berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
114s
max time network
166s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/054c96f764aef24cbdccec3be12e2350.exe
Size

257KB
MD5

054c96f764aef24cbdccec3be12e2350
SHA1

b9ef88aa7d8c48329e101f5562035bfc94128365
SHA256

f649ce3fcab3a71c0b6a2e8d583357a0174d9656020a3be0ceee4e8f010dc098
SHA512

2be4fea9781a7d201e124a2cf315b3ac89a6f473709043b0c277df8e1d3bea5230fad46414b96abbc04d5af21dff95868b9ef581b9151ec3b4db28e9d3941afb
SSDEEP

3072:SD8upQxYGLKJnRyfQzJIonOGq+NRwoutkTy27zh5cl:iTWK9RuSJhDwoSkTl7zjK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngnppfgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhgccijm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfaqcclf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gammbfqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iofpnhmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegkpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaihonhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljoiibbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gojgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikjcmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmheph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnanioad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icminm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgnlmdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eikpan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmmkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjdfgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiobbgcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnbdjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfgefg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlcmgqdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlpbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgamo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfokff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dalkek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liofdigo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iajdgcab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eegqldqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mklpof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nahdapae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdjha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdlflki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggbmafnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghddp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcaie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncanhaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4604	Cpmapodj.exe
3968	Cammjakm.exe
3500	Coqncejg.exe
1752	Cncnob32.exe
1188	Chkobkod.exe
1580	Cpfcfmlp.exe
2520	Cogddd32.exe
3048	Dddllkbf.exe
1476	Dnmaea32.exe
3156	Dgeenfog.exe
4836	Dnonkq32.exe
3932	Dggbcf32.exe
3348	Damfao32.exe
2636	Dkekjdck.exe
1472	Edplhjhi.exe
1968	Eohmkb32.exe
4488	Ebifmm32.exe
2196	Eiekog32.exe
3688	Fnbcgn32.exe
4936	Fgjhpcmo.exe
1248	Fijdjfdb.exe
3496	Fbbicl32.exe
3160	Fkjmlaac.exe
4444	Finnef32.exe
32	Fnkfmm32.exe
2148	Fgcjfbed.exe
3540	Gegkpf32.exe
4776	Ganldgib.exe
2764	Gkdpbpih.exe
3816	Ggkqgaol.exe
4824	Geoapenf.exe
4596	Gbbajjlp.exe
3912	Hpfbcn32.exe
1700	Hiacacpg.exe
2728	Halhfe32.exe
452	Ihkjno32.exe
1980	Ipbaol32.exe
1220	Ibqnkh32.exe
976	Ilibdmgp.exe
2656	Ibcjqgnm.exe
1744	Ieagmcmq.exe
2640	Ihpcinld.exe
4744	Ibegfglj.exe
628	Ilnlom32.exe
4816	Iajdgcab.exe
1772	Ihdldn32.exe
1012	Kbhmbdle.exe
1860	Kakmna32.exe
2748	Kcjjhdjb.exe
2400	Keifdpif.exe
872	Koajmepf.exe
4208	Kifojnol.exe
1716	Kcoccc32.exe
792	Kiikpnmj.exe
1712	Kpccmhdg.exe
460	Lhnhajba.exe
1260	Lohqnd32.exe
5088	Lebijnak.exe
2860	Lhqefjpo.exe
4292	Lpgmhg32.exe
4832	Llnnmhfe.exe
4000	Lpjjmg32.exe
2036	Legben32.exe
1204	Lhenai32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajaelc32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Hcljmj32.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Aocmio32.exe	Abpmpkoh.exe
File opened for modification	C:\Windows\SysWOW64\Ileflmpb.exe	Ieknpb32.exe
File created	C:\Windows\SysWOW64\Gcfcio32.dll	Kppbejka.exe
File opened for modification	C:\Windows\SysWOW64\Eiobbgcl.exe	Ejnbdp32.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Aalmimfd.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmeh32.exe	Cnkilbni.exe
File opened for modification	C:\Windows\SysWOW64\Ilqmam32.exe	Hakidd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijiopd32.exe	Icogcjde.exe
File opened for modification	C:\Windows\SysWOW64\Dehnpp32.exe	Dbjade32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Lhenai32.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Eqfnqg32.dll	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Jepplk32.dll	Hqimlihn.exe
File created	C:\Windows\SysWOW64\Afpbkicl.exe	Akjnnpcf.exe
File opened for modification	C:\Windows\SysWOW64\Gaffbg32.exe	Gogjflhf.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Flaiho32.exe	Eegqldqg.exe
File created	C:\Windows\SysWOW64\Ofigcd32.dll	Iqdfmajd.exe
File created	C:\Windows\SysWOW64\Eeclnmik.dll	Lohqnd32.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Bggknnmj.dll	Okcogc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkbkbfo.exe	Jkajnh32.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bpjmph32.exe
File opened for modification	C:\Windows\SysWOW64\Hbknebqi.exe	Hnpaec32.exe
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Icfmci32.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Efopjbjg.exe	Elilmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ophjdehd.exe	Okkalnjm.exe
File created	C:\Windows\SysWOW64\Ndhqmknd.dll	Cihjeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nhafcd32.exe	Nmlafk32.exe
File opened for modification	C:\Windows\SysWOW64\Qbajeg32.exe	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Fekclnif.exe	Fpnkdfko.exe
File created	C:\Windows\SysWOW64\Pgbkgmao.exe	Pnjgog32.exe
File created	C:\Windows\SysWOW64\Deejpjgc.exe	Dnkbcp32.exe
File created	C:\Windows\SysWOW64\Lbhppocd.dll	Mpkkgbmi.exe
File opened for modification	C:\Windows\SysWOW64\Cfcoblfb.exe	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Bekleggo.dll	Lmqiec32.exe
File opened for modification	C:\Windows\SysWOW64\Cnebmgjj.exe	Cihjeq32.exe
File created	C:\Windows\SysWOW64\Cempebgi.dll	Lmfodn32.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jnedgq32.exe
File opened for modification	C:\Windows\SysWOW64\Jakchf32.exe	Jffokn32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjog32.exe	Nhdicjfp.exe
File created	C:\Windows\SysWOW64\Mihjhq32.dll	Ejnbdp32.exe
File created	C:\Windows\SysWOW64\Aobmce32.dll	Fbbicl32.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Mociol32.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Dngnaa32.dll	Fibfbm32.exe
File opened for modification	C:\Windows\SysWOW64\Ggdbmoho.exe	Gpjjpe32.exe
File created	C:\Windows\SysWOW64\Iabbeiag.dll	Ljhchc32.exe
File opened for modification	C:\Windows\SysWOW64\Ghbkdald.exe	Gojgkl32.exe
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Defheg32.exe
File created	C:\Windows\SysWOW64\Pgihanii.exe	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Mhiabbdi.exe	Mclhjkfa.exe
File opened for modification	C:\Windows\SysWOW64\Kfhnme32.exe	Kpnepk32.exe
File opened for modification	C:\Windows\SysWOW64\Qkqdnkge.exe	Pnlcdg32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Fljedg32.exe	Fepmgm32.exe
File created	C:\Windows\SysWOW64\Mpqklh32.exe	Mfhgcbfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6260	7320	WerFault.exe	921

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egknji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mginniij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmebpbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgcjea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkqdnkge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkilbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnkfmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhdnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnefieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkjfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aklciimh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjdfgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fepmgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgodjiio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlcmgqdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqdmghnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogqmee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnkbcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faopah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcjqgnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcgjhega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnbfgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggdbmoho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihndgmdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janpnfee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoladdeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnjgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akgjnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ganldgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noppeaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emioab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdffah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naokbokn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhghge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hofmaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgldl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgmhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmeqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmahojj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkalnjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpfbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defajqko.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dijgjpip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll"	Npcaie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanpok32.dll"	Aohfdnil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjhjae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gklnem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eippgckc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiebk32.dll"	Gckjlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akjnnpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkhdmeh.dll"	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhpheo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Didqkeeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoaho32.dll"	Fjjcmbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmbkfjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Halhfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihceigec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhbmnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcqjal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbedde32.dll"	Noqofdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnolif32.dll"	Eppobi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekleggo.dll"	Lmqiec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hofmaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmobii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kppbejka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Janpnfee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcnkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eaqdpjia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhhenhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbggp32.dll"	Dojlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmodffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojahakp.dll"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dpjompqc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4604	1340	054c96f764aef24cbdccec3be12e2350.exe	86
PID 1340 wrote to memory of 4604	1340	054c96f764aef24cbdccec3be12e2350.exe	86
PID 1340 wrote to memory of 4604	1340	054c96f764aef24cbdccec3be12e2350.exe	86
PID 4604 wrote to memory of 3968	4604	Cpmapodj.exe	87
PID 4604 wrote to memory of 3968	4604	Cpmapodj.exe	87
PID 4604 wrote to memory of 3968	4604	Cpmapodj.exe	87
PID 3968 wrote to memory of 3500	3968	Cammjakm.exe	88
PID 3968 wrote to memory of 3500	3968	Cammjakm.exe	88
PID 3968 wrote to memory of 3500	3968	Cammjakm.exe	88
PID 3500 wrote to memory of 1752	3500	Coqncejg.exe	89
PID 3500 wrote to memory of 1752	3500	Coqncejg.exe	89
PID 3500 wrote to memory of 1752	3500	Coqncejg.exe	89
PID 1752 wrote to memory of 1188	1752	Cncnob32.exe	90
PID 1752 wrote to memory of 1188	1752	Cncnob32.exe	90
PID 1752 wrote to memory of 1188	1752	Cncnob32.exe	90
PID 1188 wrote to memory of 1580	1188	Chkobkod.exe	91
PID 1188 wrote to memory of 1580	1188	Chkobkod.exe	91
PID 1188 wrote to memory of 1580	1188	Chkobkod.exe	91
PID 1580 wrote to memory of 2520	1580	Cpfcfmlp.exe	92
PID 1580 wrote to memory of 2520	1580	Cpfcfmlp.exe	92
PID 1580 wrote to memory of 2520	1580	Cpfcfmlp.exe	92
PID 2520 wrote to memory of 3048	2520	Cogddd32.exe	93
PID 2520 wrote to memory of 3048	2520	Cogddd32.exe	93
PID 2520 wrote to memory of 3048	2520	Cogddd32.exe	93
PID 3048 wrote to memory of 1476	3048	Dddllkbf.exe	94
PID 3048 wrote to memory of 1476	3048	Dddllkbf.exe	94
PID 3048 wrote to memory of 1476	3048	Dddllkbf.exe	94
PID 1476 wrote to memory of 3156	1476	Dnmaea32.exe	95
PID 1476 wrote to memory of 3156	1476	Dnmaea32.exe	95
PID 1476 wrote to memory of 3156	1476	Dnmaea32.exe	95
PID 3156 wrote to memory of 4836	3156	Dgeenfog.exe	96
PID 3156 wrote to memory of 4836	3156	Dgeenfog.exe	96
PID 3156 wrote to memory of 4836	3156	Dgeenfog.exe	96
PID 4836 wrote to memory of 3932	4836	Dnonkq32.exe	97
PID 4836 wrote to memory of 3932	4836	Dnonkq32.exe	97
PID 4836 wrote to memory of 3932	4836	Dnonkq32.exe	97
PID 3932 wrote to memory of 3348	3932	Dggbcf32.exe	98
PID 3932 wrote to memory of 3348	3932	Dggbcf32.exe	98
PID 3932 wrote to memory of 3348	3932	Dggbcf32.exe	98
PID 3348 wrote to memory of 2636	3348	Damfao32.exe	99
PID 3348 wrote to memory of 2636	3348	Damfao32.exe	99
PID 3348 wrote to memory of 2636	3348	Damfao32.exe	99
PID 2636 wrote to memory of 1472	2636	Dkekjdck.exe	100
PID 2636 wrote to memory of 1472	2636	Dkekjdck.exe	100
PID 2636 wrote to memory of 1472	2636	Dkekjdck.exe	100
PID 1472 wrote to memory of 1968	1472	Edplhjhi.exe	101
PID 1472 wrote to memory of 1968	1472	Edplhjhi.exe	101
PID 1472 wrote to memory of 1968	1472	Edplhjhi.exe	101
PID 1968 wrote to memory of 4488	1968	Eohmkb32.exe	102
PID 1968 wrote to memory of 4488	1968	Eohmkb32.exe	102
PID 1968 wrote to memory of 4488	1968	Eohmkb32.exe	102
PID 4488 wrote to memory of 2196	4488	Ebifmm32.exe	103
PID 4488 wrote to memory of 2196	4488	Ebifmm32.exe	103
PID 4488 wrote to memory of 2196	4488	Ebifmm32.exe	103
PID 2196 wrote to memory of 3688	2196	Eiekog32.exe	104
PID 2196 wrote to memory of 3688	2196	Eiekog32.exe	104
PID 2196 wrote to memory of 3688	2196	Eiekog32.exe	104
PID 3688 wrote to memory of 4936	3688	Fnbcgn32.exe	105
PID 3688 wrote to memory of 4936	3688	Fnbcgn32.exe	105
PID 3688 wrote to memory of 4936	3688	Fnbcgn32.exe	105
PID 4936 wrote to memory of 1248	4936	Fgjhpcmo.exe	106
PID 4936 wrote to memory of 1248	4936	Fgjhpcmo.exe	106
PID 4936 wrote to memory of 1248	4936	Fgjhpcmo.exe	106
PID 1248 wrote to memory of 3496	1248	Fijdjfdb.exe	107

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\054c96f764aef24cbdccec3be12e2350.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\054c96f764aef24cbdccec3be12e2350.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\Cpmapodj.exe
  C:\Windows\system32\Cpmapodj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\Cammjakm.exe
    C:\Windows\system32\Cammjakm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Coqncejg.exe
      C:\Windows\system32\Coqncejg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        24⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        25⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        27⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        30⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        31⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        32⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        33⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        35⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        37⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        39⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        40⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        43⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        44⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        45⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        47⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        49⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        50⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        54⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        55⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        56⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        59⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        60⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        62⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        63⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        65⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        66⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        67⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        68⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        69⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        70⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        71⤵
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        72⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        73⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        74⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        75⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        76⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        80⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        81⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        82⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        83⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        84⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        85⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:220
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        87⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        88⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        89⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        90⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        91⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        92⤵
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        93⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        96⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        99⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        100⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        101⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        102⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        103⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        104⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        105⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        106⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        107⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        108⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        109⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        110⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        111⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        112⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        113⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        114⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        115⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        116⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        117⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        118⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        120⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        121⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        122⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        123⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        124⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        125⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        126⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        127⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        128⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        129⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        130⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        132⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        134⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        135⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        136⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        137⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        138⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        139⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        140⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        142⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        143⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        144⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        145⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        146⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        147⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        148⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        149⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        150⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        151⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        152⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        153⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        155⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        156⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        157⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        158⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        159⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        160⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        161⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        162⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        164⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        165⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        166⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        167⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        168⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        169⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        171⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        172⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        173⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        174⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        175⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        176⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        178⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        179⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        183⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        184⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        185⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        186⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        188⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        189⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        190⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        191⤵
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        192⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        193⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        194⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        195⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        196⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        197⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        198⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        199⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        200⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        201⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        202⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        203⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        205⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        206⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        207⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        208⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        209⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        210⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        211⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        212⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7236
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        214⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        215⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        216⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        217⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        218⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        219⤵
        Modifies registry class
        
        PID:7452
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        220⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        221⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        222⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        223⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:7636
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        225⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        226⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        228⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        229⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        230⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7852
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        231⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        232⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        233⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        234⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        235⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        236⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        237⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        238⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        239⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        240⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        241⤵
        Drops file in System32 directory
        
        PID:7248
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7316
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        243⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        244⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        245⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        246⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        247⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        248⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        249⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        250⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        251⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        252⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        253⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        254⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8168
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        256⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        257⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        258⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7412
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        259⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        260⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        261⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7864
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        263⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        264⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7488
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        266⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        267⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        268⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        269⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        270⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        271⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        273⤵
        Modifies registry class
        
        PID:7944
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        274⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        275⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        276⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        277⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        278⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:7788
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        280⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        281⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        282⤵
        Drops file in System32 directory
        
        PID:8316
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        283⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        284⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        285⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        286⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        287⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        288⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        289⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        290⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        291⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        292⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        293⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        294⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        295⤵
        Drops file in System32 directory
        
        PID:8788
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        296⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8860
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8900
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        299⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        300⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        301⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        302⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        303⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        304⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:9148
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        306⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        307⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8272
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        309⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        310⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        311⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        312⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        313⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        314⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        315⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        316⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        317⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        318⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        319⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        320⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        321⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        322⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        323⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        324⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        325⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        326⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        327⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        328⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8548
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        329⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        330⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        331⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        332⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        333⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        334⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        335⤵
        Modifies registry class
        
        PID:8668
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        336⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        337⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        338⤵
        Modifies registry class
        
        PID:9068
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        339⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        340⤵
        Modifies registry class
        
        PID:8496
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        341⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:9200
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        343⤵
        Modifies registry class
        
        PID:8688
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        345⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        346⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9232
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        347⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        348⤵
        Modifies registry class
        
        PID:9308
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        349⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        350⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        351⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        352⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9464
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        353⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        354⤵
        Drops file in System32 directory
        
        PID:9540
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        355⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        356⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Didqkeeq.exe
        
        C:\Windows\system32\Didqkeeq.exe
        357⤵
        Modifies registry class
        
        PID:9652
        
        C:\Windows\SysWOW64\Dlcmgqdd.exe
        
        C:\Windows\system32\Dlcmgqdd.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9692
        
        C:\Windows\SysWOW64\Dcmedk32.exe
        
        C:\Windows\system32\Dcmedk32.exe
        359⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Egknji32.exe
        
        C:\Windows\system32\Egknji32.exe
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:9764
        
        C:\Windows\SysWOW64\Emeffcid.exe
        
        C:\Windows\system32\Emeffcid.exe
        361⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Egmjpi32.exe
        
        C:\Windows\system32\Egmjpi32.exe
        362⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Emgblc32.exe
        
        C:\Windows\system32\Emgblc32.exe
        363⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Eebgqe32.exe
        
        C:\Windows\system32\Eebgqe32.exe
        364⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Emioab32.exe
        
        C:\Windows\system32\Emioab32.exe
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:9956
        
        C:\Windows\SysWOW64\Egbdjhlp.exe
        
        C:\Windows\system32\Egbdjhlp.exe
        366⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        367⤵
        Modifies registry class
        
        PID:10028
        
        C:\Windows\SysWOW64\Ecidpiad.exe
        
        C:\Windows\system32\Ecidpiad.exe
        368⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Eegqldqg.exe
        
        C:\Windows\system32\Eegqldqg.exe
        369⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10108
        
        C:\Windows\SysWOW64\Flaiho32.exe
        
        C:\Windows\system32\Flaiho32.exe
        370⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Fckaeioa.exe
        
        C:\Windows\system32\Fckaeioa.exe
        371⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Flcfnn32.exe
        
        C:\Windows\system32\Flcfnn32.exe
        372⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Fgijkgeh.exe
        
        C:\Windows\system32\Fgijkgeh.exe
        373⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Feljgd32.exe
        
        C:\Windows\system32\Feljgd32.exe
        374⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Flfbcndo.exe
        
        C:\Windows\system32\Flfbcndo.exe
        375⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Fcpkph32.exe
        
        C:\Windows\system32\Fcpkph32.exe
        376⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Fjjcmbci.exe
        
        C:\Windows\system32\Fjjcmbci.exe
        377⤵
        Modifies registry class
        
        PID:9516
        
        C:\Windows\SysWOW64\Fgncff32.exe
        
        C:\Windows\system32\Fgncff32.exe
        378⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Fjlpbb32.exe
        
        C:\Windows\system32\Fjlpbb32.exe
        379⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9648
        
        C:\Windows\SysWOW64\Fpfholhc.exe
        
        C:\Windows\system32\Fpfholhc.exe
        380⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Fgpplf32.exe
        
        C:\Windows\system32\Fgpplf32.exe
        381⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Glmhdm32.exe
        
        C:\Windows\system32\Glmhdm32.exe
        382⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Gcgqag32.exe
        
        C:\Windows\system32\Gcgqag32.exe
        383⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Ggbmafnm.exe
        
        C:\Windows\system32\Ggbmafnm.exe
        384⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9972
        
        C:\Windows\SysWOW64\Gjqinamq.exe
        
        C:\Windows\system32\Gjqinamq.exe
        385⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Gloejmld.exe
        
        C:\Windows\system32\Gloejmld.exe
        386⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        387⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Ggdigekj.exe
        
        C:\Windows\system32\Ggdigekj.exe
        388⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Gqmnpk32.exe
        
        C:\Windows\system32\Gqmnpk32.exe
        389⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Gckjlf32.exe
        
        C:\Windows\system32\Gckjlf32.exe
        390⤵
        Modifies registry class
        
        PID:9408
        
        C:\Windows\SysWOW64\Gnanioad.exe
        
        C:\Windows\system32\Gnanioad.exe
        391⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9496
        
        C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        392⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Gjhonp32.exe
        
        C:\Windows\system32\Gjhonp32.exe
        393⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Gqagkjne.exe
        
        C:\Windows\system32\Gqagkjne.exe
        394⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Gcpcgfmi.exe
        
        C:\Windows\system32\Gcpcgfmi.exe
        395⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Hmhhpkcj.exe
        
        C:\Windows\system32\Hmhhpkcj.exe
        396⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Hqddqj32.exe
        
        C:\Windows\system32\Hqddqj32.exe
        397⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Hgnlmdcp.exe
        
        C:\Windows\system32\Hgnlmdcp.exe
        398⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9224
        
        C:\Windows\SysWOW64\Hnhdjn32.exe
        
        C:\Windows\system32\Hnhdjn32.exe
        399⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Hcembe32.exe
        
        C:\Windows\system32\Hcembe32.exe
        400⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Hgpibdam.exe
        
        C:\Windows\system32\Hgpibdam.exe
        401⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Hqimlihn.exe
        
        C:\Windows\system32\Hqimlihn.exe
        402⤵
        Drops file in System32 directory
        
        PID:9964
        
        C:\Windows\SysWOW64\Hcgjhega.exe
        
        C:\Windows\system32\Hcgjhega.exe
        403⤵
        System Location Discovery: System Language Discovery
        
        PID:10172
        
        C:\Windows\SysWOW64\Hmpnqj32.exe
        
        C:\Windows\system32\Hmpnqj32.exe
        404⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Hdffah32.exe
        
        C:\Windows\system32\Hdffah32.exe
        405⤵
        System Location Discovery: System Language Discovery
        
        PID:9756
        
        C:\Windows\SysWOW64\Hjcojo32.exe
        
        C:\Windows\system32\Hjcojo32.exe
        406⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Hmbkfjko.exe
        
        C:\Windows\system32\Hmbkfjko.exe
        407⤵
        Modifies registry class
        
        PID:9532
        
        C:\Windows\SysWOW64\Iggocbke.exe
        
        C:\Windows\system32\Iggocbke.exe
        408⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Ijfkpnji.exe
        
        C:\Windows\system32\Ijfkpnji.exe
        409⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\Icnphd32.exe
        
        C:\Windows\system32\Icnphd32.exe
        410⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\Ijhhenhf.exe
        
        C:\Windows\system32\Ijhhenhf.exe
        411⤵
        Modifies registry class
        
        PID:10296
        
        C:\Windows\SysWOW64\Icqmncof.exe
        
        C:\Windows\system32\Icqmncof.exe
        412⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Ijjekn32.exe
        
        C:\Windows\system32\Ijjekn32.exe
        413⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\Infqklol.exe
        
        C:\Windows\system32\Infqklol.exe
        414⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\Iqdmghnp.exe
        
        C:\Windows\system32\Iqdmghnp.exe
        415⤵
        System Location Discovery: System Language Discovery
        
        PID:10436
        
        C:\Windows\SysWOW64\Inhmqlmj.exe
        
        C:\Windows\system32\Inhmqlmj.exe
        416⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\Iqgjmg32.exe
        
        C:\Windows\system32\Iqgjmg32.exe
        417⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Ifcben32.exe
        
        C:\Windows\system32\Ifcben32.exe
        418⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\Inkjfk32.exe
        
        C:\Windows\system32\Inkjfk32.exe
        419⤵
        System Location Discovery: System Language Discovery
        
        PID:10588
        
        C:\Windows\SysWOW64\Iedbcebd.exe
        
        C:\Windows\system32\Iedbcebd.exe
        420⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Icgbob32.exe
        
        C:\Windows\system32\Icgbob32.exe
        421⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\Jffokn32.exe
        
        C:\Windows\system32\Jffokn32.exe
        422⤵
        Drops file in System32 directory
        
        PID:10696
        
        C:\Windows\SysWOW64\Jakchf32.exe
        
        C:\Windows\system32\Jakchf32.exe
        423⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Jgekdq32.exe
        
        C:\Windows\system32\Jgekdq32.exe
        424⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\Janpnfee.exe
        
        C:\Windows\system32\Janpnfee.exe
        425⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10804
        
        C:\Windows\SysWOW64\Jeilne32.exe
        
        C:\Windows\system32\Jeilne32.exe
        426⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Jnapgjdo.exe
        
        C:\Windows\system32\Jnapgjdo.exe
        427⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Japmcfcc.exe
        
        C:\Windows\system32\Japmcfcc.exe
        428⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\Jndmlj32.exe
        
        C:\Windows\system32\Jndmlj32.exe
        429⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        430⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\Jjknakhq.exe
        
        C:\Windows\system32\Jjknakhq.exe
        431⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        432⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Kccbjq32.exe
        
        C:\Windows\system32\Kccbjq32.exe
        433⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Kjmjgk32.exe
        
        C:\Windows\system32\Kjmjgk32.exe
        434⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        435⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Kjpgmj32.exe
        
        C:\Windows\system32\Kjpgmj32.exe
        436⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\Kmncif32.exe
        
        C:\Windows\system32\Kmncif32.exe
        437⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Khcgfo32.exe
        
        C:\Windows\system32\Khcgfo32.exe
        438⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Kjbdbjbi.exe
        
        C:\Windows\system32\Kjbdbjbi.exe
        439⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\Khfdlnab.exe
        
        C:\Windows\system32\Khfdlnab.exe
        440⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\Knpmhh32.exe
        
        C:\Windows\system32\Knpmhh32.exe
        441⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Kdmeqo32.exe
        
        C:\Windows\system32\Kdmeqo32.exe
        442⤵
        System Location Discovery: System Language Discovery
        
        PID:10524
        
        C:\Windows\SysWOW64\Kjfmminc.exe
        
        C:\Windows\system32\Kjfmminc.exe
        443⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\Ldoafodd.exe
        
        C:\Windows\system32\Ldoafodd.exe
        444⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Ljijci32.exe
        
        C:\Windows\system32\Ljijci32.exe
        445⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Lacbpccn.exe
        
        C:\Windows\system32\Lacbpccn.exe
        446⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Ldanloba.exe
        
        C:\Windows\system32\Ldanloba.exe
        447⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\Lmjcdd32.exe
        
        C:\Windows\system32\Lmjcdd32.exe
        448⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\Lhogamih.exe
        
        C:\Windows\system32\Lhogamih.exe
        449⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\Loiong32.exe
        
        C:\Windows\system32\Loiong32.exe
        450⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\Lechkaga.exe
        
        C:\Windows\system32\Lechkaga.exe
        451⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Lfddci32.exe
        
        C:\Windows\system32\Lfddci32.exe
        452⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Lajhpbme.exe
        
        C:\Windows\system32\Lajhpbme.exe
        453⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\Lfgahikm.exe
        
        C:\Windows\system32\Lfgahikm.exe
        454⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\Lmqiec32.exe
        
        C:\Windows\system32\Lmqiec32.exe
        455⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10448
        
        C:\Windows\SysWOW64\Mginniij.exe
        
        C:\Windows\system32\Mginniij.exe
        456⤵
        System Location Discovery: System Language Discovery
        
        PID:10596
        
        C:\Windows\SysWOW64\Mmcfkc32.exe
        
        C:\Windows\system32\Mmcfkc32.exe
        457⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        458⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Mmebpbod.exe
        
        C:\Windows\system32\Mmebpbod.exe
        459⤵
        System Location Discovery: System Language Discovery
        
        PID:10944
        
        C:\Windows\SysWOW64\Mdokmm32.exe
        
        C:\Windows\system32\Mdokmm32.exe
        460⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\Mgngih32.exe
        
        C:\Windows\system32\Mgngih32.exe
        461⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Mackfa32.exe
        
        C:\Windows\system32\Mackfa32.exe
        462⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\Mgpcohcb.exe
        
        C:\Windows\system32\Mgpcohcb.exe
        463⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Mklpof32.exe
        
        C:\Windows\system32\Mklpof32.exe
        464⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10728
        
        C:\Windows\SysWOW64\Meadlo32.exe
        
        C:\Windows\system32\Meadlo32.exe
        465⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Mdddhlbl.exe
        
        C:\Windows\system32\Mdddhlbl.exe
        466⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Moiheebb.exe
        
        C:\Windows\system32\Moiheebb.exe
        467⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Nahdapae.exe
        
        C:\Windows\system32\Nahdapae.exe
        468⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10744
        
        C:\Windows\SysWOW64\Necqbo32.exe
        
        C:\Windows\system32\Necqbo32.exe
        469⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        470⤵
        Modifies registry class
        
        PID:10688
        
        C:\Windows\SysWOW64\Nkpijfgf.exe
        
        C:\Windows\system32\Nkpijfgf.exe
        471⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Najagp32.exe
        
        C:\Windows\system32\Najagp32.exe
        472⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Nhdicjfp.exe
        
        C:\Windows\system32\Nhdicjfp.exe
        473⤵
        Drops file in System32 directory
        
        PID:11304
        
        C:\Windows\SysWOW64\Nggjog32.exe
        
        C:\Windows\system32\Nggjog32.exe
        474⤵
        Modifies registry class
        
        PID:11340
        
        C:\Windows\SysWOW64\Nnabladg.exe
        
        C:\Windows\system32\Nnabladg.exe
        475⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\Nehjmnei.exe
        
        C:\Windows\system32\Nehjmnei.exe
        476⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\Nhffijdm.exe
        
        C:\Windows\system32\Nhffijdm.exe
        477⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\Noqofdlj.exe
        
        C:\Windows\system32\Noqofdlj.exe
        478⤵
        Modifies registry class
        
        PID:11484
        
        C:\Windows\SysWOW64\Naokbokn.exe
        
        C:\Windows\system32\Naokbokn.exe
        479⤵
        System Location Discovery: System Language Discovery
        
        PID:11520
        
        C:\Windows\SysWOW64\Nglcjfie.exe
        
        C:\Windows\system32\Nglcjfie.exe
        480⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\Naaghoik.exe
        
        C:\Windows\system32\Naaghoik.exe
        481⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        482⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11628
        
        C:\Windows\SysWOW64\Nkjlqd32.exe
        
        C:\Windows\system32\Nkjlqd32.exe
        483⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\Oeopnmoa.exe
        
        C:\Windows\system32\Oeopnmoa.exe
        484⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Ogqmee32.exe
        
        C:\Windows\system32\Ogqmee32.exe
        485⤵
        System Location Discovery: System Language Discovery
        
        PID:11736
        
        C:\Windows\SysWOW64\Oafacn32.exe
        
        C:\Windows\system32\Oafacn32.exe
        486⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Oddmoj32.exe
        
        C:\Windows\system32\Oddmoj32.exe
        487⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\Okneldkf.exe
        
        C:\Windows\system32\Okneldkf.exe
        488⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\Onmahojj.exe
        
        C:\Windows\system32\Onmahojj.exe
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:11880
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        490⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        491⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\Oggbfdog.exe
        
        C:\Windows\system32\Oggbfdog.exe
        492⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\Okcogc32.exe
        
        C:\Windows\system32\Okcogc32.exe
        493⤵
        Drops file in System32 directory
        
        PID:12032
        
        C:\Windows\SysWOW64\Ofhcdlgg.exe
        
        C:\Windows\system32\Ofhcdlgg.exe
        494⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Poagma32.exe
        
        C:\Windows\system32\Poagma32.exe
        495⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Pbapom32.exe
        
        C:\Windows\system32\Pbapom32.exe
        496⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\Pdpmkhjl.exe
        
        C:\Windows\system32\Pdpmkhjl.exe
        497⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\Pgoigcip.exe
        
        C:\Windows\system32\Pgoigcip.exe
        498⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        499⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        500⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\Pbfjjlgc.exe
        
        C:\Windows\system32\Pbfjjlgc.exe
        501⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Pnmjomlg.exe
        
        C:\Windows\system32\Pnmjomlg.exe
        502⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\Qkakhakq.exe
        
        C:\Windows\system32\Qkakhakq.exe
        503⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\Qnpgdmjd.exe
        
        C:\Windows\system32\Qnpgdmjd.exe
        504⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\Qffoejkg.exe
        
        C:\Windows\system32\Qffoejkg.exe
        505⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\Qkchna32.exe
        
        C:\Windows\system32\Qkchna32.exe
        506⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\Qnbdjl32.exe
        
        C:\Windows\system32\Qnbdjl32.exe
        507⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11564
        
        C:\Windows\SysWOW64\Qhghge32.exe
        
        C:\Windows\system32\Qhghge32.exe
        508⤵
        System Location Discovery: System Language Discovery
        
        PID:11612
        
        C:\Windows\SysWOW64\Abpmpkoh.exe
        
        C:\Windows\system32\Abpmpkoh.exe
        509⤵
        Drops file in System32 directory
        
        PID:11656
        
        C:\Windows\SysWOW64\Aocmio32.exe
        
        C:\Windows\system32\Aocmio32.exe
        510⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\Afnefieo.exe
        
        C:\Windows\system32\Afnefieo.exe
        511⤵
        System Location Discovery: System Language Discovery
        
        PID:11764
        
        C:\Windows\SysWOW64\Akjnnpcf.exe
        
        C:\Windows\system32\Akjnnpcf.exe
        512⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11816
        
        C:\Windows\SysWOW64\Afpbkicl.exe
        
        C:\Windows\system32\Afpbkicl.exe
        513⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Aohfdnil.exe
        
        C:\Windows\system32\Aohfdnil.exe
        514⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        515⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\Agckiqgg.exe
        
        C:\Windows\system32\Agckiqgg.exe
        516⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Afdkfh32.exe
        
        C:\Windows\system32\Afdkfh32.exe
        517⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\Bgfhnpde.exe
        
        C:\Windows\system32\Bgfhnpde.exe
        518⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\Bbklli32.exe
        
        C:\Windows\system32\Bbklli32.exe
        519⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Bghddp32.exe
        
        C:\Windows\system32\Bghddp32.exe
        520⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12204
        
        C:\Windows\SysWOW64\Bnbmqjjo.exe
        
        C:\Windows\system32\Bnbmqjjo.exe
        521⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Belemd32.exe
        
        C:\Windows\system32\Belemd32.exe
        522⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\Bkfmjnii.exe
        
        C:\Windows\system32\Bkfmjnii.exe
        523⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\Bndjfjhl.exe
        
        C:\Windows\system32\Bndjfjhl.exe
        524⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\Bgmnooom.exe
        
        C:\Windows\system32\Bgmnooom.exe
        525⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\Bngfli32.exe
        
        C:\Windows\system32\Bngfli32.exe
        526⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Biljib32.exe
        
        C:\Windows\system32\Biljib32.exe
        527⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\Blkgen32.exe
        
        C:\Windows\system32\Blkgen32.exe
        528⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\Bbeobhlp.exe
        
        C:\Windows\system32\Bbeobhlp.exe
        529⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Ciogobcm.exe
        
        C:\Windows\system32\Ciogobcm.exe
        530⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\Clmckmcq.exe
        
        C:\Windows\system32\Clmckmcq.exe
        531⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\Ceehcc32.exe
        
        C:\Windows\system32\Ceehcc32.exe
        532⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        533⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\Cehdib32.exe
        
        C:\Windows\system32\Cehdib32.exe
        534⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        535⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Cnpibh32.exe
        
        C:\Windows\system32\Cnpibh32.exe
        536⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\Cifmoa32.exe
        
        C:\Windows\system32\Cifmoa32.exe
        537⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Cnbfgh32.exe
        
        C:\Windows\system32\Cnbfgh32.exe
        538⤵
        System Location Discovery: System Language Discovery
        
        PID:11744
        
        C:\Windows\SysWOW64\Cihjeq32.exe
        
        C:\Windows\system32\Cihjeq32.exe
        539⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        540⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Cfljnejl.exe
        
        C:\Windows\system32\Cfljnejl.exe
        541⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Dijgjpip.exe
        
        C:\Windows\system32\Dijgjpip.exe
        542⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        543⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Dfngcdhi.exe
        
        C:\Windows\system32\Dfngcdhi.exe
        544⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\Dojlhg32.exe
        
        C:\Windows\system32\Dojlhg32.exe
        545⤵
        Modifies registry class
        
        PID:12348
        
        C:\Windows\SysWOW64\Decdeama.exe
        
        C:\Windows\system32\Decdeama.exe
        546⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\Dolinf32.exe
        
        C:\Windows\system32\Dolinf32.exe
        547⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\Defajqko.exe
        
        C:\Windows\system32\Defajqko.exe
        548⤵
        System Location Discovery: System Language Discovery
        
        PID:12440
        
        C:\Windows\SysWOW64\Diamko32.exe
        
        C:\Windows\system32\Diamko32.exe
        549⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\Dbjade32.exe
        
        C:\Windows\system32\Dbjade32.exe
        550⤵
        Drops file in System32 directory
        
        PID:12504
        
        C:\Windows\SysWOW64\Dehnpp32.exe
        
        C:\Windows\system32\Dehnpp32.exe
        551⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\Dlbfmjqi.exe
        
        C:\Windows\system32\Dlbfmjqi.exe
        552⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\Efhjjcpo.exe
        
        C:\Windows\system32\Efhjjcpo.exe
        553⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        554⤵
        Modifies registry class
        
        PID:12724
        
        C:\Windows\SysWOW64\Eemgkpef.exe
        
        C:\Windows\system32\Eemgkpef.exe
        555⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        556⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Eikpan32.exe
        
        C:\Windows\system32\Eikpan32.exe
        557⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12816
        
        C:\Windows\SysWOW64\Elilmi32.exe
        
        C:\Windows\system32\Elilmi32.exe
        558⤵
        Drops file in System32 directory
        
        PID:12848
        
        C:\Windows\SysWOW64\Efopjbjg.exe
        
        C:\Windows\system32\Efopjbjg.exe
        559⤵
        
        PID:12876
        
        C:\Windows\SysWOW64\Ehpmbj32.exe
        
        C:\Windows\system32\Ehpmbj32.exe
        560⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        561⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\Ehbihj32.exe
        
        C:\Windows\system32\Ehbihj32.exe
        562⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\Eoladdeo.exe
        
        C:\Windows\system32\Eoladdeo.exe
        563⤵
        System Location Discovery: System Language Discovery
        
        PID:12996
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        564⤵
        System Location Discovery: System Language Discovery
        
        PID:13024
        
        C:\Windows\SysWOW64\Fibfbm32.exe
        
        C:\Windows\system32\Fibfbm32.exe
        565⤵
        Drops file in System32 directory
        
        PID:13056
        
        C:\Windows\SysWOW64\Foonjd32.exe
        
        C:\Windows\system32\Foonjd32.exe
        566⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\Feifgnki.exe
        
        C:\Windows\system32\Feifgnki.exe
        567⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\Fhgccijm.exe
        
        C:\Windows\system32\Fhgccijm.exe
        568⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13144
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        569⤵
        Drops file in System32 directory
        
        PID:13172
        
        C:\Windows\SysWOW64\Fekclnif.exe
        
        C:\Windows\system32\Fekclnif.exe
        570⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        571⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Fochecog.exe
        
        C:\Windows\system32\Fochecog.exe
        572⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\Fcodfa32.exe
        
        C:\Windows\system32\Fcodfa32.exe
        573⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\Fofdkcmd.exe
        
        C:\Windows\system32\Fofdkcmd.exe
        574⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\Fepmgm32.exe
        
        C:\Windows\system32\Fepmgm32.exe
        575⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:12500
        
        C:\Windows\SysWOW64\Fljedg32.exe
        
        C:\Windows\system32\Fljedg32.exe
        576⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\Gccmaack.exe
        
        C:\Windows\system32\Gccmaack.exe
        577⤵
        
        PID:12584
        
        C:\Windows\SysWOW64\Ghqeihbb.exe
        
        C:\Windows\system32\Ghqeihbb.exe
        578⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Gcfjfqah.exe
        
        C:\Windows\system32\Gcfjfqah.exe
        579⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\Gedfblql.exe
        
        C:\Windows\system32\Gedfblql.exe
        580⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\Gpjjpe32.exe
        
        C:\Windows\system32\Gpjjpe32.exe
        581⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        582⤵
        System Location Discovery: System Language Discovery
        
        PID:11660
        
        C:\Windows\SysWOW64\Gheodg32.exe
        
        C:\Windows\system32\Gheodg32.exe
        583⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\Glqkefff.exe
        
        C:\Windows\system32\Glqkefff.exe
        584⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\Geipnl32.exe
        
        C:\Windows\system32\Geipnl32.exe
        585⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\Goadfa32.exe
        
        C:\Windows\system32\Goadfa32.exe
        586⤵
        
        PID:12868
        
        C:\Windows\SysWOW64\Gjghdj32.exe
        
        C:\Windows\system32\Gjghdj32.exe
        587⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\Hodqlq32.exe
        
        C:\Windows\system32\Hodqlq32.exe
        588⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Hhleefhe.exe
        
        C:\Windows\system32\Hhleefhe.exe
        589⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Hofmaq32.exe
        
        C:\Windows\system32\Hofmaq32.exe
        590⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Hgmebnpd.exe
        
        C:\Windows\system32\Hgmebnpd.exe
        591⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        592⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Hpejlc32.exe
        
        C:\Windows\system32\Hpejlc32.exe
        593⤵
        
        PID:12308
        
        C:\Windows\SysWOW64\Hgpbhmna.exe
        
        C:\Windows\system32\Hgpbhmna.exe
        594⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Hllkqdli.exe
        
        C:\Windows\system32\Hllkqdli.exe
        595⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Hokgmpkl.exe
        
        C:\Windows\system32\Hokgmpkl.exe
        596⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Hqjcgbbo.exe
        
        C:\Windows\system32\Hqjcgbbo.exe
        597⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Hfgloiqf.exe
        
        C:\Windows\system32\Hfgloiqf.exe
        598⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\Iqmplbpl.exe
        
        C:\Windows\system32\Iqmplbpl.exe
        599⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\Igghilhi.exe
        
        C:\Windows\system32\Igghilhi.exe
        600⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\Ihheqd32.exe
        
        C:\Windows\system32\Ihheqd32.exe
        601⤵
        
        PID:236
        
        C:\Windows\SysWOW64\Icminm32.exe
        
        C:\Windows\system32\Icminm32.exe
        602⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12736
        
        C:\Windows\SysWOW64\Ihjafd32.exe
        
        C:\Windows\system32\Ihjafd32.exe
        603⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Iqaiga32.exe
        
        C:\Windows\system32\Iqaiga32.exe
        604⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Ijjnpg32.exe
        
        C:\Windows\system32\Ijjnpg32.exe
        605⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Iqdfmajd.exe
        
        C:\Windows\system32\Iqdfmajd.exe
        606⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ignnjk32.exe
        
        C:\Windows\system32\Ignnjk32.exe
        607⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Iiokacgp.exe
        
        C:\Windows\system32\Iiokacgp.exe
        608⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ifckkhfi.exe
        
        C:\Windows\system32\Ifckkhfi.exe
        609⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Iiaggc32.exe
        
        C:\Windows\system32\Iiaggc32.exe
        610⤵
        
        PID:13164
        
        C:\Windows\SysWOW64\Jcgldl32.exe
        
        C:\Windows\system32\Jcgldl32.exe
        611⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Jmopmalc.exe
        
        C:\Windows\system32\Jmopmalc.exe
        612⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Jcihjl32.exe
        
        C:\Windows\system32\Jcihjl32.exe
        613⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Jfgefg32.exe
        
        C:\Windows\system32\Jfgefg32.exe
        614⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1664
        
        C:\Windows\SysWOW64\Jmamba32.exe
        
        C:\Windows\system32\Jmamba32.exe
        615⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\Jggapj32.exe
        
        C:\Windows\system32\Jggapj32.exe
        616⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Jmdjha32.exe
        
        C:\Windows\system32\Jmdjha32.exe
        617⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3424
        
        C:\Windows\SysWOW64\Jobfdl32.exe
        
        C:\Windows\system32\Jobfdl32.exe
        618⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Jjhjae32.exe
        
        C:\Windows\system32\Jjhjae32.exe
        619⤵
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Jqbbno32.exe
        
        C:\Windows\system32\Jqbbno32.exe
        620⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\Jfokff32.exe
        
        C:\Windows\system32\Jfokff32.exe
        621⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1332
        
        C:\Windows\SysWOW64\Kmhccpci.exe
        
        C:\Windows\system32\Kmhccpci.exe
        622⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Kgngqico.exe
        
        C:\Windows\system32\Kgngqico.exe
        623⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Kiodha32.exe
        
        C:\Windows\system32\Kiodha32.exe
        624⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Kpilekqj.exe
        
        C:\Windows\system32\Kpilekqj.exe
        625⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Kfcdaehf.exe
        
        C:\Windows\system32\Kfcdaehf.exe
        626⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Kiaqnagj.exe
        
        C:\Windows\system32\Kiaqnagj.exe
        627⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\Kaihonhl.exe
        
        C:\Windows\system32\Kaihonhl.exe
        628⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13288
        
        C:\Windows\SysWOW64\Kjamhd32.exe
        
        C:\Windows\system32\Kjamhd32.exe
        629⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Kpnepk32.exe
        
        C:\Windows\system32\Kpnepk32.exe
        630⤵
        Drops file in System32 directory
        
        PID:12328
        
        C:\Windows\SysWOW64\Kfhnme32.exe
        
        C:\Windows\system32\Kfhnme32.exe
        631⤵
        
        PID:12576
        
        C:\Windows\SysWOW64\Kifjip32.exe
        
        C:\Windows\system32\Kifjip32.exe
        632⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Kppbejka.exe
        
        C:\Windows\system32\Kppbejka.exe
        633⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        634⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Lcnkli32.exe
        
        C:\Windows\system32\Lcnkli32.exe
        635⤵
        Modifies registry class
        
        PID:13168
        
        C:\Windows\SysWOW64\Ljhchc32.exe
        
        C:\Windows\system32\Ljhchc32.exe
        636⤵
        Drops file in System32 directory
        
        PID:12376
        
        C:\Windows\SysWOW64\Lmfodn32.exe
        
        C:\Windows\system32\Lmfodn32.exe
        637⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Lglcag32.exe
        
        C:\Windows\system32\Lglcag32.exe
        638⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Limpiomm.exe
        
        C:\Windows\system32\Limpiomm.exe
        639⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Lfaqcclf.exe
        
        C:\Windows\system32\Lfaqcclf.exe
        640⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1088
        
        C:\Windows\SysWOW64\Lagepl32.exe
        
        C:\Windows\system32\Lagepl32.exe
        641⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        642⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Ljoiibbm.exe
        
        C:\Windows\system32\Ljoiibbm.exe
        643⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3708
        
        C:\Windows\SysWOW64\Laiafl32.exe
        
        C:\Windows\system32\Laiafl32.exe
        644⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Lhcjbfag.exe
        
        C:\Windows\system32\Lhcjbfag.exe
        645⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Mjafoapj.exe
        
        C:\Windows\system32\Mjafoapj.exe
        646⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Mdjjgggk.exe
        
        C:\Windows\system32\Mdjjgggk.exe
        647⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Mfhgcbfo.exe
        
        C:\Windows\system32\Mfhgcbfo.exe
        648⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Mpqklh32.exe
        
        C:\Windows\system32\Mpqklh32.exe
        649⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Mmdlflki.exe
        
        C:\Windows\system32\Mmdlflki.exe
        650⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3880
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        651⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Mabdlk32.exe
        
        C:\Windows\system32\Mabdlk32.exe
        652⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        653⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Nfaijand.exe
        
        C:\Windows\system32\Nfaijand.exe
        654⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        655⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        656⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        657⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        658⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Nhcbidcd.exe
        
        C:\Windows\system32\Nhcbidcd.exe
        659⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Nmpkakak.exe
        
        C:\Windows\system32\Nmpkakak.exe
        660⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        661⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        662⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Nandhi32.exe
        
        C:\Windows\system32\Nandhi32.exe
        663⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        664⤵
        
        PID:792
        
        C:\Windows\SysWOW64\Npcaie32.exe
        
        C:\Windows\system32\Npcaie32.exe
        665⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        666⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        667⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        668⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        669⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        670⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        671⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Odfcjc32.exe
        
        C:\Windows\system32\Odfcjc32.exe
        672⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        673⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        674⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        675⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Pgihanii.exe
        
        C:\Windows\system32\Pgihanii.exe
        676⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Pncanhaf.exe
        
        C:\Windows\system32\Pncanhaf.exe
        677⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4500
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        678⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Paaidf32.exe
        
        C:\Windows\system32\Paaidf32.exe
        679⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        680⤵
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        681⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        682⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Pgpobmca.exe
        
        C:\Windows\system32\Pgpobmca.exe
        683⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        684⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        685⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        686⤵
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        687⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        688⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        689⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Qnamofdf.exe
        
        C:\Windows\system32\Qnamofdf.exe
        690⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        691⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        692⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        693⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Akgjnj32.exe
        
        C:\Windows\system32\Akgjnj32.exe
        694⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Anffje32.exe
        
        C:\Windows\system32\Anffje32.exe
        695⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Adpogp32.exe
        
        C:\Windows\system32\Adpogp32.exe
        696⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        697⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        698⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Adbkmo32.exe
        
        C:\Windows\system32\Adbkmo32.exe
        699⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        700⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        701⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        702⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        703⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        704⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        705⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        706⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        707⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Bhgjcmfi.exe
        
        C:\Windows\system32\Bhgjcmfi.exe
        708⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Bkefphem.exe
        
        C:\Windows\system32\Bkefphem.exe
        709⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        710⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Biigildg.exe
        
        C:\Windows\system32\Biigildg.exe
        711⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        712⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        713⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        714⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        715⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        716⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        717⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        718⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        719⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        720⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cghgpgqd.exe
        
        C:\Windows\system32\Cghgpgqd.exe
        721⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        722⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        723⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dendok32.exe
        
        C:\Windows\system32\Dendok32.exe
        724⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        725⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        726⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        727⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        728⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        729⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        730⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        731⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        732⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        733⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        734⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1516
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        735⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        736⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        737⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Eaqdpjia.exe
        
        C:\Windows\system32\Eaqdpjia.exe
        738⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ehklmd32.exe
        
        C:\Windows\system32\Ehklmd32.exe
        739⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ebpqjmpd.exe
        
        C:\Windows\system32\Ebpqjmpd.exe
        740⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        741⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Ejkenpnp.exe
        
        C:\Windows\system32\Ejkenpnp.exe
        742⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ebbmpmnb.exe
        
        C:\Windows\system32\Ebbmpmnb.exe
        743⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ehofhdli.exe
        
        C:\Windows\system32\Ehofhdli.exe
        744⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Ejnbdp32.exe
        
        C:\Windows\system32\Ejnbdp32.exe
        745⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Eiobbgcl.exe
        
        C:\Windows\system32\Eiobbgcl.exe
        746⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Flmonbbp.exe
        
        C:\Windows\system32\Flmonbbp.exe
        747⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Fbggkl32.exe
        
        C:\Windows\system32\Fbggkl32.exe
        748⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Fhdocc32.exe
        
        C:\Windows\system32\Fhdocc32.exe
        749⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Fkbkoo32.exe
        
        C:\Windows\system32\Fkbkoo32.exe
        750⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Falcli32.exe
        
        C:\Windows\system32\Falcli32.exe
        751⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Faopah32.exe
        
        C:\Windows\system32\Faopah32.exe
        752⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Fifhbf32.exe
        
        C:\Windows\system32\Fifhbf32.exe
        753⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Focakm32.exe
        
        C:\Windows\system32\Focakm32.exe
        754⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Femigg32.exe
        
        C:\Windows\system32\Femigg32.exe
        755⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Flgadake.exe
        
        C:\Windows\system32\Flgadake.exe
        756⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Foenplji.exe
        
        C:\Windows\system32\Foenplji.exe
        757⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gikbneio.exe
        
        C:\Windows\system32\Gikbneio.exe
        758⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Gklnem32.exe
        
        C:\Windows\system32\Gklnem32.exe
        759⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Gogjflhf.exe
        
        C:\Windows\system32\Gogjflhf.exe
        760⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Gaffbg32.exe
        
        C:\Windows\system32\Gaffbg32.exe
        761⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Gojgkl32.exe
        
        C:\Windows\system32\Gojgkl32.exe
        762⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Ghbkdald.exe
        
        C:\Windows\system32\Ghbkdald.exe
        763⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Golcak32.exe
        
        C:\Windows\system32\Golcak32.exe
        764⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        765⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Gooqfkan.exe
        
        C:\Windows\system32\Gooqfkan.exe
        766⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Gammbfqa.exe
        
        C:\Windows\system32\Gammbfqa.exe
        767⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        768⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        769⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Gclimi32.exe
        
        C:\Windows\system32\Gclimi32.exe
        770⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Hhiaepfl.exe
        
        C:\Windows\system32\Hhiaepfl.exe
        771⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Haafnf32.exe
        
        C:\Windows\system32\Haafnf32.exe
        772⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Hkjjfkcm.exe
        
        C:\Windows\system32\Hkjjfkcm.exe
        773⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        774⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Hhnkppbf.exe
        
        C:\Windows\system32\Hhnkppbf.exe
        775⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Hklglk32.exe
        
        C:\Windows\system32\Hklglk32.exe
        776⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Hccomh32.exe
        
        C:\Windows\system32\Hccomh32.exe
        777⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Hhpheo32.exe
        
        C:\Windows\system32\Hhpheo32.exe
        778⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        779⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Hkaqgjme.exe
        
        C:\Windows\system32\Hkaqgjme.exe
        780⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Hakidd32.exe
        
        C:\Windows\system32\Hakidd32.exe
        781⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        782⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Iooimi32.exe
        
        C:\Windows\system32\Iooimi32.exe
        783⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        784⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Ioafchai.exe
        
        C:\Windows\system32\Ioafchai.exe
        785⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        786⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Ileflmpb.exe
        
        C:\Windows\system32\Ileflmpb.exe
        787⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Iocchhof.exe
        
        C:\Windows\system32\Iocchhof.exe
        788⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ijigfaol.exe
        
        C:\Windows\system32\Ijigfaol.exe
        789⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Ikjcmi32.exe
        
        C:\Windows\system32\Ikjcmi32.exe
        790⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Iofpnhmc.exe
        
        C:\Windows\system32\Iofpnhmc.exe
        791⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Iadljc32.exe
        
        C:\Windows\system32\Iadljc32.exe
        792⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ihndgmdd.exe
        
        C:\Windows\system32\Ihndgmdd.exe
        793⤵
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Ikmpcicg.exe
        
        C:\Windows\system32\Ikmpcicg.exe
        794⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Jjnqap32.exe
        
        C:\Windows\system32\Jjnqap32.exe
        795⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Jbieebha.exe
        
        C:\Windows\system32\Jbieebha.exe
        796⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Jkajnh32.exe
        
        C:\Windows\system32\Jkajnh32.exe
        797⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Jbkbkbfo.exe
        
        C:\Windows\system32\Jbkbkbfo.exe
        798⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Jcknee32.exe
        
        C:\Windows\system32\Jcknee32.exe
        799⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Jjefao32.exe
        
        C:\Windows\system32\Jjefao32.exe
        800⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        801⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Jhjcbljf.exe
        
        C:\Windows\system32\Jhjcbljf.exe
        802⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Jkhpogij.exe
        
        C:\Windows\system32\Jkhpogij.exe
        803⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kcphpdil.exe
        
        C:\Windows\system32\Kcphpdil.exe
        804⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Kilphk32.exe
        
        C:\Windows\system32\Kilphk32.exe
        805⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Kofheeoq.exe
        
        C:\Windows\system32\Kofheeoq.exe
        806⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Kfpqap32.exe
        
        C:\Windows\system32\Kfpqap32.exe
        807⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Kmjinjnj.exe
        
        C:\Windows\system32\Kmjinjnj.exe
        808⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Koiejemn.exe
        
        C:\Windows\system32\Koiejemn.exe
        809⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        810⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Kmobii32.exe
        
        C:\Windows\system32\Kmobii32.exe
        811⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Komoed32.exe
        
        C:\Windows\system32\Komoed32.exe
        812⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Kmaooihb.exe
        
        C:\Windows\system32\Kmaooihb.exe
        813⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Lopkkdgf.exe
        
        C:\Windows\system32\Lopkkdgf.exe
        814⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        815⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Lobhqdec.exe
        
        C:\Windows\system32\Lobhqdec.exe
        816⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lflpmn32.exe
        
        C:\Windows\system32\Lflpmn32.exe
        817⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Lmfhjhdm.exe
        
        C:\Windows\system32\Lmfhjhdm.exe
        818⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        819⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Lmheph32.exe
        
        C:\Windows\system32\Lmheph32.exe
        820⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Lcbmlbig.exe
        
        C:\Windows\system32\Lcbmlbig.exe
        821⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        822⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7524
        
        C:\Windows\SysWOW64\Llmbqdfb.exe
        
        C:\Windows\system32\Llmbqdfb.exe
        823⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Lfcfnm32.exe
        
        C:\Windows\system32\Lfcfnm32.exe
        824⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Liabjh32.exe
        
        C:\Windows\system32\Liabjh32.exe
        825⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Mpkkgbmi.exe
        
        C:\Windows\system32\Mpkkgbmi.exe
        826⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Mfeccm32.exe
        
        C:\Windows\system32\Mfeccm32.exe
        827⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Midoph32.exe
        
        C:\Windows\system32\Midoph32.exe
        828⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mlbllc32.exe
        
        C:\Windows\system32\Mlbllc32.exe
        829⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        830⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 452
        831⤵
        Program crash
        
        PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7320 -ip 7320
1⤵
PID:7352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cammjakm.exe

Filesize
257KB

MD5
3f76c95c28fd24d78c6d8ba401825043

SHA1
8a9d1d4923eaa8345956c54e3011f534ef0977ba

SHA256
a5dbb220a64503457825ada2dbe579d24a088d887ed54883e26d281556fc0634

SHA512
fcceadff055f4c1cc7267c9da5b5ac335bc98de9f49636c0631619e8886ae94dcd369f3459b0e270818f47a2b3d9abfb5d7654342249cf4320da53879206841f

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
257KB

MD5
4bd2bf1d2a9abd2c6a597a83f37be300

SHA1
8db048b619d4b7db406ecf627643d258d70dbec7

SHA256
1297f4ddae4b02829272a42799ab3368529c37be8cecbd17a1cba14a6254650b

SHA512
01c3248459a51b910adbac45004836b20f490b2c0460ccd2bbf213badd947a0990f58070a2bd6df8fab9443cb66bf261b312792d57b1ca4626889be4ca36a735

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
257KB

MD5
f3afda9c291082a4ddbcdc05fa0e1bfe

SHA1
4a8a43a14ddad6a2d8aaeef73e7810c8e1e55d00

SHA256
d69577045a27e84c5030bc225e9bf02599531ad8a975a656d1d908ed010c2493

SHA512
802525e5030c21a1541c086acba88b7bf0541708bad02d1da2b5cb771c3be8082632be7755f20382b3548a0554328bf5cd2fb08137e2ccbc8835eab2116e9c95

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
257KB

MD5
d4050c7c923313b3b43a8b8fa420e9b2

SHA1
1563d73b895b1f4c66678337ffd55346f5c4871e

SHA256
e238aa504bdb96895eef60f30e5657ce23376a09175c314c38306fe8fcd5d175

SHA512
10d54a12028ab98b85f7b0c0b9a1ffefd9684b19723a9d5be9cd1681d648259ccea0cb7cc527ffced4ad6b4ba857b6a46738980221c906edda3e78e88649d821

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
257KB

MD5
0d9efae44b3781ec06a11a3c7c4bdd6b

SHA1
3598e8881ed75efa12b6a97c1e0be5175375b00a

SHA256
da3a8efd74dc946427843f71ec1a091e95b8c9fa937befe1403d845ccbe403ce

SHA512
d0bc5b0380d4e6657149be5b315f11f86ca25438262a3478de3c3dfc523edc8e0515da248b976e143fd88d562ca7fd691008c49a0b5a0dda3bd7d613ff3e8c7d

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
257KB

MD5
5a55010c94447921ea30852a36188c34

SHA1
226d949906d84115c6b9278a1a710b5444669b8f

SHA256
f3e6d58127e53e25423f54c602121f70c4c277bed6ef8a843f1af8675822cd3b

SHA512
ae1654d486036b49ba73998176fc3e4b422bad6aef6ba975cf179414520620fc2f51385d6214ee3bf3decf30876cbc87b175cf36f3dcccfd0ea9d8359112ecdd

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
257KB

MD5
da6390efa2fcbf5c4df9e23db8d65b8b

SHA1
1f06c8cdd30781981478ce23e857fb35a6f3bf60

SHA256
6f3cbdefb7c557dea52277911408e9b16ad7b38e26210e66ab8874754f7ca8ec

SHA512
ce9193dbd180bd5660b6f91a343e1dd3d786cd825b1d4d0ac530c9422f87aba9aab933fce9afb7a701bc5b86defb279d9b35c1c814f60e67fb0e9a5cf4a1d887

Download Submit
C:\Windows\SysWOW64\Damfao32.exe

Filesize
257KB

MD5
dd090026cd01a7b4dc9d58742fa17fa7

SHA1
e013eff20c247e1389364389d49b2c07a4843d37

SHA256
391db22ee5a7b722947a9399b1deed035ed0f7ba65db107c6d31b30e018fef4a

SHA512
394f1e4fb18ffb896e80fafc8b672152f1b8c46fed5ef31040e1f3c8bbe812f40cf627785f4cebb124ffce4d0fd405b824776ab807af7dc525cb11a6e1204150

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
257KB

MD5
14498eb85a93c0fbce71e60ebed797be

SHA1
8b08bb1682565bca5a3fa9b025d4d91206a9cefb

SHA256
c3811eb744bcb88da1869952e13342fa64f63ae2687131b51c7bafdfd00a9505

SHA512
644f06aa348d2017877048d2d6f0df40ecef6fc830d3de39b153cacf1b782fd1580d29f91656edb16f9e0c06b264c89bf2477a3fd65aed6e862cddaeb8e1c2b5

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
257KB

MD5
1450688125280acdc1c2269abe202c65

SHA1
542fcb88a39d0fb1c10ffc369ce9f7c417422a4f

SHA256
e23d46f1cb1e471097493e57be5eec9e9dea9efcb7fcc3235e7a228622f8c015

SHA512
e3c722c8d10d26354130e7a1cd2937613dc2ea7e7ecf0bb1ede23edf6577b53e868b6113b07957a11da6b552af3577c0a5856c701d330947699034235306c1d7

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
257KB

MD5
b4cdeaa9c9189271b3c97f4d0788486a

SHA1
3adf51555612b4f97e991676879a7b10b1d8307e

SHA256
dbd3e81fe5e55ecd2de62c0081d892b773215926d5de166ca17abf3559e23dfa

SHA512
4671e0f671e9999ba3717ca5aeb0240c59edfc53ed6264faa60cb81b238ca53d12d55ec5e0a9ad835f0ca42de3b54fdb45bf1bd8b353c06f7636b97cee1dc857

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
257KB

MD5
3a3db7815d606ff47f2833075426565a

SHA1
f35108d967a452c2972ed2116bed25e631e1b374

SHA256
956d11cef04dbb284e0c34e242a3d124ada222257fe94b94eadf0a06aeec91ea

SHA512
8a697d6dceaa5f2a9b8bad5ca36e40a6f9053244da0f9170fe54be3ed46b4b416e41ed64dfe678a3f0f64c94c100a5975091632cb8deedf5774a73da3895bc8a

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
257KB

MD5
44efc2c370a43ec06a7cbdb3c97dda4d

SHA1
a17e97fbab1ac310766acced60c9cfaeb1990d99

SHA256
71a9f308d3dfe5b0ac9b9b80cf25ea08ca008eb723e6760b8aff1ddd3386d93c

SHA512
5f884ee925b960ece5ecab35c6b983a3a78eb72d648cba09e5a75026fa7a0b56525c54ef52009b4fb06efdeb1a75b5a2b453321044be0a6974a5674484110aae

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
257KB

MD5
fc53c6296ff6e16b8b8420faaac799f6

SHA1
280411a836e78a640f76417c7051214b0be19aee

SHA256
bb4dad89ad1a38beddc0d5e7e1cb2b5e342575684cfa6e5143fe05c3607bb74e

SHA512
7ee0315097748b63b00de2bb77e84b98ec02d04ad2aa68ffd4caddfd3546e00ace3f02266309dc7050faf90e3dda44192a04365512c1c84ca7768551b1949ce0

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
257KB

MD5
3dc2971f673b4798eaca2f7bd8dddbfe

SHA1
b119dfe556ff86221dd616e102a775d3c98b107c

SHA256
66864e6ae689a2b0d9892d471d2109a1278771558387dc95f684fec2062f677b

SHA512
6bc144e7762faec44f9f1e1e93357fe0dd518e2ff1196377d801b590f45fd30d188a334eed5e8fe559a8f949b282494a66fd7a37dca0478a0b83bd0e2d417542

Download Submit
C:\Windows\SysWOW64\Edplhjhi.exe

Filesize
257KB

MD5
62a02e917d2b95293596b1aba4f22082

SHA1
02297b9720a9fe0c6638f3ff108fd12eed9bb5de

SHA256
ac243a29dbece0fcd41908a6373d952cc2cb957619ab4cbc072c01f96a00bc12

SHA512
61b5d26906e57543babe2aca77736296f2ca10f3b0d919a416ab2e452134c02c5cf1ac92bb5ec70e5d964ce226c54ca74acd59a1dc5f91038344586e50eb622d

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
257KB

MD5
2709c8b8939d954c8b80f2a35db25f00

SHA1
31b6abef3c0bc6110e0e042fea220bb3f7409a74

SHA256
4242e60f63eebcc7beab5bb1c3ae9091d8c2d7b0a2687c95980852b8d9a49ac2

SHA512
67e1a416a18541b5743864807ea814a93369271442d033f7bdb285b0d34a61fbf36bec5d797e84c529bd5f7cf889fb38b17c1884903050b6cc73a0197da0e634

Download Submit
C:\Windows\SysWOW64\Eohmkb32.exe

Filesize
257KB

MD5
071e979a437c0dc8a34383bd70c0ca29

SHA1
37c5665ab65f0a59ba6322f69474d1a771977569

SHA256
d699b6e468d910e87dff5166946cb771360ea53ef0291681470799fb28835e0a

SHA512
37f1eeaae1c162e17fb99dfd19decb1c443cb326e224b43449f9a62c9e459ede66f5f3dcfdd448a0ec74cf266c07e878beda458ed858364ee1cea5f921d806af

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
257KB

MD5
e8ef4c315b0bddcde58c5abdfe9eb09a

SHA1
92947acafd30374016c06a27abde4e9f131f0bfa

SHA256
6b422367bccba4c8007456c2363fd42ca79943a216087fc98ed42b7be34b7b33

SHA512
4459919fa2ed7e9970a9f8f7c85beb55fa1534261b0d4a534937c931e71a6ccf80f248d27be60223e5cf4c7f62fc340ff134ca5c0d2c1b05c5c4f13d925f32bb

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe

Filesize
257KB

MD5
14f2e82cda2a860247907eb714565814

SHA1
21fc8bf5d2798302e86688aa53ed1d6824be5825

SHA256
7ccec6928170d68af021b4e8821a7eccb95215c6bb6f405691487087dcbc0a3a

SHA512
4be6a29b65195751c096e7f63b865b23dbf1f96785f1ec853abfd41e630f00bb8ed41b79872136912676ee0150d6bda7ece12092bd8b869dd3d9ce15ba63bed1

Download Submit
C:\Windows\SysWOW64\Fgjhpcmo.exe

Filesize
257KB

MD5
0afd29b1641fe4ec146d17f2fdb66e04

SHA1
be2ff7854aa86ed84d627dd4c6a87e078d93cfc6

SHA256
24740beed89c0b30d693df8ecdef845aa10e98cb1c8d5ac574e2f30089a4647a

SHA512
2fdacda6c039cf751e181b1aeb5f1e6fa9e298817c54ad6a12d9b8f814ffd708b6ad08d640ed2cdc5e1ae72f9fdcafa4f249ec3651c815557068d94ac87771b6

Download Submit
C:\Windows\SysWOW64\Fijdjfdb.exe

Filesize
257KB

MD5
f340a77eb56ce619145dbe2cb62a6443

SHA1
b7ab78dc7b78cb17ffcf7814be32a1f35f09f743

SHA256
aefd7f59d08f1fe271510f84773a76722636e6b4f64290eae77ce08f503d47a1

SHA512
c6d9b8c69334f8d50b398421a53893e9322acaac82456c995d52a3e10c03bb39685d3e31865a7fc5980dadf8b8be320cc8eff0d1c074f3d4280d0a9215d5a80d

Download Submit
C:\Windows\SysWOW64\Finnef32.exe

Filesize
257KB

MD5
e2e835ead968d21610dcdc2ccd6983f2

SHA1
4fa35928ed02baa68fd6b5ca08a59372947e03a5

SHA256
bdbcc968f14ed82c87acd401d9d6eb3d25e06203c5055074dc45529764cfaf09

SHA512
42447a5910d4bc40daa5cacaee851d32558f62823946d315ea89a60c0327bbcf65e8effd71889b6831be2e89a3dec5536808c5239d2e0ad62437fa50b4beab91

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
257KB

MD5
d726c1ef896f5fee81ed2a2d9522aa70

SHA1
97fc20901ed383c51e2630db71b53e0987e86ae2

SHA256
dc24822d14d27d2dad8a7d5661db90769776eb0f567c2f25b476986ad8c6bb12

SHA512
a845866ecfa9a5482499a5e7634dad5a81db874e728f2767b9a239fc0f4927d631de9c45e277f81002ba1eff33b7df42fb028a2b06bf0c645b50bde2b4a71082

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
257KB

MD5
24c3a9e11ca1ae402f4ee973475616b6

SHA1
b42fd1e89bf5181f9dc654616f210ec817fed338

SHA256
4ed0b014f853dc5712cc238b33c383e799cf3d7ce5e03f86c8fe23e5b20a431c

SHA512
6ada4a4654c233067423f5d5e6c57424708a7a03ba934e45c45541efaa8d3c8c021d502b604e2f93554e748bd598fb005cd76bdb529f1fd4160c9a82bc713761

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
257KB

MD5
149468fe5d2298ad43a85a328ac1f92b

SHA1
d629c84554cf1221062378cd0a8a5ffe1697a2fc

SHA256
929e103e32bb9cf97fdb2d692bcaf078dc65722dcf251a67cf291f1983d135b4

SHA512
365727c9586368131d71e7d46269c993528b8bdecb10ae5c99aec3acf03bc2939a3d8bfda2fadda9c311101faa59a59e5ea03a8809f15b15ffd7d5acd26f9c15

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
257KB

MD5
5b3342a137046604bc17da255da38feb

SHA1
68368b207d7b2007b89194b0d02fac2b8b706e2a

SHA256
141373af483bd110005b8c411c53809e3ebf608f736da33808b3e7393365b1c7

SHA512
8644a14bcb43206eeae3a26620fb4e8fe929d59d4bc53147a7cfd15f2dfe82167dcefc03075daff1f315238d8fbe2d1965a1e5e1d90dcfb12488fff89d13589c

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
257KB

MD5
8a4d90ba94fc5706ec2f0107deab73a1

SHA1
93857050432458b3c221bdfa6c432d552fccb540

SHA256
2ead67054bd31f3514fc299dd9964d0be7fca6fe1ac448050e00237d076172ff

SHA512
aab9b329003dd854843460be32342185e5464ca407168eee3326b22905308897eae0e403993471d36816651552c404af3b2e051e59a77faf81af2813994f335c

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
257KB

MD5
07d6855dad4593e318d9174026a87496

SHA1
321f7d15e3bed7afe02705b4ad69e5a83c7c5fa0

SHA256
4f29fd6244d46fa7af0dacf9fb8b3b0af4aa6861157e55cf9a7969325b459e55

SHA512
9585aeb7b224dc02a46c0ea96c4cec0f4a83e537ebdcf9f924c003ef515d652d4b1496b4b7629f440fd9227446417013169db2df3e8d5d928859c7f48c21b231

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
257KB

MD5
0cce66d3dc941a78efa826948ff71f20

SHA1
b788fd9201b8e603c7dba49a399a746c0cb955ee

SHA256
cda7aa3f496a8d16b68e6031e635a956e54ad31f45385eadcfdf46b3a8c28f77

SHA512
a7f40e64323e1723bedb4605dce79d1fc550726cafb95beecb391ffda5d21321e678ea55cfb3a6bef5ab097595858fe18dcd6afba2f14669412de42ee7716325

Download Submit
C:\Windows\SysWOW64\Ggkqgaol.exe

Filesize
257KB

MD5
646c1e89723dbe0aca30c908db34d006

SHA1
5a210242ffb0e7f078283b47e26c1b26e1d2d736

SHA256
94bcd64fd62c71341c5f64012dabd9faadb42528904a01b8f001eb9109e84ca4

SHA512
0bd5a74bc3612bdaa7459d339097d573dc890d9437b2ad4e86246dece2ec209377787ff1950f4249908ebabe17125c7659da12d46787052cc9edc9dba39f2588

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
257KB

MD5
b32720e9e06a8b8036c385a37ae4a60b

SHA1
54d8f03f8b39f053567ffb6b6752b28d7ea2bc9f

SHA256
ac27ad1568a3249ebfb2afe1ee8ee15783ff3f5c592a202ef3f40bf3415f86d1

SHA512
01dd5f158ad02b90e5ef0c03a853300c24c4e0458c2a07aa597c5527839dad8ed0d1b8315cfb39c5747e6d3e40635e1b7e98b156f68a07822e61eb13de811d6f

Download Submit
C:\Windows\SysWOW64\Mbkkam32.dll

Filesize
7KB

MD5
8fb6d750a60e84987383873240bd1d89

SHA1
1db04fe6efb195c7d1fad01b37cc2af4492337f5

SHA256
8a26bfe35ccaaa89aa626c3a5435518abf69dd724c68ee4bd10f6f2a0b301b51

SHA512
9d56e14c5df4690f69513d104e9e86e4890767f26ed887699c005871d3b5a8415b5f0732a50c5940a77cbaedef9f5967b061c3da4c729fb54680741770e175db

Download Submit
memory/32-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads