Analysis

  • max time kernel
    90s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/11/2024, 06:53

General

  • Target

    b10313bb27a5fd2a2b1233edbf5d8680c7fdd98bfaed35eb528e1418357da76eN.exe

  • Size

    207KB

  • MD5

    ab93e319d0f81ac4e48cdca47facb270

  • SHA1

    70dd621869eefd445ef6b3e470a3eb59fbc68305

  • SHA256

    b10313bb27a5fd2a2b1233edbf5d8680c7fdd98bfaed35eb528e1418357da76e

  • SHA512

    e5b81d55b1200ff5cc6dbd0209c69bd6c02b32b791c3425e8710cdf2024b8ae84fd44f887f7464b4415ad9bbaa18f8e53ed58c8dc29931bdf8bedbf886fb73c8

  • SSDEEP

    6144:CI5dJs9uwpkVwVRJUKeVjj+VPj92d62ASOwj:V5dJjwpljupIPj92aSOc

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b10313bb27a5fd2a2b1233edbf5d8680c7fdd98bfaed35eb528e1418357da76eN.exe
    "C:\Users\Admin\AppData\Local\Temp\b10313bb27a5fd2a2b1233edbf5d8680c7fdd98bfaed35eb528e1418357da76eN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\Nngokoej.exe
      C:\Windows\system32\Nngokoej.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\Npfkgjdn.exe
        C:\Windows\system32\Npfkgjdn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\Ngpccdlj.exe
          C:\Windows\system32\Ngpccdlj.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1160
          • C:\Windows\SysWOW64\Nebdoa32.exe
            C:\Windows\system32\Nebdoa32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5072
            • C:\Windows\SysWOW64\Nnjlpo32.exe
              C:\Windows\system32\Nnjlpo32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2436
              • C:\Windows\SysWOW64\Nlmllkja.exe
                C:\Windows\system32\Nlmllkja.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1384
                • C:\Windows\SysWOW64\Ndcdmikd.exe
                  C:\Windows\system32\Ndcdmikd.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3328
                  • C:\Windows\SysWOW64\Ngbpidjh.exe
                    C:\Windows\system32\Ngbpidjh.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4648
                    • C:\Windows\SysWOW64\Neeqea32.exe
                      C:\Windows\system32\Neeqea32.exe
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:4556
                      • C:\Windows\SysWOW64\Nnlhfn32.exe
                        C:\Windows\system32\Nnlhfn32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1168
                        • C:\Windows\SysWOW64\Nloiakho.exe
                          C:\Windows\system32\Nloiakho.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:2244
                          • C:\Windows\SysWOW64\Npjebj32.exe
                            C:\Windows\system32\Npjebj32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:1352
                            • C:\Windows\SysWOW64\Ncianepl.exe
                              C:\Windows\system32\Ncianepl.exe
                              14⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3520
                              • C:\Windows\SysWOW64\Ngdmod32.exe
                                C:\Windows\system32\Ngdmod32.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:3204
                                • C:\Windows\SysWOW64\Nfgmjqop.exe
                                  C:\Windows\system32\Nfgmjqop.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2304
                                  • C:\Windows\SysWOW64\Njciko32.exe
                                    C:\Windows\system32\Njciko32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4760
                                    • C:\Windows\SysWOW64\Nlaegk32.exe
                                      C:\Windows\system32\Nlaegk32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:4348
                                      • C:\Windows\SysWOW64\Npmagine.exe
                                        C:\Windows\system32\Npmagine.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:1676
                                        • C:\Windows\SysWOW64\Ndhmhh32.exe
                                          C:\Windows\system32\Ndhmhh32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Suspicious use of WriteProcessMemory
                                          PID:4732
                                          • C:\Windows\SysWOW64\Nckndeni.exe
                                            C:\Windows\system32\Nckndeni.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:4828
                                            • C:\Windows\SysWOW64\Nfjjppmm.exe
                                              C:\Windows\system32\Nfjjppmm.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:3868
                                              • C:\Windows\SysWOW64\Njefqo32.exe
                                                C:\Windows\system32\Njefqo32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                PID:1876
                                                • C:\Windows\SysWOW64\Nnqbanmo.exe
                                                  C:\Windows\system32\Nnqbanmo.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4940
                                                  • C:\Windows\SysWOW64\Oponmilc.exe
                                                    C:\Windows\system32\Oponmilc.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    PID:4108
                                                    • C:\Windows\SysWOW64\Ocnjidkf.exe
                                                      C:\Windows\system32\Ocnjidkf.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:4292
                                                      • C:\Windows\SysWOW64\Ogifjcdp.exe
                                                        C:\Windows\system32\Ogifjcdp.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4724
                                                        • C:\Windows\SysWOW64\Oflgep32.exe
                                                          C:\Windows\system32\Oflgep32.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:428
                                                          • C:\Windows\SysWOW64\Oncofm32.exe
                                                            C:\Windows\system32\Oncofm32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:2788
                                                            • C:\Windows\SysWOW64\Olfobjbg.exe
                                                              C:\Windows\system32\Olfobjbg.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:4880
                                                              • C:\Windows\SysWOW64\Odmgcgbi.exe
                                                                C:\Windows\system32\Odmgcgbi.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:2228
                                                                • C:\Windows\SysWOW64\Ogkcpbam.exe
                                                                  C:\Windows\system32\Ogkcpbam.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  PID:4336
                                                                  • C:\Windows\SysWOW64\Ofnckp32.exe
                                                                    C:\Windows\system32\Ofnckp32.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3972
                                                                    • C:\Windows\SysWOW64\Oneklm32.exe
                                                                      C:\Windows\system32\Oneklm32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:2344
                                                                      • C:\Windows\SysWOW64\Olhlhjpd.exe
                                                                        C:\Windows\system32\Olhlhjpd.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:3132
                                                                        • C:\Windows\SysWOW64\Odocigqg.exe
                                                                          C:\Windows\system32\Odocigqg.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:244
                                                                          • C:\Windows\SysWOW64\Ognpebpj.exe
                                                                            C:\Windows\system32\Ognpebpj.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • Modifies registry class
                                                                            PID:2248
                                                                            • C:\Windows\SysWOW64\Ofqpqo32.exe
                                                                              C:\Windows\system32\Ofqpqo32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3056
                                                                              • C:\Windows\SysWOW64\Onhhamgg.exe
                                                                                C:\Windows\system32\Onhhamgg.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5024
                                                                                • C:\Windows\SysWOW64\Olkhmi32.exe
                                                                                  C:\Windows\system32\Olkhmi32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3552
                                                                                  • C:\Windows\SysWOW64\Odapnf32.exe
                                                                                    C:\Windows\system32\Odapnf32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:3536
                                                                                    • C:\Windows\SysWOW64\Ocdqjceo.exe
                                                                                      C:\Windows\system32\Ocdqjceo.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4024
                                                                                      • C:\Windows\SysWOW64\Ofcmfodb.exe
                                                                                        C:\Windows\system32\Ofcmfodb.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        • Modifies registry class
                                                                                        PID:3272
                                                                                        • C:\Windows\SysWOW64\Ojoign32.exe
                                                                                          C:\Windows\system32\Ojoign32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:608
                                                                                          • C:\Windows\SysWOW64\Olmeci32.exe
                                                                                            C:\Windows\system32\Olmeci32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:1200
                                                                                            • C:\Windows\SysWOW64\Oqhacgdh.exe
                                                                                              C:\Windows\system32\Oqhacgdh.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              PID:400
                                                                                              • C:\Windows\SysWOW64\Ocgmpccl.exe
                                                                                                C:\Windows\system32\Ocgmpccl.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                PID:4444
                                                                                                • C:\Windows\SysWOW64\Ofeilobp.exe
                                                                                                  C:\Windows\system32\Ofeilobp.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  PID:996
                                                                                                  • C:\Windows\SysWOW64\Ojaelm32.exe
                                                                                                    C:\Windows\system32\Ojaelm32.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:800
                                                                                                    • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                                                      C:\Windows\system32\Pmoahijl.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:4960
                                                                                                      • C:\Windows\SysWOW64\Pqknig32.exe
                                                                                                        C:\Windows\system32\Pqknig32.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:4116
                                                                                                        • C:\Windows\SysWOW64\Pcijeb32.exe
                                                                                                          C:\Windows\system32\Pcijeb32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:4320
                                                                                                          • C:\Windows\SysWOW64\Pgefeajb.exe
                                                                                                            C:\Windows\system32\Pgefeajb.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            PID:4948
                                                                                                            • C:\Windows\SysWOW64\Pjcbbmif.exe
                                                                                                              C:\Windows\system32\Pjcbbmif.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Modifies registry class
                                                                                                              PID:264
                                                                                                              • C:\Windows\SysWOW64\Pnonbk32.exe
                                                                                                                C:\Windows\system32\Pnonbk32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies registry class
                                                                                                                PID:5104
                                                                                                                • C:\Windows\SysWOW64\Pclgkb32.exe
                                                                                                                  C:\Windows\system32\Pclgkb32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4548
                                                                                                                  • C:\Windows\SysWOW64\Pfjcgn32.exe
                                                                                                                    C:\Windows\system32\Pfjcgn32.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1336
                                                                                                                    • C:\Windows\SysWOW64\Pjeoglgc.exe
                                                                                                                      C:\Windows\system32\Pjeoglgc.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:1128
                                                                                                                      • C:\Windows\SysWOW64\Pmdkch32.exe
                                                                                                                        C:\Windows\system32\Pmdkch32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:4820
                                                                                                                        • C:\Windows\SysWOW64\Pcncpbmd.exe
                                                                                                                          C:\Windows\system32\Pcncpbmd.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:3076
                                                                                                                          • C:\Windows\SysWOW64\Pgioqq32.exe
                                                                                                                            C:\Windows\system32\Pgioqq32.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:4468
                                                                                                                            • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                                                                              C:\Windows\system32\Pjhlml32.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5056
                                                                                                                              • C:\Windows\SysWOW64\Pmfhig32.exe
                                                                                                                                C:\Windows\system32\Pmfhig32.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:4868
                                                                                                                                • C:\Windows\SysWOW64\Pdmpje32.exe
                                                                                                                                  C:\Windows\system32\Pdmpje32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:3884
                                                                                                                                  • C:\Windows\SysWOW64\Pcppfaka.exe
                                                                                                                                    C:\Windows\system32\Pcppfaka.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4992
                                                                                                                                    • C:\Windows\SysWOW64\Pfolbmje.exe
                                                                                                                                      C:\Windows\system32\Pfolbmje.exe
                                                                                                                                      66⤵
                                                                                                                                        PID:2580
                                                                                                                                        • C:\Windows\SysWOW64\Pjjhbl32.exe
                                                                                                                                          C:\Windows\system32\Pjjhbl32.exe
                                                                                                                                          67⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4536
                                                                                                                                          • C:\Windows\SysWOW64\Pmidog32.exe
                                                                                                                                            C:\Windows\system32\Pmidog32.exe
                                                                                                                                            68⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            PID:896
                                                                                                                                            • C:\Windows\SysWOW64\Pdpmpdbd.exe
                                                                                                                                              C:\Windows\system32\Pdpmpdbd.exe
                                                                                                                                              69⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:5136
                                                                                                                                              • C:\Windows\SysWOW64\Pcbmka32.exe
                                                                                                                                                C:\Windows\system32\Pcbmka32.exe
                                                                                                                                                70⤵
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:5172
                                                                                                                                                • C:\Windows\SysWOW64\Pfaigm32.exe
                                                                                                                                                  C:\Windows\system32\Pfaigm32.exe
                                                                                                                                                  71⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:5212
                                                                                                                                                  • C:\Windows\SysWOW64\Qnhahj32.exe
                                                                                                                                                    C:\Windows\system32\Qnhahj32.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5252
                                                                                                                                                    • C:\Windows\SysWOW64\Qqfmde32.exe
                                                                                                                                                      C:\Windows\system32\Qqfmde32.exe
                                                                                                                                                      73⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:5288
                                                                                                                                                      • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                                                                                                        C:\Windows\system32\Qceiaa32.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5324
                                                                                                                                                        • C:\Windows\SysWOW64\Qfcfml32.exe
                                                                                                                                                          C:\Windows\system32\Qfcfml32.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          PID:5364
                                                                                                                                                          • C:\Windows\SysWOW64\Qmmnjfnl.exe
                                                                                                                                                            C:\Windows\system32\Qmmnjfnl.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:5404
                                                                                                                                                            • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                                                                                              C:\Windows\system32\Qqijje32.exe
                                                                                                                                                              77⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5440
                                                                                                                                                              • C:\Windows\SysWOW64\Qcgffqei.exe
                                                                                                                                                                C:\Windows\system32\Qcgffqei.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:5476
                                                                                                                                                                • C:\Windows\SysWOW64\Qffbbldm.exe
                                                                                                                                                                  C:\Windows\system32\Qffbbldm.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                    PID:5512
                                                                                                                                                                    • C:\Windows\SysWOW64\Ajanck32.exe
                                                                                                                                                                      C:\Windows\system32\Ajanck32.exe
                                                                                                                                                                      80⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:5548
                                                                                                                                                                      • C:\Windows\SysWOW64\Ampkof32.exe
                                                                                                                                                                        C:\Windows\system32\Ampkof32.exe
                                                                                                                                                                        81⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:5588
                                                                                                                                                                        • C:\Windows\SysWOW64\Aqkgpedc.exe
                                                                                                                                                                          C:\Windows\system32\Aqkgpedc.exe
                                                                                                                                                                          82⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:5632
                                                                                                                                                                          • C:\Windows\SysWOW64\Acjclpcf.exe
                                                                                                                                                                            C:\Windows\system32\Acjclpcf.exe
                                                                                                                                                                            83⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            PID:5668
                                                                                                                                                                            • C:\Windows\SysWOW64\Ageolo32.exe
                                                                                                                                                                              C:\Windows\system32\Ageolo32.exe
                                                                                                                                                                              84⤵
                                                                                                                                                                                PID:5716
                                                                                                                                                                                • C:\Windows\SysWOW64\Ajckij32.exe
                                                                                                                                                                                  C:\Windows\system32\Ajckij32.exe
                                                                                                                                                                                  85⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:5756
                                                                                                                                                                                  • C:\Windows\SysWOW64\Ambgef32.exe
                                                                                                                                                                                    C:\Windows\system32\Ambgef32.exe
                                                                                                                                                                                    86⤵
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                    PID:5792
                                                                                                                                                                                    • C:\Windows\SysWOW64\Aqncedbp.exe
                                                                                                                                                                                      C:\Windows\system32\Aqncedbp.exe
                                                                                                                                                                                      87⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:5832
                                                                                                                                                                                      • C:\Windows\SysWOW64\Aclpap32.exe
                                                                                                                                                                                        C:\Windows\system32\Aclpap32.exe
                                                                                                                                                                                        88⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:5876
                                                                                                                                                                                        • C:\Windows\SysWOW64\Afjlnk32.exe
                                                                                                                                                                                          C:\Windows\system32\Afjlnk32.exe
                                                                                                                                                                                          89⤵
                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:5916
                                                                                                                                                                                          • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                                                                                            C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                                                                                            90⤵
                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5956
                                                                                                                                                                                            • C:\Windows\SysWOW64\Amddjegd.exe
                                                                                                                                                                                              C:\Windows\system32\Amddjegd.exe
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:6000
                                                                                                                                                                                              • C:\Windows\SysWOW64\Aeklkchg.exe
                                                                                                                                                                                                C:\Windows\system32\Aeklkchg.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:6036
                                                                                                                                                                                                • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                                                                                  C:\Windows\system32\Acnlgp32.exe
                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                  PID:6072
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Afmhck32.exe
                                                                                                                                                                                                    C:\Windows\system32\Afmhck32.exe
                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    PID:6108
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Andqdh32.exe
                                                                                                                                                                                                      C:\Windows\system32\Andqdh32.exe
                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:3664
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                                                                                        C:\Windows\system32\Amgapeea.exe
                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:2748
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Aeniabfd.exe
                                                                                                                                                                                                          C:\Windows\system32\Aeniabfd.exe
                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          PID:4396
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                                                                                            C:\Windows\system32\Acqimo32.exe
                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:3492
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                                                                                                                              C:\Windows\system32\Afoeiklb.exe
                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:4244
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Anfmjhmd.exe
                                                                                                                                                                                                                C:\Windows\system32\Anfmjhmd.exe
                                                                                                                                                                                                                100⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:2716
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Aadifclh.exe
                                                                                                                                                                                                                  C:\Windows\system32\Aadifclh.exe
                                                                                                                                                                                                                  101⤵
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  PID:2060
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                                                                                    C:\Windows\system32\Accfbokl.exe
                                                                                                                                                                                                                    102⤵
                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:2064
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Agoabn32.exe
                                                                                                                                                                                                                      C:\Windows\system32\Agoabn32.exe
                                                                                                                                                                                                                      103⤵
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:4752
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                                                                                                                                                        C:\Windows\system32\Bjmnoi32.exe
                                                                                                                                                                                                                        104⤵
                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:2320
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                                                                                                                                                                          C:\Windows\system32\Bmkjkd32.exe
                                                                                                                                                                                                                          105⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:5168
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                                                                                                                                                            C:\Windows\system32\Bebblb32.exe
                                                                                                                                                                                                                            106⤵
                                                                                                                                                                                                                              PID:4772
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Bcebhoii.exe
                                                                                                                                                                                                                                C:\Windows\system32\Bcebhoii.exe
                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:5280
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                                                                                                                                                                  C:\Windows\system32\Bfdodjhm.exe
                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:5320
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                                                                                                                                                                                    C:\Windows\system32\Bnkgeg32.exe
                                                                                                                                                                                                                                    109⤵
                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:4952
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Baicac32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\Baicac32.exe
                                                                                                                                                                                                                                      110⤵
                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                      PID:5432
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                                                                                                                                                                        C:\Windows\system32\Beeoaapl.exe
                                                                                                                                                                                                                                        111⤵
                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        PID:5496
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bgcknmop.exe
                                                                                                                                                                                                                                          C:\Windows\system32\Bgcknmop.exe
                                                                                                                                                                                                                                          112⤵
                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                          PID:5536
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                                                                                                                                                                                                            C:\Windows\system32\Bjagjhnc.exe
                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                            PID:5616
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bnmcjg32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\Bnmcjg32.exe
                                                                                                                                                                                                                                              114⤵
                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:5696
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Balpgb32.exe
                                                                                                                                                                                                                                                C:\Windows\system32\Balpgb32.exe
                                                                                                                                                                                                                                                115⤵
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                PID:5748
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Beglgani.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\Beglgani.exe
                                                                                                                                                                                                                                                  116⤵
                                                                                                                                                                                                                                                   PID:5824
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\Bgehcmmm.exe
                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                      PID:5892
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\Bjddphlq.exe
                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5948
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Bmbplc32.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\Bmbplc32.exe
                                                                                                                                                                                                                                                          119⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                          PID:1804
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\Banllbdn.exe
                                                                                                                                                                                                                                                            120⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:6056
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\Bhhdil32.exe
                                                                                                                                                                                                                                                              121⤵
                                                                                                                                                                                                                                                               PID:6104
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\Bjfaeh32.exe
                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                  PID:4516
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\Bnbmefbg.exe
                                                                                                                                                                                                                                                                    123⤵
                                                                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                    PID:1996
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                                                                                                                      124⤵
                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                      PID:3140
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Bcoenmao.exe
                                                                                                                                                                                                                                                                        C:\Windows\system32\Bcoenmao.exe
                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:532
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                                                                                                          126⤵
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:5040
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Cndikf32.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\Cndikf32.exe
                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                            PID:388
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\Cmgjgcgo.exe
                                                                                                                                                                                                                                                                              128⤵
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:5200
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\Cenahpha.exe
                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                 PID:5180
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Chmndlge.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\Chmndlge.exe
                                                                                                                                                                                                                                                                                    130⤵
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    PID:5380
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                                                                                                                      131⤵
                                                                                                                                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                      PID:5464
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cmiflbel.exe
                                                                                                                                                                                                                                                                                        132⤵
                                                                                                                                                                                                                                                                         PID:5604
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Caebma32.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\Caebma32.exe
                                                                                                                                                                                                                                                                                            133⤵
                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                            PID:5740
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\Chokikeb.exe
                                                                                                                                                                                                                                                                                              134⤵
                                                                                                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:5816
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Cfbkeh32.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\Cfbkeh32.exe
                                                                                                                                                                                                                                                                                                135⤵
                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                PID:5932
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                                                                                                                                  136⤵
                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                  PID:2448
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Cagobalc.exe
                                                                                                                                                                                                                                                                                                    137⤵
                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                    PID:5964
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cdfkolkf.exe
                                                                                                                                                                                                                                                                                                      138⤵
                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                      PID:2040
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cfdhkhjj.exe
                                                                                                                                                                                                                                                                                                        139⤵
                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:636
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Cajlhqjp.exe
                                                                                                                                                                                                                                                                                                          140⤵
                                                                                                                                                                                                                                                                                                            PID:5164
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\Cffdpghg.exe
                                                                                                                                                                                                                                                                                                              141⤵
                                                                                                                                                                                                                                                                                                                PID:5308
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Cjbpaf32.exe
                                                                                                                                                                                                                                                                                                                  142⤵
                                                                                                                                                                                                                                                                                                                    PID:656
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\Cmqmma32.exe
                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                      PID:5620
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Cegdnopg.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\Cegdnopg.exe
                                                                                                                                                                                                                                                                                                                        144⤵
                                                                                                                                                                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                        PID:5628
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                                                                                                                                                                                                          145⤵
                                                                                                                                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                          PID:4044
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dfiafg32.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\Dfiafg32.exe
                                                                                                                                                                                                                                                                                                                            146⤵
                                                                                                                                                                                                                                                                                                                              PID:5800
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dmcibama.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\Dmcibama.exe
                                                                                                                                                                                                                                                                                                                                147⤵
                                                                                                                                                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                PID:4368
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\Danecp32.exe
                                                                                                                                                                                                                                                                                                                                  148⤵
                                                                                                                                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  PID:4928
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Ddmaok32.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\Ddmaok32.exe
                                                                                                                                                                                                                                                                                                                                    149⤵
                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:4892
• C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  150⤵
  • Drops file in System32 directory
  • Modifies registry class
  PID:5428
  • C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    151⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    PID:5392
    • C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      152⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5912
      • C:\Windows\SysWOW64\Ddonekbl.exe
        C:\Windows\system32\Ddonekbl.exe
        153⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:6140
        • C:\Windows\SysWOW64\Dfnjafap.exe
          C:\Windows\system32\Dfnjafap.exe
          154⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Modifies registry class
          PID:4344
          • C:\Windows\SysWOW64\Dkifae32.exe
            C:\Windows\system32\Dkifae32.exe
            155⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:5264
            • C:\Windows\SysWOW64\Dmgbnq32.exe
              C:\Windows\system32\Dmgbnq32.exe
              156⤵
              PID:5532
              • C:\Windows\SysWOW64\Deokon32.exe
                C:\Windows\system32\Deokon32.exe
                157⤵
                • Modifies registry class
                PID:1788
                • C:\Windows\SysWOW64\Dfpgffpm.exe
                  C:\Windows\system32\Dfpgffpm.exe
                  158⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • System Location Discovery: System Language Discovery
                  PID:5160
                  • C:\Windows\SysWOW64\Dmjocp32.exe
                    C:\Windows\system32\Dmjocp32.exe
                    159⤵
                    • System Location Discovery: System Language Discovery
                    PID:5992
                    • C:\Windows\SysWOW64\Daekdooc.exe
                      C:\Windows\system32\Daekdooc.exe
                      160⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      PID:2908
                      • C:\Windows\SysWOW64\Dddhpjof.exe
                        C:\Windows\system32\Dddhpjof.exe
                        161⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • System Location Discovery: System Language Discovery
                        PID:512
                        • C:\Windows\SysWOW64\Dhocqigp.exe
                          C:\Windows\system32\Dhocqigp.exe
                          162⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          PID:4488
                          • C:\Windows\SysWOW64\Dknpmdfc.exe
                            C:\Windows\system32\Dknpmdfc.exe
                            163⤵
                            PID:6164
                            • C:\Windows\SysWOW64\Dmllipeg.exe
                              C:\Windows\system32\Dmllipeg.exe
                              164⤵
                              PID:6212
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 420
                                165⤵
                                • Program crash
                                PID:6360
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6212 -ip 6212
  1⤵
  PID:6292
• C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe 2b008d394097c8c16f8b31c98050bfe5 SwWJ3gHf+kiL7zQpv9s5Rg.0.1.0.0.0
  1⤵
  PID:4928

Downloads

• C:\Windows\SysWOW64\Deokon32.exe
  Filesize: 207KB
  MD5: 5769cbe3d152965c5f56cc6ebbeae15c
  SHA1: f328a2bce3a733e34065b0f052106b8f347f6410
  SHA256: 16884a7c2286a06b6eb6ab00bec13d149454586447e43692092ce0af949f8178
  SHA512: 0aa6f978140e017ac33ff9ed66139a78b8835a3915a867b10b0937c2d234707c16c449759f31e1f39beedbb70188e9eeaca336b65fa22529656a0786531a9276

• C:\Windows\SysWOW64\Gbmgladp.dll
  Filesize: 7KB
  MD5: 17c77cb57c06306ec830a0f84d21f043
  SHA1: dffbebe590a72c709d892d84209fb6bcb6af47a6
  SHA256: 7af3441b5294637908329c9f8add5153964a99f17f4df10e8efa0acbd9a09290
  SHA512: 5d87c0a351b4a425505361fa1856c352ca5daf3b1acda7bbbb91dcdd735574996761dac147b3467c13d8e6ebf087228ed32d17d6df5cdaea6956fb9f537bce07

• C:\Windows\SysWOW64\Ncianepl.exe
  Filesize: 207KB
  MD5: 3bc25f744c05525019e261467da2d553
  SHA1: f86e65e7ee83fe794eeb29e8783b175822879703
  SHA256: affd1b1b743019e19a60c5fccb527eb0a2c44a77771020431e56d9668fb85566
  SHA512: 774eae85de101124291a9092dfb01f697eb0f82e9ace590f827f40654e8ca7df5b4f62d7395c1edce4e724768ee8cb7f8c1d7827bb893e6062dde6481881359c

                                          • C:\Windows\SysWOW64\Nckndeni.exe

                                            Filesize

                                            207KB

                                            MD5

                                            58e67ea2d67b5feae6172c021498fe7d

                                            SHA1

                                            5b0ba369d5c26be6226d4ce78072b25d4f0d57b9

                                            SHA256

                                            a094add6e00b253558c153263c247838a481cbbb4cf24e43bd341141e4e8d3b2

                                            SHA512

                                            b46aae85d91b288ef9aa1597f355f1dc473c01c0865f6b133cfcd73ef8e052993635b6653734dcad2a1cda1a1fa3442d87b409b9993e270ba2cea6847eebf48c

                                          • C:\Windows\SysWOW64\Ndcdmikd.exe

                                            Filesize

                                            207KB

                                            MD5

                                            7b744d7cae3ad676c97f65f4b351235b

                                            SHA1

                                            b3726ccf9b4eb4ffa714290f037fc182454c3ed9

                                            SHA256

                                            02770dfebb59138c7c9bcee03c99d74e767ef3f3241b445a8efc962f5cab0da3

                                            SHA512

                                            3f0abfe37c29b8b3708141eca52482526b51e93326a372e09d64f33060f3d2863b2f93d8c3aba3fc1360d7ec7b8f62df80b144dbf852bb16a6e7d283f22a4113

                                          • C:\Windows\SysWOW64\Ndhmhh32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            9664d19f856b0770337e92b6d7d9b441

                                            SHA1

                                            e22e0826336abb68eb99db4aca50739a89969997

                                            SHA256

                                            29293061e03bd4c613fdefb5f8b20fa5e9c4982200599bb94391bde4bcb4a9f6

                                            SHA512

                                            56f33ff4f71e04e27659e645c20c6e422274226a2ec22e8564eb033bd8b1e1bc3dd7d74a1d5f608294df6e533da39ce6618eb15b83c336be78fbe7cb295bcc08

                                          • C:\Windows\SysWOW64\Nebdoa32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            67edf70f61c668ca90874f707e3e90fb

                                            SHA1

                                            265d79b62afce7836d79fbe6b6a964fc552949ec

                                            SHA256

                                            74d1d7831eef3e880b61a96fd86ebc948dce276a9276a05f2b2ba82713a8347e

                                            SHA512

                                            8b0372d2b0d850a09b9777aa7afd3b6c6776aa0911497d6e873815ca45e4843cbb9b74c44896e8f7d9fb695e74c8bdf77e2d32bd06191d3cc568246312fdc69e

                                          • C:\Windows\SysWOW64\Neeqea32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            28fe35898e38cd001fb142764f0b3477

                                            SHA1

                                            53678b5f6ea4e779a999ab025e437e969d0edaac

                                            SHA256

                                            cb430396d0273ce88d5fa42553671b567a25154fb3aa3e449a65d2bfb47fef86

                                            SHA512

                                            dbb8a3b94a895ecc3a0db012843be832aa1fa11aa6177277cd6580bb04ee3218d78220fedf316712d84cad932ae307e5c943c5850e93e81f8706e892cf7a337e

                                          • C:\Windows\SysWOW64\Nfgmjqop.exe

                                            Filesize

                                            207KB

                                            MD5

                                            4fecf638f0528fb10e858da45bb73a99

                                            SHA1

                                            07c9f6574d280493fd7c8be5c67d7af21effc4f6

                                            SHA256

                                            78dfb54a17e87cb7922bf06ca852a4692062a6a348269a2fb1c7d679cfec331b

                                            SHA512

                                            a924ee3876b53c96d8e74611c9f51a6dd17b6fe90013a02cd6ec234198fe889b9ced4fa78f4ecf22ece21175de7030018b54ad07fed7d107e9e96dbc4ea55f7b

                                          • C:\Windows\SysWOW64\Nfjjppmm.exe

                                            Filesize

                                            207KB

                                            MD5

                                            a9414977beea856dc6708eea71df4f0c

                                            SHA1

                                            66f0ffbbe850c82cdd6181dda3b607336fa81e73

                                            SHA256

                                            8227a01972c9f2781bdeddb30e0632c67e37ee2a14eaf7078b7a9478d2e4772a

                                            SHA512

                                            d09d16b59409c719ff38bac7e4a2ef30848a43eaf5dd7c758bc224e8b896ae56c781d055c97ae9e3b84586a3e783db31457a07c6b0aae3d15dae78878b3797f2

                                          • C:\Windows\SysWOW64\Ngbpidjh.exe

                                            Filesize

                                            207KB

                                            MD5

                                            b869b316a8b0d24142c12af30390587f

                                            SHA1

                                            93cece610f037daca41a52089ddabeebb0ffb830

                                            SHA256

                                            61a5abdcecbb19ab6abaaace47126406c893d03726980956a31d20702ae74193

                                            SHA512

                                            e5c079ae5d06a57c5addc200f098dae81e2a595bf1b7c6984a88fd70c15cd0e7c3b5bb222283a97df95a6b375c7b791ecf39fbc62d695a4950a16c9ab6b6381d

                                          • C:\Windows\SysWOW64\Ngdmod32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            2044ad94ef8b7d2a5e7a42300f5c3c70

                                            SHA1

                                            a71cbfeaa5a07f2ca25cf7d9945e7f841bee1357

                                            SHA256

                                            27ea5a2f3cf773c6bfbafe08cff959960b0dd7e3511061339e27b2417fbd187a

                                            SHA512

                                            80410207fceee53dec7a227539d83b26ca0101f165db93bb6d3813766f841b83e498e847a9bb5967dbec54cba481e2c8d18e3fc763ff93f6ffe55d480bd9aebf

                                          • C:\Windows\SysWOW64\Ngpccdlj.exe

                                            Filesize

                                            207KB

                                            MD5

                                            5412f3877f357f1d737c453251f83549

                                            SHA1

                                            42611a619bc53f098bf45fa145006b72937f5739

                                            SHA256

                                            74ac941ca66f84888b435cb7f86b9a1fcd65a3dc38c93474686ee609bb67b234

                                            SHA512

                                            8f6584fb6f3120beeb8222da3d99f205358bf12a2839bad9619fcf6c6675c037d83c92cfb4f9931244dec8ffbdea870b06e28fc9c7da4fa2dfd4ae4559bcbdf9

                                          • C:\Windows\SysWOW64\Njciko32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            ab22de51ea720d6487541b61e6d99da8

                                            SHA1

                                            d56e6c0687f00443c873a2a4d8cd0b1ad75b2e1a

                                            SHA256

                                            5d7365353a44f6d0d98cebcc4bd6f347fe625ffcb0d7d1fccfcecd211d6e7f8d

                                            SHA512

                                            92166426cbb2ae084b1ef9b01a0dee1447f1b4951fa8856c6e4ce524de40d48479ebaba049627b5aec0e8d6b5a3f8fa2a55f1d782f759d5fa2b6623f0ad0d8b4

                                          • C:\Windows\SysWOW64\Njefqo32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            449226ef8d131a277924d0a8da4d33d1

                                            SHA1

                                            a1f59f8a36a58f7e0ae3688e2cc17ce1de8b2a6a

                                            SHA256

                                            bd0c038457dfd47d9a0c250efee6e1afe8d431c8f40872032e60415b2f251b82

                                            SHA512

                                            0519155d8fb1f4efe9671c779de68509898855a14571371842dd4b25277cf5ae316891e6da1ddfa18a3326aa43163384aea82d5ccbeeb6ef3ca65cdf1e513e20

                                          • C:\Windows\SysWOW64\Nlaegk32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            d9a806ce8081d53c4aa98fc4f2557587

                                            SHA1

                                            5a2c2165bdaa05d1bcc840da924a85396b4deda6

                                            SHA256

                                            6d10698142d5c8fd8ff344fc9828002bc4d89814d0912f4ed792330cf770d54b

                                            SHA512

                                            38c5ae61a48c5deb61c24a354c6d877e447080f61396a856b03e9c3cb5a8bb930a8853728ca55789b7b5ad5a98697c1dca4b15139be56469b7aee2a43f99c9b6

                                          • C:\Windows\SysWOW64\Nlmllkja.exe

                                            Filesize

                                            207KB

                                            MD5

                                            1eb71e6b5986444799acfd0ad9fc910e

                                            SHA1

                                            128f59bf1a7775b6271887dda7885dce05c06754

                                            SHA256

                                            a4b8da3beb4da6eb00c76556f8618f9d4516cd53f47f2dd692cb7d7b27b3b2ff

                                            SHA512

                                            3d2f6c61c4692ed2519e1d9cc34895b6735fb984fbc5614f254195f5fedbe9d8d825b5120c29c5e5fe78789adc7ab5853a57972bf6640555686effe4d4378c2c

                                          • C:\Windows\SysWOW64\Nloiakho.exe

                                            Filesize

                                            207KB

                                            MD5

                                            0751d71d0d3523ee104a9ee70b2b7940

                                            SHA1

                                            82f6a8a0b2d05bc5c664b653b25fca58eda224a9

                                            SHA256

                                            ff958d4c772df9e5d567c40450cb2da3be738f0ec6b9f0cd9c33c7f5e72338b0

                                            SHA512

                                            2fe6ea7ffa4fd37e8b22c072a851e83e50f5410ae5ae8195501baab44f5b73dc033174f1f4d46aa4521d38abbabdd274587589f8f8b4c6cb3e04a1c05a7844e3

                                          • C:\Windows\SysWOW64\Nngokoej.exe

                                            Filesize

                                            207KB

                                            MD5

                                            430a60ddad029926d2b22c31d753a1b4

                                            SHA1

                                            230f19901870306660ca5ee2d10e1e24c87fa914

                                            SHA256

                                            3b78cf85e8020cdf73e975f5fefb5f7af57097b44c286eac14101c271090b2d8

                                            SHA512

                                            0faaed4519aa03e4871de501f8ba4051b5850e8adecb57ea2859359070cb5f757fa6448a661d745ee1d56024d61ca30344da6303fc2b61949ece039ec8da2cfc

                                          • C:\Windows\SysWOW64\Nnjlpo32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            48eea0e2765112f9095c9e26435928e0

                                            SHA1

                                            4c03cc7f2852a215ef8bbd35099bdcc349fd09e3

                                            SHA256

                                            ec5e9b8ec2c57515c9a79619b9cefa49b3f19cee489f85932241e6dfd7a74c6c

                                            SHA512

                                            67d1277ac7d86e7dbbb90779fd66565bb65030327e0a753acbd72b5d8176a532c21ab0d47a176ce8477cbe2dff3aae686fefc13f68b1f50767f472b5d9b8fcf0

                                          • C:\Windows\SysWOW64\Nnlhfn32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            376c8ff5618c0586c2a7d7329c655900

                                            SHA1

                                            14f1bb5e66703a8cd520bdcb71e2823da114cd51

                                            SHA256

                                            036d11096e9f4faa4d55edbf3e645171cc1b44843e67ea074c0600026f74eaf1

                                            SHA512

                                            582388bffa18c46ef7a4e2d43934b94a5ccdc8c6e97c03de216af60a33e8d664953db7dbc1700d81df36523eed11bbfa7004746f9ae38d65be2ef998e6d28bff

                                          • C:\Windows\SysWOW64\Nnqbanmo.exe

                                            Filesize

                                            207KB

                                            MD5

                                            d0a007d2d689fab9cd25a427c591a712

                                            SHA1

                                            d3fea170098764f5363c916573bf35b3ddc03f1a

                                            SHA256

                                            8df3189b99abb3e9c506d65eafd973f8b4a19a439624ad37d346b02f891933cf

                                            SHA512

                                            7749d9717a8bce52e4f2a68a916108f1bc055649ab5e2551d895baa7386b854fc051d4fed4475e81b024e75e2b129b2616923044c127334e6e38c56e3ddd3e5d

                                          • C:\Windows\SysWOW64\Npfkgjdn.exe

                                            Filesize

                                            207KB

                                            MD5

                                            9145a7906c935ff28536a7b315a75b14

                                            SHA1

                                            608590ba99bc14b640ee779190487e7f23ca1245

                                            SHA256

                                            09773ec6974a21c09614a145dc4c13dab7b6369561b883492f5e33a4c799588f

                                            SHA512

                                            2052a9d06f99ebe2388c8c97116a76a9cfb737236b34f4655651b8a084a0d6f6dcaf9330c8793c6a4470a84f3aae8e1ca453f2cdcf6be8a78a49a848d3e2a343

                                          • C:\Windows\SysWOW64\Npjebj32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            689b7532dbe88edc59f23599598c46b2

                                            SHA1

                                            89544a3457375a55fee0872a91f25246578ddbab

                                            SHA256

                                            cd3d7d52d4a50c652932c987f9ea6c5825fcb7b642e5575c4e1d393ebe70bbea

                                            SHA512

                                            5a424f35e040d5834fac1764075ed6a31e4cc0665f1c1c0a18559474a7ed685b969768231485c8aee062b49de6528f9248827b918bbfc0f3b5dc8d87e91c94a3

                                          • C:\Windows\SysWOW64\Npmagine.exe

                                            Filesize

                                            207KB

                                            MD5

                                            2324a7baa68c29cd86db9f7a1b52b594

                                            SHA1

                                            9e1a3493767e5c6794608ab798cf236559b67de0

                                            SHA256

                                            faddc1abbb166d97faea995ebd34aaf98c893a46200552dd01e5e408423ac7ea

                                            SHA512

                                            713d989638cef18f23d38ed3b60f5d6e33c8596511e4b7936dfb1f61864bcb5d32c6b0ed1621a05823e92338fc0f41f7cc6939117ff04038698b85790c9280c4

                                          • C:\Windows\SysWOW64\Ocnjidkf.exe

                                            Filesize

                                            207KB

                                            MD5

                                            b6abd90c76d0256f74a60176a3f03d8b

                                            SHA1

                                            06c323a96e2fd7412d7a6c6bae486846ead704b6

                                            SHA256

                                            8176e612bff50cd943401da6b86336d2c684e9483ca58986cd5297640e4c9d58

                                            SHA512

                                            81bf392708edf177dd200eae987ca5d19be33db89f3e128dfb8ed1c6c102166d7756dab53c960307fde68f3aad08932e4b64f21b6271465aa7ca4be507d589ba

                                          • C:\Windows\SysWOW64\Odmgcgbi.exe

                                            Filesize

                                            207KB

                                            MD5

                                            810962a7cbc4903ab6b06e3802d90631

                                            SHA1

                                            868c9036a55f557f6316b491b85306ee3d292f8b

                                            SHA256

                                            9eb43a57051271de0f177d2018bf9ea9d8b67292d4c707dff067a41ac9445a02

                                            SHA512

                                            9d90bc87008c16e45cd8ba22872ba1a53f0cc2f315dbc6ede25e459afd1065c6efc1ae767c96c4aea48855245235e1c1417fc5360d9c018d67b993b1ba007594

                                          • C:\Windows\SysWOW64\Oflgep32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            0fbe321612f9316de8b56c9b4ff8db84

                                            SHA1

                                            fe9bc8491c0ed2514dd8643340426d9a163b5700

                                            SHA256

                                            738bb13d47b8b0ff347d30fe8ad89e157c035b2ad9f88c2889fdad7f58854e64

                                            SHA512

                                            7536a8e77d9a0d93eac29c54ffeaa39061910d889c2a400ccd98b75bed8a31dbde8e9a4108792bdb0bceb4eb0c2660dee872a6f9703946fbef561e4ea4dcaabd

                                          • C:\Windows\SysWOW64\Ofnckp32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            a39c8997da0cfc0b868cb41aabe6f1ff

                                            SHA1

                                            9517d1409b3748b9f3d81dffec92ff36c8474dff

                                            SHA256

                                            aa5f9d5737167e2d61de0728a19c30f4b5d503262a34793dd5f91ef5599b28cd

                                            SHA512

                                            e985fb333ac70113370191a19b6c95f6e20d6f2b2778e28d63cae06bea2c3536ac3114e770db60a09d004b6d5253fd8bff35785379aa92f5e21cf588327fae25

                                          • C:\Windows\SysWOW64\Ogifjcdp.exe

                                            Filesize

                                            207KB

                                            MD5

                                            8b19940a807a5ac90b03a7b4db2a4584

                                            SHA1

                                            8b4eeae7ca06be77ddf021aeafd12aaf741a5d4f

                                            SHA256

                                            cec8ce6e9ed96463cc5a3c4848370f6f680dca66131f3269c48902d3952569bc

                                            SHA512

                                            e7ebbf78b3ccd2324d0957732336eef3d1c96bea4f8b881d65ccb790ee98a9ac9bcdc27ac1526be334dc850f29914a397ed78b4bea6951cf395bd0dd5009732c

                                          • C:\Windows\SysWOW64\Ogkcpbam.exe

                                            Filesize

                                            207KB

                                            MD5

                                            474eb1bc0b65ad8615477c1417604f0d

                                            SHA1

                                            743cd5bb4cbb80735395155ccbbd16107ce6f1cb

                                            SHA256

                                            ec90605f498404340dbe82a0b2dbecb08c3823de27f29a4debc94d48610dc1b8

                                            SHA512

                                            2d34f0b934e8480b50ab078e939cd4da02a03cd003589383d2b68ed8078b93c69241e26850ba467592132e9c4a0777e4829cc2ef4f7c376c06b24861a4eb4528

                                          • C:\Windows\SysWOW64\Olfobjbg.exe

                                            Filesize

                                            207KB

                                            MD5

                                            b8df7b64d0640eecefc3d06721e76e61

                                            SHA1

                                            5fcfeaa5e87e165a153c4a4dfc6ed167e907b3db

                                            SHA256

                                            dc340fd4c322feaf0dbc6286b7fe37f77af0b21992b4308b427af5575db196e9

                                            SHA512

                                            d62c83db53168fa932c5ade845a54cff9eb9f2ec91c82e754599218bb3350524eb644393390d8ac6ed2d06a813ea36c18917222ceaff6465ca4c2fa2c7153276

                                          • C:\Windows\SysWOW64\Oncofm32.exe

                                            Filesize

                                            207KB

                                            MD5

                                            1b628b833f1bcf87bb749778f7a8cce1

                                            SHA1

                                            7372e31ff715e2d93948c3a7c432ca7709bee9a2

                                            SHA256

                                            7191d57ebd100fb1b6889f837d519e230b19a2c05f2bde1f69a1fdc201bdf50d

                                            SHA512

                                            6da3f423e6eeef9bfc06a09627d6d3986547d5e89a82482d2767084241cf9acce3affd3940ec5df3fd2c9ca782b67c5bb95a62c7573db386e922fcb4502d961a

                                          • C:\Windows\SysWOW64\Oponmilc.exe

                                            Filesize

                                            207KB

                                            MD5

                                            1617f0a78aa8534245c0d7ae257aba9c

                                            SHA1

                                            bb7f91dc05b50d714e870d0a13aec8a0adabd09a

                                            SHA256

                                            eb67ee96342767437969eb85c4143a8515ebf833842c29263357307d84d0742f

                                            SHA512

                                            e16262f469acf90995f37350d0336e4d5d01b6fcb26ed1880c343ec4b6499b3e27f29d76e703e92fd779b3a80896a62224dc27d2d37a63f59f907a2a5c7694df

                                          • memory/244-274-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/400-333-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/428-689-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/608-321-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/800-351-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/896-1230-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/996-345-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/1104-7-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/1104-536-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

                                          • memory/1160-549-0x0000000000400000-0x000000000045B000-memory.dmp

                                            Filesize

                                            364KB

• memory/1160-28-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1168-83-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1200-1277-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1200-327-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1336-396-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1352-99-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1384-567-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1384-52-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1676-637-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1876-661-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/1876-177-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2224-0-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2224-530-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2228-240-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2228-707-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2244-91-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2248-739-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2248-280-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2304-123-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2304-619-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2344-723-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2344-262-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2436-44-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2436-561-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2788-224-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/2788-695-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3056-745-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3056-286-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3076-412-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3132-268-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3204-613-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3204-115-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3272-315-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3328-574-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3328-60-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3520-107-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3520-607-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3536-763-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3552-757-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3552-298-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3868-655-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3876-1360-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3876-543-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3876-20-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3884-436-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/3972-256-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4024-309-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4108-193-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4116-363-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4244-1168-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4292-201-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4320-369-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4320-1261-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4336-248-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4348-139-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4348-631-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4444-339-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4468-418-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4488-1042-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4536-453-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4556-75-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4556-586-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4648-580-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4724-683-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4724-209-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4732-154-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4732-643-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4760-131-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4760-625-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4828-649-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4828-162-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4868-430-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4880-701-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4880-232-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4940-185-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4940-667-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4948-375-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4960-357-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/4992-442-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5024-292-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5024-751-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5056-424-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5072-555-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5072-36-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5136-464-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5172-470-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5200-1110-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5288-486-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5324-492-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5512-518-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5536-1142-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5548-524-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5620-1080-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5632-537-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5716-1197-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/5832-568-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/6036-1181-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)
• memory/6108-1178-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize 364KB)