berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
88s
max time network
185s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/0445405bb7106522c0b2157809e4d5f8.exe
Size

404KB
MD5

0445405bb7106522c0b2157809e4d5f8
SHA1

b0237e2914a12657d871b806d6baceab252e87cd
SHA256

cc706aedab00da219c85afd7669f52120ccd83f6a82e18066145c8d844fc103b
SHA512

0bb2152c9ae4f5dd0a10681f1f21d61e74c123e44021c0714a4b36609c7cbbb1e9f57dc7945a16b5a225d61079dfecf5be81a6c049fa9b1a596217d2c90cc266
SSDEEP

6144:VoCb0tjENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:lwcMpV6yYP4rbpV6yYPg058KS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpoiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjabdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flddoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfaijand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlicflic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adnbapjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfkamk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahgamo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijonfmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpbbak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcmpgpkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhaope32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfokff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Minipm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eijigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefcgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficlmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdafa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfemmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcimfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjebiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odaiodbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkedbmab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkqhpmkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geklckkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhhcne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkiapn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kicfijal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibpgqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjdpac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kciaqi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naqqmieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohaokbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcknee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdbooik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Decmjjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcfleff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Limioiia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gllajf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnbapjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifhbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoefgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iljpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cejaobel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fghcqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onngci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfkpiled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgamo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hklglk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	12308	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
5696	Iapjgo32.exe
2772	Ibpgqa32.exe
4796	Ijkled32.exe
3936	Ibbcfa32.exe
2980	Ilkhog32.exe
6036	Ibdplaho.exe
3564	Inkaqb32.exe
1992	Idhiii32.exe
2128	Ijbbfc32.exe
2120	Jdjfohjg.exe
2100	Jlanpfkj.exe
3312	Jjgkab32.exe
3264	Jbppgona.exe
1180	Jdalog32.exe
1552	Jjkdlall.exe
6060	Kkbkmqed.exe
5512	Kbjbnnfg.exe
4596	Kehojiej.exe
5284	Klbgfc32.exe
5684	Kblpcndd.exe
3800	Lbqinm32.exe
3504	Leoejh32.exe
2948	Lhmafcnf.exe
3848	Laffpi32.exe
6128	Lddble32.exe
2180	Lojfin32.exe
960	Ldfoad32.exe
4676	Lkqgno32.exe
1772	Lajokiaa.exe
5288	Ldkhlcnb.exe
4460	Mdnebc32.exe
5836	Mkjjdmaj.exe
2468	Madbagif.exe
2712	Mdbnmbhj.exe
6016	Mlifnphl.exe
5088	Mklfjm32.exe
560	Mccokj32.exe
3140	Mddkbbfg.exe
5820	Mllccpfj.exe
3864	Mojopk32.exe
2852	Mahklf32.exe
4112	Mdghhb32.exe
1912	Nlnpio32.exe
2004	Nomlek32.exe
2992	Nchhfild.exe
1320	Nheqnpjk.exe
6064	Nfiagd32.exe
468	Nlcidopb.exe
5636	Nkeipk32.exe
2496	Ncmaai32.exe
2520	Ndnnianm.exe
328	Nocbfjmc.exe
5344	Nbbnbemf.exe
3048	Ndpjnq32.exe
1136	Nhlfoodc.exe
5456	Nkjckkcg.exe
2548	Ncaklhdi.exe
5632	Nfpghccm.exe
5032	Odbgdp32.exe
2460	Oljoen32.exe
4528	Okmpqjad.exe
5092	Ocdgahag.exe
4372	Obfhmd32.exe
1352	Odedipge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Cfhhml32.exe	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Omloon32.dll	Ljkghi32.exe
File created	C:\Windows\SysWOW64\Hfjipc32.dll	Komoed32.exe
File opened for modification	C:\Windows\SysWOW64\Kjnihnmd.exe	Koiejemn.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nkjckkcg.exe
File created	C:\Windows\SysWOW64\Cibkohef.exe	Cdebfago.exe
File opened for modification	C:\Windows\SysWOW64\Aiqkmd32.exe	Akmjdpac.exe
File created	C:\Windows\SysWOW64\Cnlpgibd.exe	Becknc32.exe
File opened for modification	C:\Windows\SysWOW64\Hccomh32.exe	Hklglk32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Modgbakp.dll	Kgqdfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iapbodql.exe	Ikejbjip.exe
File created	C:\Windows\SysWOW64\Amkabind.exe	Afqifo32.exe
File opened for modification	C:\Windows\SysWOW64\Abbiej32.exe	Akhaipei.exe
File created	C:\Windows\SysWOW64\Mjbkbj32.dll	Hgbonm32.exe
File created	C:\Windows\SysWOW64\Iqdfmajd.exe	Ijjnpg32.exe
File opened for modification	C:\Windows\SysWOW64\Loniiflo.exe	Leedqa32.exe
File created	C:\Windows\SysWOW64\Dqhckhgq.dll	Kimgba32.exe
File created	C:\Windows\SysWOW64\Kohcfcqo.dll	Pddokabk.exe
File created	C:\Windows\SysWOW64\Cfedmfqd.exe	Clpppmqn.exe
File created	C:\Windows\SysWOW64\Hiffij32.dll	Ldoafodd.exe
File created	C:\Windows\SysWOW64\Ijiflg32.dll	Abdfkj32.exe
File opened for modification	C:\Windows\SysWOW64\Kjipmoai.exe	Kcphpdil.exe
File opened for modification	C:\Windows\SysWOW64\Mbldhn32.exe	Mmokpglb.exe
File created	C:\Windows\SysWOW64\Ihbdmc32.dll	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Aimhmkgn.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Nkgoke32.exe	Noqofdlj.exe
File created	C:\Windows\SysWOW64\Pocdba32.exe	Pgllad32.exe
File opened for modification	C:\Windows\SysWOW64\Jmffnq32.exe	Jginej32.exe
File created	C:\Windows\SysWOW64\Flpkcbqm.exe	Fefcgh32.exe
File created	C:\Windows\SysWOW64\Pldnki32.dll	Icgbob32.exe
File created	C:\Windows\SysWOW64\Dfcojl32.dll	Jghhjq32.exe
File created	C:\Windows\SysWOW64\Econlc32.dll	Flghognq.exe
File created	C:\Windows\SysWOW64\Gnfmkhcj.dll	Pahpee32.exe
File created	C:\Windows\SysWOW64\Fgkelj32.dll	Gclimi32.exe
File created	C:\Windows\SysWOW64\Oldficfh.dll	Jbpkfa32.exe
File opened for modification	C:\Windows\SysWOW64\Elaobdmm.exe	Dbijinfl.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Akagbfeh.dll	Ffcpgcfj.exe
File opened for modification	C:\Windows\SysWOW64\Eppobi32.exe	Eifffoob.exe
File opened for modification	C:\Windows\SysWOW64\Jggapj32.exe	Jmamba32.exe
File opened for modification	C:\Windows\SysWOW64\Nhafcd32.exe	Nmlafk32.exe
File opened for modification	C:\Windows\SysWOW64\Pgpobmca.exe	Ppffec32.exe
File opened for modification	C:\Windows\SysWOW64\Kcfnqccd.exe	Kkofofbb.exe
File created	C:\Windows\SysWOW64\Meghme32.dll	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Cemeoh32.exe	Cfhhml32.exe
File opened for modification	C:\Windows\SysWOW64\Kmppneal.exe	Kaioidkh.exe
File created	C:\Windows\SysWOW64\Namnmp32.exe	Nggjog32.exe
File created	C:\Windows\SysWOW64\Glkfdino.dll	Qbkcek32.exe
File opened for modification	C:\Windows\SysWOW64\Qhbhapha.exe	Pahpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hgnlmdcp.exe	Hfnpca32.exe
File created	C:\Windows\SysWOW64\Fdbdih32.dll	Mfhgcbfo.exe
File created	C:\Windows\SysWOW64\Ohdlpa32.exe	Onngci32.exe
File created	C:\Windows\SysWOW64\Qoflodqh.dll	Djklgb32.exe
File created	C:\Windows\SysWOW64\Fblpflfg.exe	Fkehdnee.exe
File created	C:\Windows\SysWOW64\Cpmbkm32.dll	Fblpflfg.exe
File created	C:\Windows\SysWOW64\Bjhgke32.exe	Bgjjoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ifckkhfi.exe	Ifqoehhl.exe
File created	C:\Windows\SysWOW64\Bcllmi32.dll	Ogmiepcf.exe
File opened for modification	C:\Windows\SysWOW64\Pkedbmab.exe	Opopdd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdiamnpc.exe	Bnoiqd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
13084	12972	WerFault.exe	690

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fifomlap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlhaee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmlafk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fifhbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefedcmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kppbejka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebejem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhgmlli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbldhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohpiphlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbkcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijdnka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapbodql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhqqlmba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kicfijal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecoaijio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpghfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmghklif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haafnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqdmodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdgal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eedmlo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpobmca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdiamnpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elaobdmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcifmdeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geklckkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likcdpop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkempb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoefgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklglk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cihjeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ellicihn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqmam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpqap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Komoed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgbob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abdfkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpejlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiomnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqdfmajd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppffec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebpqjmpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnlpgibd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcmpgpkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
13212	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lokceimi.dll"	Bkcjjhgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Knifging.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhndgjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Elaobdmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqljn32.dll"	Gklnem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flghognq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kifcnjpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laglkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bggknnmj.dll"	Ohdbkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmlafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpdfpmoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icgbob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pocdba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbibenl.dll"	Dpoiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egdqph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkdoje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjenh32.dll"	Mhmcck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmffnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pknghk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onjebpml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fghcqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opopdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhgjll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faebcoda.dll"	Fochecog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajkfn32.dll"	Aamipe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Japmcfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giokid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkled32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqoppk32.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clpppmqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpihbjmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgibqj32.dll"	Dhgjll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmffnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eifffoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dndlba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkcmi32.dll"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enllgbcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncpjk32.dll"	Pfkpiled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icklhnop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpflhb32.dll"	Oahnhncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Minipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnkqlk32.dll"	Bbmbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnchgmkg.dll"	Kfpqap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgfep32.dll"	Pgpobmca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibdlc32.dll"	Hhiaepfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfggbope.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkidki.dll"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 5696	4780	0445405bb7106522c0b2157809e4d5f8.exe	84
PID 4780 wrote to memory of 5696	4780	0445405bb7106522c0b2157809e4d5f8.exe	84
PID 4780 wrote to memory of 5696	4780	0445405bb7106522c0b2157809e4d5f8.exe	84
PID 5696 wrote to memory of 2772	5696	Iapjgo32.exe	85
PID 5696 wrote to memory of 2772	5696	Iapjgo32.exe	85
PID 5696 wrote to memory of 2772	5696	Iapjgo32.exe	85
PID 2772 wrote to memory of 4796	2772	Ibpgqa32.exe	86
PID 2772 wrote to memory of 4796	2772	Ibpgqa32.exe	86
PID 2772 wrote to memory of 4796	2772	Ibpgqa32.exe	86
PID 4796 wrote to memory of 3936	4796	Ijkled32.exe	87
PID 4796 wrote to memory of 3936	4796	Ijkled32.exe	87
PID 4796 wrote to memory of 3936	4796	Ijkled32.exe	87
PID 3936 wrote to memory of 2980	3936	Ibbcfa32.exe	88
PID 3936 wrote to memory of 2980	3936	Ibbcfa32.exe	88
PID 3936 wrote to memory of 2980	3936	Ibbcfa32.exe	88
PID 2980 wrote to memory of 6036	2980	Ilkhog32.exe	89
PID 2980 wrote to memory of 6036	2980	Ilkhog32.exe	89
PID 2980 wrote to memory of 6036	2980	Ilkhog32.exe	89
PID 6036 wrote to memory of 3564	6036	Ibdplaho.exe	90
PID 6036 wrote to memory of 3564	6036	Ibdplaho.exe	90
PID 6036 wrote to memory of 3564	6036	Ibdplaho.exe	90
PID 3564 wrote to memory of 1992	3564	Inkaqb32.exe	91
PID 3564 wrote to memory of 1992	3564	Inkaqb32.exe	91
PID 3564 wrote to memory of 1992	3564	Inkaqb32.exe	91
PID 1992 wrote to memory of 2128	1992	Idhiii32.exe	92
PID 1992 wrote to memory of 2128	1992	Idhiii32.exe	92
PID 1992 wrote to memory of 2128	1992	Idhiii32.exe	92
PID 2128 wrote to memory of 2120	2128	Ijbbfc32.exe	93
PID 2128 wrote to memory of 2120	2128	Ijbbfc32.exe	93
PID 2128 wrote to memory of 2120	2128	Ijbbfc32.exe	93
PID 2120 wrote to memory of 2100	2120	Jdjfohjg.exe	94
PID 2120 wrote to memory of 2100	2120	Jdjfohjg.exe	94
PID 2120 wrote to memory of 2100	2120	Jdjfohjg.exe	94
PID 2100 wrote to memory of 3312	2100	Jlanpfkj.exe	95
PID 2100 wrote to memory of 3312	2100	Jlanpfkj.exe	95
PID 2100 wrote to memory of 3312	2100	Jlanpfkj.exe	95
PID 3312 wrote to memory of 3264	3312	Jjgkab32.exe	96
PID 3312 wrote to memory of 3264	3312	Jjgkab32.exe	96
PID 3312 wrote to memory of 3264	3312	Jjgkab32.exe	96
PID 3264 wrote to memory of 1180	3264	Jbppgona.exe	97
PID 3264 wrote to memory of 1180	3264	Jbppgona.exe	97
PID 3264 wrote to memory of 1180	3264	Jbppgona.exe	97
PID 1180 wrote to memory of 1552	1180	Jdalog32.exe	98
PID 1180 wrote to memory of 1552	1180	Jdalog32.exe	98
PID 1180 wrote to memory of 1552	1180	Jdalog32.exe	98
PID 1552 wrote to memory of 6060	1552	Jjkdlall.exe	99
PID 1552 wrote to memory of 6060	1552	Jjkdlall.exe	99
PID 1552 wrote to memory of 6060	1552	Jjkdlall.exe	99
PID 6060 wrote to memory of 5512	6060	Kkbkmqed.exe	100
PID 6060 wrote to memory of 5512	6060	Kkbkmqed.exe	100
PID 6060 wrote to memory of 5512	6060	Kkbkmqed.exe	100
PID 5512 wrote to memory of 4596	5512	Kbjbnnfg.exe	101
PID 5512 wrote to memory of 4596	5512	Kbjbnnfg.exe	101
PID 5512 wrote to memory of 4596	5512	Kbjbnnfg.exe	101
PID 4596 wrote to memory of 5284	4596	Kehojiej.exe	102
PID 4596 wrote to memory of 5284	4596	Kehojiej.exe	102
PID 4596 wrote to memory of 5284	4596	Kehojiej.exe	102
PID 5284 wrote to memory of 5684	5284	Klbgfc32.exe	103
PID 5284 wrote to memory of 5684	5284	Klbgfc32.exe	103
PID 5284 wrote to memory of 5684	5284	Klbgfc32.exe	103
PID 5684 wrote to memory of 3800	5684	Kblpcndd.exe	104
PID 5684 wrote to memory of 3800	5684	Kblpcndd.exe	104
PID 5684 wrote to memory of 3800	5684	Kblpcndd.exe	104
PID 3800 wrote to memory of 3504	3800	Lbqinm32.exe	105

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0445405bb7106522c0b2157809e4d5f8.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0445405bb7106522c0b2157809e4d5f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\Iapjgo32.exe
  C:\Windows\system32\Iapjgo32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5696
- - C:\Windows\SysWOW64\Ibpgqa32.exe
    C:\Windows\system32\Ibpgqa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Ijkled32.exe
      C:\Windows\system32\Ijkled32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6036
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5512
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5284
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5684
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        23⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6128
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        27⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        28⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        29⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        30⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        31⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        32⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        33⤵
        Executes dropped EXE
        
        PID:5836
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        35⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        36⤵
        Executes dropped EXE
        
        PID:6016
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        37⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        38⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5820
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        41⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        42⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        44⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        46⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        47⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        48⤵
        Executes dropped EXE
        
        PID:6064
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        50⤵
        Executes dropped EXE
        
        PID:5636
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        51⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        52⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        53⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        56⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        59⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        60⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        61⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        63⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        64⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        65⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        66⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        67⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        68⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        69⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        70⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        71⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        73⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        74⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        75⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        76⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        77⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        78⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        79⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        80⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        81⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        82⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        83⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        84⤵
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        85⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        86⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        87⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        88⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        89⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        90⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        91⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        92⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        93⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        95⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        97⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        100⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        102⤵
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        103⤵
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        104⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        105⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        106⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        107⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        108⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        109⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:400
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        111⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        112⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        113⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1028
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        115⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        116⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        117⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        118⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        120⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        121⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        122⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        123⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        124⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        125⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        126⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        127⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        128⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        131⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        132⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        134⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        135⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        137⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        138⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        139⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        140⤵
        
        PID:668
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        141⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        142⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        143⤵
        
        PID:784
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        144⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        145⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        146⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        147⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        148⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        149⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        151⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        152⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        153⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:940
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        155⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        157⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        158⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        159⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        161⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        162⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        163⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        164⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Dpoiho32.exe
        
        C:\Windows\system32\Dpoiho32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ecoaijio.exe
        
        C:\Windows\system32\Ecoaijio.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Edoncm32.exe
        
        C:\Windows\system32\Edoncm32.exe
        167⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ecdkdj32.exe
        
        C:\Windows\system32\Ecdkdj32.exe
        168⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Ellpmolj.exe
        
        C:\Windows\system32\Ellpmolj.exe
        169⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Enllgbcl.exe
        
        C:\Windows\system32\Enllgbcl.exe
        170⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Egdqph32.exe
        
        C:\Windows\system32\Egdqph32.exe
        171⤵
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Fckaeioa.exe
        
        C:\Windows\system32\Fckaeioa.exe
        172⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Fpoaom32.exe
        
        C:\Windows\system32\Fpoaom32.exe
        173⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Fcpkph32.exe
        
        C:\Windows\system32\Fcpkph32.exe
        174⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Fjjcmbci.exe
        
        C:\Windows\system32\Fjjcmbci.exe
        175⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Fnglcqio.exe
        
        C:\Windows\system32\Fnglcqio.exe
        176⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Ffcpgcfj.exe
        
        C:\Windows\system32\Ffcpgcfj.exe
        177⤵
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Gnjhhpgl.exe
        
        C:\Windows\system32\Gnjhhpgl.exe
        178⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Gfemmb32.exe
        
        C:\Windows\system32\Gfemmb32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Gckjlf32.exe
        
        C:\Windows\system32\Gckjlf32.exe
        181⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Gjebiq32.exe
        
        C:\Windows\system32\Gjebiq32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Gjhonp32.exe
        
        C:\Windows\system32\Gjhonp32.exe
        183⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Hfnpca32.exe
        
        C:\Windows\system32\Hfnpca32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Hgnlmdcp.exe
        
        C:\Windows\system32\Hgnlmdcp.exe
        185⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Hdbmfhbi.exe
        
        C:\Windows\system32\Hdbmfhbi.exe
        186⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Hjabdo32.exe
        
        C:\Windows\system32\Hjabdo32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Hcifmdeo.exe
        
        C:\Windows\system32\Hcifmdeo.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Hjcojo32.exe
        
        C:\Windows\system32\Hjcojo32.exe
        189⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ijfkpnji.exe
        
        C:\Windows\system32\Ijfkpnji.exe
        190⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Igjlibib.exe
        
        C:\Windows\system32\Igjlibib.exe
        191⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Incdem32.exe
        
        C:\Windows\system32\Incdem32.exe
        192⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Infqklol.exe
        
        C:\Windows\system32\Infqklol.exe
        193⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Iepihf32.exe
        
        C:\Windows\system32\Iepihf32.exe
        194⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Imknli32.exe
        
        C:\Windows\system32\Imknli32.exe
        195⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Iebfmfdg.exe
        
        C:\Windows\system32\Iebfmfdg.exe
        196⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ijonfmbn.exe
        
        C:\Windows\system32\Ijonfmbn.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Icgbob32.exe
        
        C:\Windows\system32\Icgbob32.exe
        198⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Jakchf32.exe
        
        C:\Windows\system32\Jakchf32.exe
        199⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Jjdgal32.exe
        
        C:\Windows\system32\Jjdgal32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Jghhjq32.exe
        
        C:\Windows\system32\Jghhjq32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Jnapgjdo.exe
        
        C:\Windows\system32\Jnapgjdo.exe
        202⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Japmcfcc.exe
        
        C:\Windows\system32\Japmcfcc.exe
        203⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Jfmekm32.exe
        
        C:\Windows\system32\Jfmekm32.exe
        204⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Jabiie32.exe
        
        C:\Windows\system32\Jabiie32.exe
        205⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        206⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Kebodc32.exe
        
        C:\Windows\system32\Kebodc32.exe
        207⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Kaioidkh.exe
        
        C:\Windows\system32\Kaioidkh.exe
        208⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Kmppneal.exe
        
        C:\Windows\system32\Kmppneal.exe
        209⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        210⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Kfkamk32.exe
        
        C:\Windows\system32\Kfkamk32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Knbinhfl.exe
        
        C:\Windows\system32\Knbinhfl.exe
        212⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Ldoafodd.exe
        
        C:\Windows\system32\Ldoafodd.exe
        213⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Lmgfod32.exe
        
        C:\Windows\system32\Lmgfod32.exe
        214⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Ljkghi32.exe
        
        C:\Windows\system32\Ljkghi32.exe
        215⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Lhogamih.exe
        
        C:\Windows\system32\Lhogamih.exe
        216⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Laglkb32.exe
        
        C:\Windows\system32\Laglkb32.exe
        217⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Leedqa32.exe
        
        C:\Windows\system32\Leedqa32.exe
        218⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Loniiflo.exe
        
        C:\Windows\system32\Loniiflo.exe
        219⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Mhfmbl32.exe
        
        C:\Windows\system32\Mhfmbl32.exe
        220⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Maoakaip.exe
        
        C:\Windows\system32\Maoakaip.exe
        221⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mmebpbod.exe
        
        C:\Windows\system32\Mmebpbod.exe
        222⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Mgngih32.exe
        
        C:\Windows\system32\Mgngih32.exe
        223⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Mackfa32.exe
        
        C:\Windows\system32\Mackfa32.exe
        224⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Mhmcck32.exe
        
        C:\Windows\system32\Mhmcck32.exe
        225⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Mmjlkb32.exe
        
        C:\Windows\system32\Mmjlkb32.exe
        226⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mdddhlbl.exe
        
        C:\Windows\system32\Mdddhlbl.exe
        227⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Nmlhaa32.exe
        
        C:\Windows\system32\Nmlhaa32.exe
        228⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Nolekd32.exe
        
        C:\Windows\system32\Nolekd32.exe
        229⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Nggjog32.exe
        
        C:\Windows\system32\Nggjog32.exe
        230⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Namnmp32.exe
        
        C:\Windows\system32\Namnmp32.exe
        231⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Noqofdlj.exe
        
        C:\Windows\system32\Noqofdlj.exe
        232⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Nkgoke32.exe
        
        C:\Windows\system32\Nkgoke32.exe
        233⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        234⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Oklifdmi.exe
        
        C:\Windows\system32\Oklifdmi.exe
        235⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Onjebpml.exe
        
        C:\Windows\system32\Onjebpml.exe
        236⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        237⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ohpiphlb.exe
        
        C:\Windows\system32\Ohpiphlb.exe
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Oahnhncc.exe
        
        C:\Windows\system32\Oahnhncc.exe
        239⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Okqbac32.exe
        
        C:\Windows\system32\Okqbac32.exe
        240⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ohdbkh32.exe
        
        C:\Windows\system32\Ohdbkh32.exe
        241⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ofhcdlgg.exe
        
        C:\Windows\system32\Ofhcdlgg.exe
        242⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Pndhhnda.exe
        
        C:\Windows\system32\Pndhhnda.exe
        243⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Paocim32.exe
        
        C:\Windows\system32\Paocim32.exe
        244⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Pfkpiled.exe
        
        C:\Windows\system32\Pfkpiled.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7312
        
        C:\Windows\SysWOW64\Philfgdh.exe
        
        C:\Windows\system32\Philfgdh.exe
        246⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Pgllad32.exe
        
        C:\Windows\system32\Pgllad32.exe
        247⤵
        Drops file in System32 directory
        
        PID:7384
        
        C:\Windows\SysWOW64\Pocdba32.exe
        
        C:\Windows\system32\Pocdba32.exe
        248⤵
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\Pnfdnnbo.exe
        
        C:\Windows\system32\Pnfdnnbo.exe
        249⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Pbapom32.exe
        
        C:\Windows\system32\Pbapom32.exe
        250⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        251⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        252⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        253⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Pbifol32.exe
        
        C:\Windows\system32\Pbifol32.exe
        254⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Qomghp32.exe
        
        C:\Windows\system32\Qomghp32.exe
        255⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Qbkcek32.exe
        
        C:\Windows\system32\Qbkcek32.exe
        256⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7712
        
        C:\Windows\SysWOW64\Qdipag32.exe
        
        C:\Windows\system32\Qdipag32.exe
        257⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Qbmpjkqk.exe
        
        C:\Windows\system32\Qbmpjkqk.exe
        258⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Agjhbbob.exe
        
        C:\Windows\system32\Agjhbbob.exe
        259⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        260⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Abpmpkoh.exe
        
        C:\Windows\system32\Abpmpkoh.exe
        261⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Akhaipei.exe
        
        C:\Windows\system32\Akhaipei.exe
        262⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\Abbiej32.exe
        
        C:\Windows\system32\Abbiej32.exe
        263⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Abdfkj32.exe
        
        C:\Windows\system32\Abdfkj32.exe
        264⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\Aiqkmd32.exe
        
        C:\Windows\system32\Aiqkmd32.exe
        266⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Aokcjngj.exe
        
        C:\Windows\system32\Aokcjngj.exe
        267⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Aeglbeea.exe
        
        C:\Windows\system32\Aeglbeea.exe
        268⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        269⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Biedhclh.exe
        
        C:\Windows\system32\Biedhclh.exe
        270⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Bkdqdokk.exe
        
        C:\Windows\system32\Bkdqdokk.exe
        271⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:7344
        
        C:\Windows\SysWOW64\Bndjfjhl.exe
        
        C:\Windows\system32\Bndjfjhl.exe
        273⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Bpdfpmoo.exe
        
        C:\Windows\system32\Bpdfpmoo.exe
        274⤵
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Blkgen32.exe
        
        C:\Windows\system32\Blkgen32.exe
        275⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        276⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Cnlpgibd.exe
        
        C:\Windows\system32\Cnlpgibd.exe
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Ceehcc32.exe
        
        C:\Windows\system32\Ceehcc32.exe
        278⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Cfedmfqd.exe
        
        C:\Windows\system32\Cfedmfqd.exe
        280⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        281⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Cnpibh32.exe
        
        C:\Windows\system32\Cnpibh32.exe
        282⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Cejaobel.exe
        
        C:\Windows\system32\Cejaobel.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Chinkndp.exe
        
        C:\Windows\system32\Chinkndp.exe
        284⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        285⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Cihjeq32.exe
        
        C:\Windows\system32\Cihjeq32.exe
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:7212
        
        C:\Windows\SysWOW64\Cpbbak32.exe
        
        C:\Windows\system32\Cpbbak32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4588
        
        C:\Windows\SysWOW64\Cfljnejl.exe
        
        C:\Windows\system32\Cfljnejl.exe
        288⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dngobghg.exe
        
        C:\Windows\system32\Dngobghg.exe
        290⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Dlkplk32.exe
        
        C:\Windows\system32\Dlkplk32.exe
        292⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Dojlhg32.exe
        
        C:\Windows\system32\Dojlhg32.exe
        293⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Diopep32.exe
        
        C:\Windows\system32\Diopep32.exe
        294⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Dpihbjmg.exe
        
        C:\Windows\system32\Dpihbjmg.exe
        295⤵
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Dbgdnelk.exe
        
        C:\Windows\system32\Dbgdnelk.exe
        296⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Defajqko.exe
        
        C:\Windows\system32\Defajqko.exe
        297⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Dpkehi32.exe
        
        C:\Windows\system32\Dpkehi32.exe
        298⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Dbjade32.exe
        
        C:\Windows\system32\Dbjade32.exe
        299⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Dhgjll32.exe
        
        C:\Windows\system32\Dhgjll32.exe
        300⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Doqbifpl.exe
        
        C:\Windows\system32\Doqbifpl.exe
        301⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Eifffoob.exe
        
        C:\Windows\system32\Eifffoob.exe
        302⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        303⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Eemgkpef.exe
        
        C:\Windows\system32\Eemgkpef.exe
        304⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Ehkcgkdj.exe
        
        C:\Windows\system32\Ehkcgkdj.exe
        305⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        306⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Eeodqocd.exe
        
        C:\Windows\system32\Eeodqocd.exe
        307⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Epehnhbj.exe
        
        C:\Windows\system32\Epehnhbj.exe
        308⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Eeaqfo32.exe
        
        C:\Windows\system32\Eeaqfo32.exe
        309⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Ellicihn.exe
        
        C:\Windows\system32\Ellicihn.exe
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:8220
        
        C:\Windows\SysWOW64\Eedmlo32.exe
        
        C:\Windows\system32\Eedmlo32.exe
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:8256
        
        C:\Windows\SysWOW64\Elnehifk.exe
        
        C:\Windows\system32\Elnehifk.exe
        312⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        313⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Flpbnh32.exe
        
        C:\Windows\system32\Flpbnh32.exe
        314⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Fbjjkble.exe
        
        C:\Windows\system32\Fbjjkble.exe
        315⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Fidbgm32.exe
        
        C:\Windows\system32\Fidbgm32.exe
        316⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        317⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Fghcqq32.exe
        
        C:\Windows\system32\Fghcqq32.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8512
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:8548
        
        C:\Windows\SysWOW64\Fochecog.exe
        
        C:\Windows\system32\Fochecog.exe
        320⤵
        Modifies registry class
        
        PID:8584
        
        C:\Windows\SysWOW64\Fgjpfqpi.exe
        
        C:\Windows\system32\Fgjpfqpi.exe
        321⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Flghognq.exe
        
        C:\Windows\system32\Flghognq.exe
        322⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8656
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        323⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Fhnichde.exe
        
        C:\Windows\system32\Fhnichde.exe
        324⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Gohapb32.exe
        
        C:\Windows\system32\Gohapb32.exe
        325⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Gebimmco.exe
        
        C:\Windows\system32\Gebimmco.exe
        326⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Gllajf32.exe
        
        C:\Windows\system32\Gllajf32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8836
        
        C:\Windows\SysWOW64\Gojnfb32.exe
        
        C:\Windows\system32\Gojnfb32.exe
        328⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Ghcbohpp.exe
        
        C:\Windows\system32\Ghcbohpp.exe
        329⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Gpjjpe32.exe
        
        C:\Windows\system32\Gpjjpe32.exe
        330⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Giboijgb.exe
        
        C:\Windows\system32\Giboijgb.exe
        331⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        332⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Gckcap32.exe
        
        C:\Windows\system32\Gckcap32.exe
        333⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Glchjedc.exe
        
        C:\Windows\system32\Glchjedc.exe
        334⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Gcmpgpkp.exe
        
        C:\Windows\system32\Gcmpgpkp.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9124
        
        C:\Windows\SysWOW64\Geklckkd.exe
        
        C:\Windows\system32\Geklckkd.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9160
        
        C:\Windows\SysWOW64\Hpaqqdjj.exe
        
        C:\Windows\system32\Hpaqqdjj.exe
        337⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Hgkimn32.exe
        
        C:\Windows\system32\Hgkimn32.exe
        338⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Hjieii32.exe
        
        C:\Windows\system32\Hjieii32.exe
        339⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Hlhaee32.exe
        
        C:\Windows\system32\Hlhaee32.exe
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:8380
        
        C:\Windows\SysWOW64\Hpcmfchg.exe
        
        C:\Windows\system32\Hpcmfchg.exe
        341⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        342⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Hpejlc32.exe
        
        C:\Windows\system32\Hpejlc32.exe
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:8632
        
        C:\Windows\SysWOW64\Hcdfho32.exe
        
        C:\Windows\system32\Hcdfho32.exe
        344⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Hhaope32.exe
        
        C:\Windows\system32\Hhaope32.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8832
        
        C:\Windows\SysWOW64\Hcfcmnce.exe
        
        C:\Windows\system32\Hcfcmnce.exe
        346⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Hgbonm32.exe
        
        C:\Windows\system32\Hgbonm32.exe
        347⤵
        Drops file in System32 directory
        
        PID:8992
        
        C:\Windows\SysWOW64\Hjpkjh32.exe
        
        C:\Windows\system32\Hjpkjh32.exe
        348⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Hqjcgbbo.exe
        
        C:\Windows\system32\Hqjcgbbo.exe
        349⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Hcipcnac.exe
        
        C:\Windows\system32\Hcipcnac.exe
        350⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Hfgloiqf.exe
        
        C:\Windows\system32\Hfgloiqf.exe
        351⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Hhehkepj.exe
        
        C:\Windows\system32\Hhehkepj.exe
        352⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Iqmplbpl.exe
        
        C:\Windows\system32\Iqmplbpl.exe
        353⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Icklhnop.exe
        
        C:\Windows\system32\Icklhnop.exe
        354⤵
        Modifies registry class
        
        PID:8384
        
        C:\Windows\SysWOW64\Ifihdi32.exe
        
        C:\Windows\system32\Ifihdi32.exe
        355⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Ihheqd32.exe
        
        C:\Windows\system32\Ihheqd32.exe
        356⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Iqombb32.exe
        
        C:\Windows\system32\Iqombb32.exe
        357⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ifleji32.exe
        
        C:\Windows\system32\Ifleji32.exe
        358⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Imfmgcdn.exe
        
        C:\Windows\system32\Imfmgcdn.exe
        359⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Icpecm32.exe
        
        C:\Windows\system32\Icpecm32.exe
        360⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Ijjnpg32.exe
        
        C:\Windows\system32\Ijjnpg32.exe
        361⤵
        Drops file in System32 directory
        
        PID:9084
        
        C:\Windows\SysWOW64\Iqdfmajd.exe
        
        C:\Windows\system32\Iqdfmajd.exe
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Ifqoehhl.exe
        
        C:\Windows\system32\Ifqoehhl.exe
        363⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ifckkhfi.exe
        
        C:\Windows\system32\Ifckkhfi.exe
        364⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Jokpcmmj.exe
        
        C:\Windows\system32\Jokpcmmj.exe
        365⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Jcgldl32.exe
        
        C:\Windows\system32\Jcgldl32.exe
        366⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\Jicdlc32.exe
        
        C:\Windows\system32\Jicdlc32.exe
        367⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Jcihjl32.exe
        
        C:\Windows\system32\Jcihjl32.exe
        368⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Jmamba32.exe
        
        C:\Windows\system32\Jmamba32.exe
        369⤵
        Drops file in System32 directory
        
        PID:9372
        
        C:\Windows\SysWOW64\Jggapj32.exe
        
        C:\Windows\system32\Jggapj32.exe
        370⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Jmdjha32.exe
        
        C:\Windows\system32\Jmdjha32.exe
        371⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Jginej32.exe
        
        C:\Windows\system32\Jginej32.exe
        372⤵
        Drops file in System32 directory
        
        PID:9488
        
        C:\Windows\SysWOW64\Jmffnq32.exe
        
        C:\Windows\system32\Jmffnq32.exe
        373⤵
        Modifies registry class
        
        PID:9536
        
        C:\Windows\SysWOW64\Jfokff32.exe
        
        C:\Windows\system32\Jfokff32.exe
        374⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9572
        
        C:\Windows\SysWOW64\Kimgba32.exe
        
        C:\Windows\system32\Kimgba32.exe
        375⤵
        Drops file in System32 directory
        
        PID:9608
        
        C:\Windows\SysWOW64\Kcbkpj32.exe
        
        C:\Windows\system32\Kcbkpj32.exe
        376⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Kjlcmdbb.exe
        
        C:\Windows\system32\Kjlcmdbb.exe
        377⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Kgqdfi32.exe
        
        C:\Windows\system32\Kgqdfi32.exe
        378⤵
        Drops file in System32 directory
        
        PID:9716
        
        C:\Windows\SysWOW64\Kcgekjgp.exe
        
        C:\Windows\system32\Kcgekjgp.exe
        379⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Kidmcqeg.exe
        
        C:\Windows\system32\Kidmcqeg.exe
        380⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Kpnepk32.exe
        
        C:\Windows\system32\Kpnepk32.exe
        381⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Kciaqi32.exe
        
        C:\Windows\system32\Kciaqi32.exe
        382⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9860
        
        C:\Windows\SysWOW64\Kmbfiokn.exe
        
        C:\Windows\system32\Kmbfiokn.exe
        383⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Kppbejka.exe
        
        C:\Windows\system32\Kppbejka.exe
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:9936
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        385⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Lmdbooik.exe
        
        C:\Windows\system32\Lmdbooik.exe
        386⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10012
        
        C:\Windows\SysWOW64\Lcnkli32.exe
        
        C:\Windows\system32\Lcnkli32.exe
        387⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Likcdpop.exe
        
        C:\Windows\system32\Likcdpop.exe
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:10088
        
        C:\Windows\SysWOW64\Labkempb.exe
        
        C:\Windows\system32\Labkempb.exe
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:10128
        
        C:\Windows\SysWOW64\Lglcag32.exe
        
        C:\Windows\system32\Lglcag32.exe
        390⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Ljjpnb32.exe
        
        C:\Windows\system32\Ljjpnb32.exe
        391⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Lpghfi32.exe
        
        C:\Windows\system32\Lpghfi32.exe
        392⤵
        System Location Discovery: System Language Discovery
        
        PID:9220
        
        C:\Windows\SysWOW64\Ljmmcbdp.exe
        
        C:\Windows\system32\Ljmmcbdp.exe
        393⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Lmkipncc.exe
        
        C:\Windows\system32\Lmkipncc.exe
        394⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        395⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Ljoiibbm.exe
        
        C:\Windows\system32\Ljoiibbm.exe
        396⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Ldgnbg32.exe
        
        C:\Windows\system32\Ldgnbg32.exe
        397⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Mffjnc32.exe
        
        C:\Windows\system32\Mffjnc32.exe
        398⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Malnklgg.exe
        
        C:\Windows\system32\Malnklgg.exe
        399⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Mfhgcbfo.exe
        
        C:\Windows\system32\Mfhgcbfo.exe
        400⤵
        Drops file in System32 directory
        
        PID:9748
        
        C:\Windows\SysWOW64\Mmbopm32.exe
        
        C:\Windows\system32\Mmbopm32.exe
        401⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Mhhcne32.exe
        
        C:\Windows\system32\Mhhcne32.exe
        402⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9876
        
        C:\Windows\SysWOW64\Miipencp.exe
        
        C:\Windows\system32\Miipencp.exe
        403⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Mmdlflki.exe
        
        C:\Windows\system32\Mmdlflki.exe
        404⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        405⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Mmghklif.exe
        
        C:\Windows\system32\Mmghklif.exe
        406⤵
        System Location Discovery: System Language Discovery
        
        PID:10124
        
        C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        407⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        408⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10232
        
        C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        409⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Mdcmnfop.exe
        
        C:\Windows\system32\Mdcmnfop.exe
        410⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Nfaijand.exe
        
        C:\Windows\system32\Nfaijand.exe
        411⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9504
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        412⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9580
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        413⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Nibbklke.exe
        
        C:\Windows\system32\Nibbklke.exe
        414⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        415⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        416⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        417⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        418⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        419⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        420⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Nkghqo32.exe
        
        C:\Windows\system32\Nkghqo32.exe
        421⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        422⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9972
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        423⤵
        Drops file in System32 directory
        
        PID:9268
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        424⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        425⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9584
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        426⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        427⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        428⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        429⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        430⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10352
        
        C:\Windows\SysWOW64\Onngci32.exe
        
        C:\Windows\system32\Onngci32.exe
        431⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10380
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        432⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Oiehhjjp.exe
        
        C:\Windows\system32\Oiehhjjp.exe
        433⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        434⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10464
        
        C:\Windows\SysWOW64\Pkedbmab.exe
        
        C:\Windows\system32\Pkedbmab.exe
        435⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10492
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        436⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Pdmikb32.exe
        
        C:\Windows\system32\Pdmikb32.exe
        437⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        438⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\Paaidf32.exe
        
        C:\Windows\system32\Paaidf32.exe
        439⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Phkaqqoi.exe
        
        C:\Windows\system32\Phkaqqoi.exe
        440⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        441⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10664
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        442⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10692
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        443⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        444⤵
        Drops file in System32 directory
        
        PID:10752
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        445⤵
        Modifies registry class
        
        PID:10784
        
        C:\Windows\SysWOW64\Pahpee32.exe
        
        C:\Windows\system32\Pahpee32.exe
        446⤵
        Drops file in System32 directory
        
        PID:10812
        
        C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        447⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        448⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Qdihfq32.exe
        
        C:\Windows\system32\Qdihfq32.exe
        449⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        450⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        451⤵
        Modifies registry class
        
        PID:10952
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        452⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10980
        
        C:\Windows\SysWOW64\Ajhndgjj.exe
        
        C:\Windows\system32\Ajhndgjj.exe
        453⤵
        Modifies registry class
        
        PID:11008
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        454⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11036
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        455⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        456⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        457⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        458⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        459⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        460⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\Addhbo32.exe
        
        C:\Windows\system32\Addhbo32.exe
        461⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        462⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        463⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\Bhbahm32.exe
        
        C:\Windows\system32\Bhbahm32.exe
        464⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        465⤵
        Drops file in System32 directory
        
        PID:10456
        
        C:\Windows\SysWOW64\Bdiamnpc.exe
        
        C:\Windows\system32\Bdiamnpc.exe
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:10516
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        467⤵
        Modifies registry class
        
        PID:10588
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        468⤵
        Modifies registry class
        
        PID:10656
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        469⤵
        Drops file in System32 directory
        
        PID:10720
        
        C:\Windows\SysWOW64\Bjhgke32.exe
        
        C:\Windows\system32\Bjhgke32.exe
        470⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        471⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        472⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        473⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        474⤵
        Modifies registry class
        
        PID:11044
        
        C:\Windows\SysWOW64\Bjmpfdhb.exe
        
        C:\Windows\system32\Bjmpfdhb.exe
        475⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        476⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\Ckmmpg32.exe
        
        C:\Windows\system32\Ckmmpg32.exe
        477⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        478⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        479⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        480⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        481⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        482⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        483⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        484⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        485⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        486⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        487⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        488⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        489⤵
        Modifies registry class
        
        PID:11268
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        490⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Djklgb32.exe
        
        C:\Windows\system32\Djklgb32.exe
        491⤵
        Drops file in System32 directory
        
        PID:11324
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        492⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Dgomaf32.exe
        
        C:\Windows\system32\Dgomaf32.exe
        493⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        494⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        495⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11436
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        496⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        497⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\Dhcfleff.exe
        
        C:\Windows\system32\Dhcfleff.exe
        498⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11520
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        499⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        500⤵
        Drops file in System32 directory
        
        PID:11576
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        501⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11608
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        502⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Eieplhlf.exe
        
        C:\Windows\system32\Eieplhlf.exe
        503⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\Enbhdojn.exe
        
        C:\Windows\system32\Enbhdojn.exe
        504⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Eelpqi32.exe
        
        C:\Windows\system32\Eelpqi32.exe
        505⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\Elfhmc32.exe
        
        C:\Windows\system32\Elfhmc32.exe
        506⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Ebpqjmpd.exe
        
        C:\Windows\system32\Ebpqjmpd.exe
        507⤵
        System Location Discovery: System Language Discovery
        
        PID:11780
        
        C:\Windows\SysWOW64\Eijigg32.exe
        
        C:\Windows\system32\Eijigg32.exe
        508⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11808
        
        C:\Windows\SysWOW64\Ejkenpnp.exe
        
        C:\Windows\system32\Ejkenpnp.exe
        509⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Eaenkj32.exe
        
        C:\Windows\system32\Eaenkj32.exe
        510⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\Elkbhbeb.exe
        
        C:\Windows\system32\Elkbhbeb.exe
        511⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\Ebejem32.exe
        
        C:\Windows\system32\Ebejem32.exe
        512⤵
        System Location Discovery: System Language Discovery
        
        PID:11920
        
        C:\Windows\SysWOW64\Eiobbgcl.exe
        
        C:\Windows\system32\Eiobbgcl.exe
        513⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\Folkjnbc.exe
        
        C:\Windows\system32\Folkjnbc.exe
        514⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\Fefcgh32.exe
        
        C:\Windows\system32\Fefcgh32.exe
        515⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12008
        
        C:\Windows\SysWOW64\Flpkcbqm.exe
        
        C:\Windows\system32\Flpkcbqm.exe
        516⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\Fongpm32.exe
        
        C:\Windows\system32\Fongpm32.exe
        517⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Ficlmf32.exe
        
        C:\Windows\system32\Ficlmf32.exe
        518⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12096
        
        C:\Windows\SysWOW64\Fkehdnee.exe
        
        C:\Windows\system32\Fkehdnee.exe
        519⤵
        Drops file in System32 directory
        
        PID:12124
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        520⤵
        Drops file in System32 directory
        
        PID:12152
        
        C:\Windows\SysWOW64\Fifhbf32.exe
        
        C:\Windows\system32\Fifhbf32.exe
        521⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:12180
        
        C:\Windows\SysWOW64\Flddoa32.exe
        
        C:\Windows\system32\Flddoa32.exe
        522⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12208
        
        C:\Windows\SysWOW64\Faamghko.exe
        
        C:\Windows\system32\Faamghko.exe
        523⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Fhkecb32.exe
        
        C:\Windows\system32\Fhkecb32.exe
        524⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\Fkiapn32.exe
        
        C:\Windows\system32\Fkiapn32.exe
        525⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11144
        
        C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        526⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Ghmbib32.exe
        
        C:\Windows\system32\Ghmbib32.exe
        527⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\Gklnem32.exe
        
        C:\Windows\system32\Gklnem32.exe
        528⤵
        Modifies registry class
        
        PID:11460
        
        C:\Windows\SysWOW64\Geabbfoc.exe
        
        C:\Windows\system32\Geabbfoc.exe
        529⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Ghpooanf.exe
        
        C:\Windows\system32\Ghpooanf.exe
        530⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        531⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Giokid32.exe
        
        C:\Windows\system32\Giokid32.exe
        532⤵
        Modifies registry class
        
        PID:11720
        
        C:\Windows\SysWOW64\Gkqhpmkg.exe
        
        C:\Windows\system32\Gkqhpmkg.exe
        533⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11788
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        534⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\Glpdjpbj.exe
        
        C:\Windows\system32\Glpdjpbj.exe
        535⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Gammbfqa.exe
        
        C:\Windows\system32\Gammbfqa.exe
        536⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        537⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        538⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\Gclimi32.exe
        
        C:\Windows\system32\Gclimi32.exe
        539⤵
        Drops file in System32 directory
        
        PID:12176
        
        C:\Windows\SysWOW64\Hhiaepfl.exe
        
        C:\Windows\system32\Hhiaepfl.exe
        540⤵
        Modifies registry class
        
        PID:12244
        
        C:\Windows\SysWOW64\Haafnf32.exe
        
        C:\Windows\system32\Haafnf32.exe
        541⤵
        System Location Discovery: System Language Discovery
        
        PID:11320
        
        C:\Windows\SysWOW64\Hhlnjpdi.exe
        
        C:\Windows\system32\Hhlnjpdi.exe
        542⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\Hoefgj32.exe
        
        C:\Windows\system32\Hoefgj32.exe
        543⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:11644
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        544⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\Hklglk32.exe
        
        C:\Windows\system32\Hklglk32.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:11900
        
        C:\Windows\SysWOW64\Hccomh32.exe
        
        C:\Windows\system32\Hccomh32.exe
        546⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Himgjbii.exe
        
        C:\Windows\system32\Himgjbii.exe
        547⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\Hkodak32.exe
        
        C:\Windows\system32\Hkodak32.exe
        548⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        549⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\Hhbdko32.exe
        
        C:\Windows\system32\Hhbdko32.exe
        550⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\Hommhi32.exe
        
        C:\Windows\system32\Hommhi32.exe
        551⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\Iefedcmk.exe
        
        C:\Windows\system32\Iefedcmk.exe
        552⤵
        System Location Discovery: System Language Discovery
        
        PID:11856
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        553⤵
        System Location Discovery: System Language Discovery
        
        PID:11888
        
        C:\Windows\SysWOW64\Icjengld.exe
        
        C:\Windows\system32\Icjengld.exe
        554⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        555⤵
        System Location Discovery: System Language Discovery
        
        PID:12340
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        556⤵
        Drops file in System32 directory
        
        PID:12368
        
        C:\Windows\SysWOW64\Iapbodql.exe
        
        C:\Windows\system32\Iapbodql.exe
        557⤵
        System Location Discovery: System Language Discovery
        
        PID:12396
        
        C:\Windows\SysWOW64\Ihjjln32.exe
        
        C:\Windows\system32\Ihjjln32.exe
        558⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\Iocchhof.exe
        
        C:\Windows\system32\Iocchhof.exe
        559⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\Iabodcnj.exe
        
        C:\Windows\system32\Iabodcnj.exe
        560⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\Ilgcblnp.exe
        
        C:\Windows\system32\Ilgcblnp.exe
        561⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\Iofpnhmc.exe
        
        C:\Windows\system32\Iofpnhmc.exe
        562⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        563⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\Iljpgl32.exe
        
        C:\Windows\system32\Iljpgl32.exe
        564⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12592
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        565⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\Jhqqlmba.exe
        
        C:\Windows\system32\Jhqqlmba.exe
        566⤵
        System Location Discovery: System Language Discovery
        
        PID:12652
        
        C:\Windows\SysWOW64\Jkomhhae.exe
        
        C:\Windows\system32\Jkomhhae.exe
        567⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\Jfdafa32.exe
        
        C:\Windows\system32\Jfdafa32.exe
        568⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12708
        
        C:\Windows\SysWOW64\Jjpmfpid.exe
        
        C:\Windows\system32\Jjpmfpid.exe
        569⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        570⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\Jfgnka32.exe
        
        C:\Windows\system32\Jfgnka32.exe
        571⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\Jlafhkfe.exe
        
        C:\Windows\system32\Jlafhkfe.exe
        572⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\Jcknee32.exe
        
        C:\Windows\system32\Jcknee32.exe
        573⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12852
        
        C:\Windows\SysWOW64\Jhhgmlli.exe
        
        C:\Windows\system32\Jhhgmlli.exe
        574⤵
        System Location Discovery: System Language Discovery
        
        PID:12880
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        575⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\Jbpkfa32.exe
        
        C:\Windows\system32\Jbpkfa32.exe
        576⤵
        Drops file in System32 directory
        
        PID:12936
        
        C:\Windows\SysWOW64\Jmepcj32.exe
        
        C:\Windows\system32\Jmepcj32.exe
        577⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\Kcphpdil.exe
        
        C:\Windows\system32\Kcphpdil.exe
        578⤵
        Drops file in System32 directory
        
        PID:12992
        
        C:\Windows\SysWOW64\Kjipmoai.exe
        
        C:\Windows\system32\Kjipmoai.exe
        579⤵
        
        PID:13020
        
        C:\Windows\SysWOW64\Kmhlijpm.exe
        
        C:\Windows\system32\Kmhlijpm.exe
        580⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\Kfpqap32.exe
        
        C:\Windows\system32\Kfpqap32.exe
        581⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:13076
        
        C:\Windows\SysWOW64\Kiomnk32.exe
        
        C:\Windows\system32\Kiomnk32.exe
        582⤵
        System Location Discovery: System Language Discovery
        
        PID:13104
        
        C:\Windows\SysWOW64\Koiejemn.exe
        
        C:\Windows\system32\Koiejemn.exe
        583⤵
        Drops file in System32 directory
        
        PID:13132
        
        C:\Windows\SysWOW64\Kjnihnmd.exe
        
        C:\Windows\system32\Kjnihnmd.exe
        584⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        585⤵
        Drops file in System32 directory
        
        PID:13188
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        586⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\Kicfijal.exe
        
        C:\Windows\system32\Kicfijal.exe
        587⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:13244
        
        C:\Windows\SysWOW64\Komoed32.exe
        
        C:\Windows\system32\Komoed32.exe
        588⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:13272
        
        C:\Windows\SysWOW64\Kfggbope.exe
        
        C:\Windows\system32\Kfggbope.exe
        589⤵
        Modifies registry class
        
        PID:13300
        
        C:\Windows\SysWOW64\Kifcnjpi.exe
        
        C:\Windows\system32\Kifcnjpi.exe
        590⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Kkdoje32.exe
        
        C:\Windows\system32\Kkdoje32.exe
        591⤵
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Lfjchn32.exe
        
        C:\Windows\system32\Lfjchn32.exe
        592⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        593⤵
        
        PID:12476
        
        C:\Windows\SysWOW64\Lbqdmodg.exe
        
        C:\Windows\system32\Lbqdmodg.exe
        594⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Lpdefc32.exe
        
        C:\Windows\system32\Lpdefc32.exe
        595⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Lfnmcnjn.exe
        
        C:\Windows\system32\Lfnmcnjn.exe
        596⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Limioiia.exe
        
        C:\Windows\system32\Limioiia.exe
        597⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12616
        
        C:\Windows\SysWOW64\Lbenho32.exe
        
        C:\Windows\system32\Lbenho32.exe
        598⤵
        
        PID:12644
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        599⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\Lpinac32.exe
        
        C:\Windows\system32\Lpinac32.exe
        600⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\Lfcfnm32.exe
        
        C:\Windows\system32\Lfcfnm32.exe
        601⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        602⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Mpkkgbmi.exe
        
        C:\Windows\system32\Mpkkgbmi.exe
        603⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Mfeccm32.exe
        
        C:\Windows\system32\Mfeccm32.exe
        604⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\Mmokpglb.exe
        
        C:\Windows\system32\Mmokpglb.exe
        605⤵
        Drops file in System32 directory
        
        PID:12932
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        606⤵
        System Location Discovery: System Language Discovery
        
        PID:12972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12972 -s 456
        607⤵
        Program crash
        
        PID:13084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 12972 -ip 12972
1⤵
PID:3032

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0JFRDE5ODAtQTU0Ni00MkY4LTkxOTAtMDBCNDFGM0JCM0IzfSIgdXNlcmlkPSJ7OUE0RTM5NTktNzEzOC00NTBDLUE3NzItNTdDNzFBNUM1REI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzRCOEJFQkEtMEUwRi00Q0NGLUJFODMtMkFCNjdCNjAzNkJFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTUwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5ODYzMjgwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTYxNDI5MzQ3NSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:13212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
404KB

MD5
74d2461e4d384b9f222a6a1ff6344542

SHA1
ce5dfe1ac328897e07620feb42d9e534711f32cf

SHA256
7616badfea2b2c0a08d6b245455c79fcd34957b31d7bd77b595e22d10d3e2f8f

SHA512
bdb955ea3ea1d308b3aa3d79f52dda28191c3700e29687557eb097df83919930f304e91c05dbbba145ec17c0d38290d5d98535fb1bae7d8b2f6d559270e3d005

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
404KB

MD5
fd8b609aa7564ee025e35ade3f887487

SHA1
812810a8facd29ff860a48ab520fb9c6bc84180f

SHA256
730147bc371b77c23d33e4caf506347774fe41d752ea0f7c50e0f86f6113cc1f

SHA512
7b43c9685f31bf3c73af0ba4e166808b5bcbd3b36e0063ee0a1c98401ede387b5225b901bb911cd101e334f8919eb3026ada664b288ab93d2e7c6abe9a942d44

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
404KB

MD5
08f3a334eb4c4fe3413bf87c683d925b

SHA1
367a64c26d15367325e9b4d64ad2b5ddc16760f6

SHA256
ae1f8414254fccf1f79f30bf6f296f91ae4e42bc16a31b87cd705b2b7c848ec0

SHA512
47933a9c531a7171f44349f342952f47dc7b5963f24ede38598c594369718df2cb960ddcbaf91ae009c8123dd4660864b4fa6e930c34dcb638428e904357f439

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
404KB

MD5
73b0689c572ca27efd22ccb3afb4ba0e

SHA1
0aadd9980c5ec6ca231ab87744eccc43b412506b

SHA256
9f889ed7f982eb60b89a4aa9fdd303ff8e179615d82d8e1a2d8e38c504fa2ae9

SHA512
8bb72f4107f51ebeef7c1a504f6d01a5fd9b312ba522600a65f735c29c3dc1933614d92ba9c827850abf08e3406e5aa9561f45a8eb0466896d68d8140de2584d

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
404KB

MD5
e2732ceefca0cbb6ce573ebadae7d9fb

SHA1
6a87d5fd4b3f6367ca40c516314c3efd3408434d

SHA256
c4f4319bac7ed199e266a365011b2194714c3e2244846dc74e5f15662ad6bf2b

SHA512
507a147990697b0ad956f5a54fe183dc5afdc5d69cbcb29a5e12a410b13142817155b3ecbe7e6a0e4aaaab33ea0237c01949bad090cbeaffbd4176e133af1a6c

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
404KB

MD5
4f8089df3980cd0eedfd8c0dfd4db50b

SHA1
b03f492b17a1bbba55f4b5e071f43770a897e9f1

SHA256
cc237d069feee3c8d712a28c0bcfb54d36bc142ca83e8c55512f82a89e42ea09

SHA512
9023d4b7c48f27af486b093e8a561ab2a729e280b28813cc8bc64b382a3dd001e2acdd6de9a10a2bdebebddfc9aecfbc284b14d307b7a61cd12bdc62ccf801bf

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
404KB

MD5
1bce783b31a5d2860dca29593cb06cf1

SHA1
47488e1c9bd10d8495e0310995dd28ea9b8a847b

SHA256
5534aabcc83bfbf40c9e42d0d7ed75edfbf460d354cb95a6576b8e37ee0c9879

SHA512
465403010ed96f57f3477845d90e708cff0d9b8a1f18a4de778dc3b0e9a5873e983f832d9130457a14a07ca2f344d0d9376d22e47a9e0ae73ae940a0e3028705

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
404KB

MD5
89647c097577a8c4273ad78df5403b30

SHA1
6dba2d37ff46709068b1c7a984fc76721e7870bb

SHA256
54e6372456aae5fd00be3030fc9a3869c381b2a6fa1514dba0a9b9428ad29fcf

SHA512
9a223254995dd3ca86f1e87eed7612826c248c089e29310bb7c6960e902f706bac03be14d5ec5d77784f8c8be0085d933c8372351ea4aa839dffeeb892c67f89

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
404KB

MD5
a015328b22abfb54d7ec23aa6cc24406

SHA1
ba90e45baf369c57cc031fff3a1a2bfa20930eda

SHA256
120508ec95783a00bf80822986ae0e9441b76be36c58e9614ec68ddc2810254c

SHA512
9ae5b6ab5f6ad0316202dbc1dcc1a4aa84b12ce9e532808c91ebda51c43a66a63262a0384919529922f008b31fc836106c6d2d6e88c7b299463810034d2681ef

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
404KB

MD5
c76fedacbfb0ee5ba0e0bba79a9169b4

SHA1
2484f3869e40eea53f860e6697780ec2fa1182ab

SHA256
0e1c299abd08704153218eed07dc7faa4be819e2c721297aadc8ac523701c080

SHA512
f4e8c8b6eb18f1a2c16fc112dcf98d77934500019431aa5c03a9059e178df919b511af5c5052571d4dbd8f6a9ac617bbb677486a544b99a195915d0d664a6824

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
404KB

MD5
0cd96fa16d497c6a2e1cd08ae41beb81

SHA1
f42c000ee40023d5e65195bea786a620ab59ca08

SHA256
e801fba53ea0dd767e390ff3d21d52ab627d4e9fe3601b38ca2a1dffd3e544d8

SHA512
d1021c88b336028fd287fcce6c6de66987bd876c56ce54913674852b60eecfeaec7bdb9a1c32476af9f3335790078d0306f26a24c9bbbe2b712e22c3fd852b99

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
404KB

MD5
ceba7545217db3a8cc4e7b3601c85c68

SHA1
a873c0c0c7aae2ce6f15c466d3db33337abdcac1

SHA256
0daba4779e13e40efa723752504872210eac5d89d7aef718c81837eb9f68cf75

SHA512
d3453b358eb7a2630f5dacee842d95072017f56e999a1299dd22d33c2036e5b4155cb437785b53cd4f8f24bd0898de8e9cdb8297a0b59e17df9a2aee20f29a02

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
404KB

MD5
9d063866ba54cad91477b53672fce58b

SHA1
1831b16b2a2ca777eaf26aa018346bdf2ec63e16

SHA256
e75377227e390010e377bc6d530053e01e920af1b73a033b7245044a6622f2f7

SHA512
2c192ebdeaffd0191da1b7aa9f0aff3c3624b1ff657567763a5a5526d8be4fe7c0cfc7e6c95dc6daeb50ad2ffdddf5e75e130cd166f967ebe7f9fce14b16e4d1

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
404KB

MD5
38f9fa9d40b0d4d994166fe6de1501a6

SHA1
da96399b0054e16d210e1eba7a6e3eeac45272eb

SHA256
9f557a6b0344ca70dce85ce31d9bc67505eb9919ffbeab3060b906b2b0f6e8c3

SHA512
d855b9aac1db18efb5cd88e48116d942cabcabb86ab6919b08556f605c307bbe7af6a5a562f6e9573cd8c4e213ec8fb6aef7bea1bb7db040d10e6369f7437768

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
404KB

MD5
4f69654a2a08eb95815e19a74adcecc6

SHA1
d877e7553d710392a28f37b4e5914b4d6728d92a

SHA256
55bcc1e385e70f85b446a0bcfbd9b4cf14c1c6a5c1c4c139b9ea9a5ba46ad970

SHA512
18030420f3a907cb4829c337354fb69f25e72556e59f5e297a5ed3bcb2c8259018e9ffd3515b77129977632a907055b4c9343cc6212453f072221811bdbbaeb3

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
404KB

MD5
fff5848bbbcac056e23b27599d9fb2bd

SHA1
cd49f84876feef3aa9261c89f0e0681b00c2521e

SHA256
2b1391b1e821c86525c4d7989cae288903aea598e15377b73b97b96d591d746a

SHA512
40c4d54873710522470f6842fafa33913ac2e81380add93b041490ab550d9ad9b118341725a80cf7c83767d1df01ed190a0310691bee56148423b552a391bb87

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
404KB

MD5
60e189e6b587b6f4cc102e0c2beb5150

SHA1
b0917a3d898347df3c0fb4483fd86d5816bf2c20

SHA256
47ce6785cfce06bf8d497743de22320fcd31e32b54924e3cb58fdd39c7eb57c1

SHA512
f7745f694c312015cd0921d187b3f665d35121305fc7dd03b13b0c48a4954557f84b63eae67f8ce88aa288e628cd16594b5d1d2ef786eb66e323438d0c6083dc

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
404KB

MD5
53f8f13cc1d5deb3ff41d58fdccb5562

SHA1
4ee500dba512b837a837b3454a65fe791bcdf14e

SHA256
c846c15a50be348b6dc9b6df47e933d22f6ec2d434c6a7f65f9e4f4d7f4b0dfd

SHA512
c7cad8715060b158f015f569923db42dde272346d387177a5b5fb57f8d7b1d0a99538b65a27838003d8102583fb4357d6961abe4c9e82bc795b80c43c42eac0d

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
404KB

MD5
0874b6681eb4a42c8b3fb1f25b945858

SHA1
0ca25ebe300cc448fba359709ecdb994ab96362c

SHA256
1c23be4b20e51f233aa2fc7840f75be1f56238d9a8e6ef05255e421f2c5ce793

SHA512
801865ad077377532472c4557a3d547527539aa7731d6f4e467ebd5292a2ca93f981b11acf55a922eb06d5472694f44ce912fde7513a495acbb4d57e65342e3b

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
404KB

MD5
d89dff49576dde49486a8eb2edeb1046

SHA1
11459e83cf304e179b0bbf79af1750646ed98f36

SHA256
8d3a6071877e518c8502beeaf73f082f0be115de34481b09de72ce03ca3b9f16

SHA512
a25628175c0a6d3bc81a6bb28f3cb9d7401a512f17f2f6ca3e1e5c24177ac36e6164af9f8129b4f16d519abcc2a305d0fe4c9ed40d9654d7cbb6c2c46823657e

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
404KB

MD5
7f45f0501ab00fe041468a0a49c0d68b

SHA1
9967ce663d54089c3f2289d110246d00f5b62f95

SHA256
ca9e91cc9b8276e088847c4244a05002fa18f4788699d3575a7f1583aae01e5d

SHA512
44be42314196a02f6dacbe385f494faf12f7ca46ef3725ced2f31188dc9d3d2215fa2bd4758d8a22e1cac27db992bc654e918ae63ba32dc6d623da73493b85c2

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
404KB

MD5
6e190e6e559b99e872b364608157fed3

SHA1
4e9ce6dd43bfc027e2b4a38bff0611bdf98de4af

SHA256
702b64d58ada7eb06398a640beaafc7353276995349c1455546b770b5c3ed640

SHA512
4f52b06ef80ce90fdec6169ffff16068353b396b396d3767262b51cdcfe8c9e972f82c599860f588039e4112eff0d3ca810e95d19a60be020361c2a15da3c19c

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
404KB

MD5
49a22352d20304dcb16bc1db9f461cf1

SHA1
68c220a56f7590fc126cd88dbde3f50e546900fa

SHA256
c3be511807aa6d75ce7317af9720f530cdbcb583508217b8e11665eec7253ecc

SHA512
cf0892a6ff27997760b4fc6da286b7ab865ac41582c50cda5d4dd7f27bb8bd6a076c2e28e7bfe55f951908809f5862ae330ba436b215771ded8a9bf5e708731d

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
404KB

MD5
febb664e7e269ff5af510a7fcebcc6c7

SHA1
d3bdecf77228c45cca19f06c185aadd40ead3790

SHA256
04f401c6a4397b1fde5ba8e9659acb346613ae8858b502bf736e3d598d026b07

SHA512
d5a5d3ac68ef4b79202a4733a699a5bdab86f2d4ae98c219f64dd6f1f4fa854c3a5f5f422154ea90aed315151205edf7a5564f40ed7786e7db2f553a3a516817

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
404KB

MD5
e832d836ff3f211bf6c39d75615c961f

SHA1
fb5b37d60746f30ef5b7e0914f1b8f50b63f4080

SHA256
c37884f433c706f364ef17d47fb14e8eeae0b37a1061910b8e8dbf90677bda09

SHA512
c61336776081260489369f31198e20089df9ed5ab0882f349aece76420a95be99abffd73c558352b97dddbfc036e9dba54b1cf42d8c2122d6b2a13aa51ba2501

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
404KB

MD5
374ae16b7fdfd4d14d69c76b07986605

SHA1
d10c6681fe9fda29bc5c027c99cac52df64efdab

SHA256
ce96dd1447b6e1ce5a0a6487dbf33f510c9bc38715c27b6927f41c4d4aa238b4

SHA512
ad4f8f0bf3bb910cba08b1204d7dcd21817549543902c3fbb1e989bb06a9a00e58419d4eeba96b5480f8a8629cf6c7381ca59edb4e916f0989a3579e5b2d122d

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
404KB

MD5
82bc70e0b7c4dc7d240f78b6f3d4c6da

SHA1
4fb6ec2620aef646944b11dfa126f1b9bc53ccd6

SHA256
9e3c75c2bfdf4c42f13e8d47f1bd9d6dc3844a938a2a6850e56a1ab5bb98519e

SHA512
b1c364b48549267d7e3e26394f5e4ab6badd995798a1c904d17513419c3e5de3ec66a5c67ffb4fa2953c040374e8dbf390d20b964a2542975b611ec7cc06ec39

Download Submit
C:\Windows\SysWOW64\Lhmafcnf.exe

Filesize
404KB

MD5
96bb642153d10091688ddc84de3ffc20

SHA1
843581a74899206bc8f551f9430da9f916010e9a

SHA256
9ffa91df43c982f16e688fa427ea97a0412f785eeeb0b248f2ba4340b36d3a7a

SHA512
63ba9270ecb1e0f9230a9bddd9efcb1fc5c83c42f7215a16fe2111b883a302af0343822026868bbbc44fcb2b1c8d88238db9bb33eeca22b0581b33a897e16fbe

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
404KB

MD5
58f7267215966e658f04105fd0d4418b

SHA1
f272d3e1837d345d76fa729fd3dd6ef5d014bf29

SHA256
0acad38b4a9a9ce2b082a7252e7d8302cbc4baceb3db1b84904342b501cbc478

SHA512
fbb73d810c4c1e469658143eb70ed4b35fc28f45d6fcdb07454e355f9789dd2c60224c0e73f481dd328985b7d7ac393462ba7eefaffe828fd2a90169b9d73148

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
404KB

MD5
5753c79f579e941c8bdb13e4333af39b

SHA1
cfa719acd48f90876e9f9380d2f2ed6f8724c976

SHA256
994a514e448c65a30947fc5e742c3a024c7bbaa69ad44485470027454a52ae7e

SHA512
6a4141d2829734136d0e9ac161281b5c956ff96c3c27b2b2478c9f6978b4a1306672d654e6cd4aecbbae3a0ffff812837924453ca557b3504ee706208888de5f

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
404KB

MD5
1339713da05e80d9cc75a38336586a69

SHA1
a8872b056fe6ef2a07cb084df94dab8fc6435070

SHA256
7cdec7ba8a29305f895bd4ada57f8977ca3f19d4555c15d2678256802d6d8872

SHA512
ac7523441e6db5b817c8e00697e1176610f79401c6cd56904ca2ddac9549235a25c813b330daa86bd81a156d5ca9d343a81495d6ac908d95cbbed698e2d87d90

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
404KB

MD5
67893a81c4ba8f3a37dd7743c79d8c01

SHA1
e04404fbcd76e1b4d4017f3a96e2663e04918ae6

SHA256
b78cb141664bb729a34d49fc77ae5f4d3fb91aebecebae1208237dc40b0987a7

SHA512
b1eeb2d3cbd78df61c455258ab9e7399b0f624c33f5b85615cada8bca0b8f93e911d9ec95475fc9cebe2e866772e7816e7d6ffe45c972f2258ea28c2b88cd666

Download Submit
C:\Windows\SysWOW64\Oapijm32.dll

Filesize
7KB

MD5
81f8be696d1af402443cdebd63697479

SHA1
e89a5b9496db60253c429c987e34ef5e3823ca61

SHA256
0b4d561c7921a634fa1539b1e69af48103d37d53632db05569ece950fcf2e546

SHA512
6307912482b8a0aaf435d26e62e6eb5f3af2016e45114314d9a12c9edae3f94ce5570621fe986df6b1fe453a240dc6eb648efc26e7e9896ec35c961b742563b4

Download Submit
memory/328-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5512-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5512-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5636-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5684-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5684-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5696-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5696-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5820-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5820-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5836-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5836-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6016-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6016-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6036-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6036-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6060-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6060-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6064-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6128-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6128-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads