                            7d1789972d323320675dfb3af2457b457ad8cd06f6af6f7dc6233a0e0dcf72d57f8dae1cf61dee75d3debf3b587ce1b386dc5a4353d279e8e5c77826f706d6ae

                                                                                                                          • C:\Windows\SysWOW64\Bffcpg32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            61848b810877295a9d547db28c61bd2f

                                                                                                                            SHA1

                                                                                                                            83aef9bd3470e3ce52b4c543552bff962c77af32

                                                                                                                            SHA256

                                                                                                                            832ae73ba1dad93569c505447256357fa28a44aafbc6e420e2051ddb6cc84bad

                                                                                                                            SHA512

                                                                                                                            9676c2922ee3a010d5ef70cb7aab852735ff0d964e69c9c9ff83f4e6e45b678c5cff143d0ee7ec4e7365a200eacbc137d13c92d842a4b1286d14ef21a063f280

                                                                                                                          • C:\Windows\SysWOW64\Bhpfqcln.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            88e04512c864ffbb84fcbf05f13441bd

                                                                                                                            SHA1

                                                                                                                            872eaee26d5b46123749e8ad0775858ce1442e55

                                                                                                                            SHA256

                                                                                                                            ad1cb15c4e42c463f08d3fda4675b1e6868e875e02a14e5544339d5031956efe

                                                                                                                            SHA512

                                                                                                                            ea86001f9782e97f71768ade0991334b3c2f737f13f24fbe40ce28938be94cd3f05b8d308c7ebc43adc3a10c2d91a57f7e628f38f7dfb63efe06f1c91fd4d78d

                                                                                                                          • C:\Windows\SysWOW64\Bklfgo32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            56c7d0b8a567f99228a5b249da13a064

                                                                                                                            SHA1

                                                                                                                            3116ff2c2c68afdc1d3307faf7ffbbd1879ed0ca

                                                                                                                            SHA256

                                                                                                                            2b439263b2cfbd5e8f33c4ffb3d5502182b6f3a00eab132106cc3f4d2d4f69c4

                                                                                                                            SHA512

                                                                                                                            d1f223dd096623144ad100d11d18251e90b2e4bf480499408ad741021eb25d15b86f4ce0b9b44e8324da222ce5dc8f616d51b13ce3ecf36396d6d9f9d40711c5

                                                                                                                          • C:\Windows\SysWOW64\Blnoga32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            7cac644fa443ce7817a4325c9c6a62c7

                                                                                                                            SHA1

                                                                                                                            74edf615c0a17844613eab2d1a7452ed5e2240c2

                                                                                                                            SHA256

                                                                                                                            918e2211db8c8b9dcd142b381ade3473073e7ab534acb746ce5cf7c81323f87a

                                                                                                                            SHA512

                                                                                                                            97d3c58e4f8903fb0961427a8c54652263cc92dda9cac24918e22763e3221e9896bd5972051a97c880506e3aebc3820b11d09b3923a831d4cdb56d067f97c649

                                                                                                                          • C:\Windows\SysWOW64\Blqllqqa.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            340b1a9c52da484b051fb49a33e27e97

                                                                                                                            SHA1

                                                                                                                            155e530e4af64280e0f3c082800a77b0eb7216b5

                                                                                                                            SHA256

                                                                                                                            95b66bba368ed691057b43a39530ff2d8e1961fa77f8f7345d9efc28e65ba683

                                                                                                                            SHA512

                                                                                                                            d0f21958fd16bae6fd6e47cfe91131ce1d8c459f47fd52a2cf4138c876c92da403320f49e4a68d7c6891a9d5813efcb84fdc5ac225870f10ecd9944683494124

                                                                                                                          • C:\Windows\SysWOW64\Bochmn32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            6360434fccf108f640ba3da1476c6683

                                                                                                                            SHA1

                                                                                                                            cb2da35e97369a3d6bb169b4faccb450c0e6f7c5

                                                                                                                            SHA256

                                                                                                                            46366fb3736020eb38ab1a0f54c910c44aca6c163ec6f5500853ef873a662faa

                                                                                                                            SHA512

                                                                                                                            d39d81f56828639c49fc8eddf63ff324321e22ce91db51f3422d76105b211d0530d328651bd284e38368397ab1293ba633d2d5e801f6e28b9ca1b7ec8f93755a

                                                                                                                          • C:\Windows\SysWOW64\Bojomm32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            61de174e615a838f39177a578f129caa

                                                                                                                            SHA1

                                                                                                                            dbfb721df286738c5296050311c377a99744408d

                                                                                                                            SHA256

                                                                                                                            07f4825762d2bfdccb07c2ad7fb9a1def5c94c911cac45665e431c393f5701de

                                                                                                                            SHA512

                                                                                                                            607688194e884c502e3eb25ad5804480e7adc78501bac3bbfd187b7b6e62425d864d699954512ff64328c26bde0e76216c875411b6936e28de0ec31ed8df8f79

                                                                                                                          • C:\Windows\SysWOW64\Cdbfab32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            82b5b84b2a71e4f89d5fb0d4d785608d

                                                                                                                            SHA1

                                                                                                                            69eb96aec662055b358a279fc22f38686879b172

                                                                                                                            SHA256

                                                                                                                            8283e55eebb5770e9cca44ccd2563a30a45c4aac5fab995ede2ecab3ce350162

                                                                                                                            SHA512

                                                                                                                            3e8e676b39006cffa15013e8d98601cf63d8039a07691e5c5209aaf60cbedecc017bffec6f47f43e08b3cc07f16d288f9ca6c10b01315db807790131e0c6008e

                                                                                                                          • C:\Windows\SysWOW64\Cdecgbfa.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            373424d040e6391fe47a32212bf1db3f

                                                                                                                            SHA1

                                                                                                                            e2da11e13e75c202408159972bf3ffcb39739511

                                                                                                                            SHA256

                                                                                                                            91da0b36af6db79e05a0a8d5256aa52e0984b11eac156eb136a408396a802514

                                                                                                                            SHA512

                                                                                                                            63721125b1557194466bfd9ae55a05f13a529691b095bf5f4a1498fc523d00933a17c46c013653f706c67931653b275e4a175a8c42083466367af88177f69067

                                                                                                                          • C:\Windows\SysWOW64\Cfkmkf32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            16bfba9a7b5c8d52e01e5029a3de5b6a

                                                                                                                            SHA1

                                                                                                                            6a21c9396400923bbf884dca3ea1b503a27af13c

                                                                                                                            SHA256

                                                                                                                            13384003dc64ab881f31283c3184221b342aceef959a8cf50cc1d919a6c57c73

                                                                                                                            SHA512

                                                                                                                            8decaf75b854b6050e56f519ab763977ccc3a92117fdde4b6175b6c1fdccf95493c3335930bf6fe7637c65676e0099680eebbc6f233d33c8cc7ca86be6b5a403

                                                                                                                          • C:\Windows\SysWOW64\Cfnjpfcl.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            eb8220b29ed45f983c77d6dd0f543472

                                                                                                                            SHA1

                                                                                                                            14d816bab2191ff758d4f2972f654d53be0801fb

                                                                                                                            SHA256

                                                                                                                            58a749c988c0e75bb30d9e2ba71920a926a9c039e2ad4f3a0c4cb393dbc3b2d1

                                                                                                                            SHA512

                                                                                                                            b950681d155b390ff4c80c1788dffc196f5a7c3b48c6dd75f754d5f1389d23e0806ae15387481c77f2c2ea7b4c7ee50df01ad65788241555abf99a5f8f3ab572

                                                                                                                          • C:\Windows\SysWOW64\Chglab32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            705715caf84e5284809004f56b11cd49

                                                                                                                            SHA1

                                                                                                                            af54a99cf42a37964d40496821159064efb1833c

                                                                                                                            SHA256

                                                                                                                            34c48b26ea13fabb56916bad77099ac58919b27578cee3fb683b5ce1ba5be095

                                                                                                                            SHA512

                                                                                                                            95734d4c8459be14466b22777fc91cc5e23be04cc0c413aeb534753499892e53ee89ea7589c3e4464698febaff890510768458c13e52777fa4ac0ee127d89841

                                                                                                                          • C:\Windows\SysWOW64\Chiigadc.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            c7d358ed3088c34ef72499cda86e3e60

                                                                                                                            SHA1

                                                                                                                            87224e13b5ae271c73d0c3ebf26616b3d7388129

                                                                                                                            SHA256

                                                                                                                            296c2a1f4afc52931a5fd54e12647d582fcd3f0c10b99fd07fd90e1e0930b358

                                                                                                                            SHA512

                                                                                                                            59fe1f1ac82cb01d061d227a79e1a704994e69bc1d16bded15ef85dee44cdf3d1c40152f10e7975945536df0712579e570e9906fee95bff4b60eb1c6067f96d7

                                                                                                                          • C:\Windows\SysWOW64\Ckmonl32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            14afc58d310b6ede1bd2569fcb768d02

                                                                                                                            SHA1

                                                                                                                            c759012b59a38f8cc29fa8841730855e35f90955

                                                                                                                            SHA256

                                                                                                                            1cb91c244c9cb915bd6fc377936907ec4bc96f2a51b55eff9c452ca08d6014ec

                                                                                                                            SHA512

                                                                                                                            20126bb42612244b881f0d033ee1bdd061462457d05e82e9c780149491d04ffe291bf6cc5173a3ed07688bfac230d24d2972ebdb9bd8fbc4b1c7510fa0de4e2e

                                                                                                                          • C:\Windows\SysWOW64\Clgbmp32.exe

                                                                                                                            Filesize

                                                                                                                            3.2MB

                                                                                                                            MD5

                                                                                                                            8c6db970d3c24e6f8c16be19f6bf1a82

                                                                                                                            SHA1

                                                                                                                            5f91930ea60ab3f8dec874e754cafd941dc1f0bf

                                                                                                                            SHA256

                                                                                                                            e2662d55386b837768e597e470b5d2a65b5fb50e0121695a0646ac23e7a081ce


                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/3948-124-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4032-393-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4100-435-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4104-245-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4232-213-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4244-381-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4320-614-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4328-173-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4332-267-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4344-363-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4396-261-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4576-556-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4576-8-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4580-76-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4596-0-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4596-549-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4760-375-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4768-221-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4796-441-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4812-339-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4848-563-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4848-15-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4880-197-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4924-253-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/4988-453-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5016-423-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5036-229-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5104-279-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5112-285-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5156-459-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5196-465-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5236-471-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5276-477-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5316-483-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5356-489-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5396-495-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5436-501-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5476-507-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5516-513-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5556-519-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5596-525-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5636-531-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5676-537-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5716-543-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5756-550-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5796-557-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5840-564-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5884-571-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5928-578-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/5972-584-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/6016-590-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/6056-596-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/6096-602-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB

                                                                                                                          • memory/6136-608-0x0000000000400000-0x0000000000436000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            216KB