berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
136s
max time network
178s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/05777e787a0105c14320a2426794b5b9.exe
Size

93KB
MD5

05777e787a0105c14320a2426794b5b9
SHA1

d590bdf58527e51ba581920a8c65945dad008a75
SHA256

8066abc449cfb2f3d87561d3d9547f7a1ce211d6db7fed509e6859c148f1ec36
SHA512

285c17ca3a6282a21d5c4ac8afef207682fa729570e940790e55220675afb662e000da5cf033ab6e8c62915fdb7c59a3cb0e62b0692a2a78a32870d5923fff8c
SSDEEP

1536:HwXFNxy76WBjMGn9dpJFjXgkygmd2k2tyQZvx+XGJtJNosRQWRkRLJzeLD9N0iQH:uWtJJFf9mR2Ae4XGreWSJdEN0s4WE+3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgobel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkohaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhnbhok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gncchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfgcakon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njfagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qlimed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbeejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dimenegi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbjkngo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fideeaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmbmkpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbcke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lopmii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iciaqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jklinohd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbndfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcbdgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlkipgpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnmdme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkgcea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dflmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plbfdekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jilfifme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkgbcff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njkkbehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paelfmaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjibj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipflihfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiloco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bahkih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodjjimm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giinpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgninn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plmmif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chnbbqpn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	11576	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
828	Dbjkkl32.exe
1048	Dmoohe32.exe
4936	Dkbocbog.exe
1880	Dpnkdq32.exe
4228	Dfgcakon.exe
3784	Difpmfna.exe
332	Dmalne32.exe
1156	Dbndfl32.exe
5080	Djelgied.exe
4292	Dlghoa32.exe
2252	Dpbdopck.exe
4564	Dflmlj32.exe
3632	Dmfeidbe.exe
3236	Dbcmakpl.exe
3024	Dimenegi.exe
2000	Dmhand32.exe
3416	Ecbjkngo.exe
772	Emkndc32.exe
3188	Epikpo32.exe
4284	Eiaoid32.exe
3836	Ebjcajjd.exe
1744	Epndknin.exe
1952	Efhlhh32.exe
3640	Eclmamod.exe
2868	Eiieicml.exe
4216	Ffmfchle.exe
2772	Fbcfhibj.exe
1980	Fimodc32.exe
4236	Fjmkoeqi.exe
3520	Fpjcgm32.exe
3856	Fdglmkeg.exe
1200	Fideeaco.exe
2856	Gdjibj32.exe
4492	Gmbmkpie.exe
1840	Gbofcghl.exe
4496	Giinpa32.exe
1416	Gdobnj32.exe
448	Gikkfqmf.exe
3584	Gpecbk32.exe
3600	Gbdoof32.exe
1152	Glldgljg.exe
5092	Gbfldf32.exe
4516	Gkmdecbg.exe
2604	Hpjmnjqn.exe
2076	Hgdejd32.exe
232	Hibafp32.exe
1220	Hlambk32.exe
1588	Hckeoeno.exe
564	Hpofii32.exe
4308	Hkdjfb32.exe
3552	Hmbfbn32.exe
3368	Hcpojd32.exe
3280	Hiiggoaf.exe
1884	Hlhccj32.exe
1600	Hcblpdgg.exe
1296	Hkicaahi.exe
3212	Ingpmmgm.exe
4612	Ipflihfq.exe
1568	Igpdfb32.exe
2936	Iinqbn32.exe
4764	Ilmmni32.exe
2536	Icfekc32.exe
4776	Iknmla32.exe
1656	Inlihl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Digehphc.exe	Dfiildio.exe
File created	C:\Windows\SysWOW64\Fmmmfj32.exe	Ffceip32.exe
File opened for modification	C:\Windows\SysWOW64\Efeihb32.exe	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Npdopj32.dll	Iibccgep.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Lqpamb32.exe	Lnadagbm.exe
File created	C:\Windows\SysWOW64\Cqglioac.dll	Nnbnhedj.exe
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Bpcaaeme.dll	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aknbkjfh.exe
File opened for modification	C:\Windows\SysWOW64\Lnohlgep.exe	Lkalplel.exe
File created	C:\Windows\SysWOW64\Efjbcakl.exe	Ebnfbcbc.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Lcccepbd.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Fbqdpi32.dll	Ipjoja32.exe
File opened for modification	C:\Windows\SysWOW64\Mmkdcm32.exe	Mnhdgpii.exe
File created	C:\Windows\SysWOW64\Fmggcl32.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Dohjem32.dll	Kgnbdh32.exe
File opened for modification	C:\Windows\SysWOW64\Onmfimga.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ifaciolc.dll	Ebdcld32.exe
File opened for modification	C:\Windows\SysWOW64\Igfclkdj.exe	Ickglm32.exe
File opened for modification	C:\Windows\SysWOW64\Efgemb32.exe	Enpmld32.exe
File created	C:\Windows\SysWOW64\Fmkqpkla.exe	Fiodpl32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaekqhh.exe	Jmbhoeid.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Mjijkmod.dll	Oloahhki.exe
File opened for modification	C:\Windows\SysWOW64\Bhpfqcln.exe	Bddjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Bffcpg32.exe	Bomkcm32.exe
File created	C:\Windows\SysWOW64\Ppioondd.dll	Ddgplado.exe
File created	C:\Windows\SysWOW64\Ddnfmqng.exe	Doaneiop.exe
File created	C:\Windows\SysWOW64\Mhjmpfcl.dll	Dodjjimm.exe
File opened for modification	C:\Windows\SysWOW64\Imkbnf32.exe	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Lfcpgb32.dll	Jekqmhia.exe
File opened for modification	C:\Windows\SysWOW64\Poimpapp.exe	Plkpcfal.exe
File created	C:\Windows\SysWOW64\Bohbhmfm.exe	Bhnikc32.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Mfcjqc32.dll	Kegpifod.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Pjdhhc32.dll	Pmoiqneg.exe
File created	C:\Windows\SysWOW64\Ilmifh32.dll	Eiokinbk.exe
File created	C:\Windows\SysWOW64\Cglblmfn.dll	Qklmpalf.exe
File created	C:\Windows\SysWOW64\Iahici32.dll	Bhkmec32.exe
File opened for modification	C:\Windows\SysWOW64\Bhnikc32.exe	Bnhenj32.exe
File created	C:\Windows\SysWOW64\Dfiildio.exe	Dnbakghm.exe
File created	C:\Windows\SysWOW64\Bdifpa32.dll	Gfhndpol.exe
File created	C:\Windows\SysWOW64\Bgqoll32.dll	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Pbjnik32.dll	Ffmfchle.exe
File opened for modification	C:\Windows\SysWOW64\Lklbdm32.exe	Lgqfdnah.exe
File created	C:\Windows\SysWOW64\Jpmcbhlp.dll	Qachgk32.exe
File created	C:\Windows\SysWOW64\Aoalgn32.exe	Adkgje32.exe
File opened for modification	C:\Windows\SysWOW64\Bochmn32.exe	Ahippdbe.exe
File created	C:\Windows\SysWOW64\Bgaclkia.dll	Hpqldc32.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Jocefm32.exe
File created	C:\Windows\SysWOW64\Ilmmni32.exe	Iinqbn32.exe
File opened for modification	C:\Windows\SysWOW64\Jklinohd.exe	Jdaaaeqg.exe
File created	C:\Windows\SysWOW64\Bomkcm32.exe	Blnoga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12052	11840	WerFault.exe	608

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbofcghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqbncb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemdlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllokajf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpnkdq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmdecbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gppcmeem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbocbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbdopck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcekpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmalne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhlhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahippdbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhkfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnbdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkbfeab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabfjpak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iibccgep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqhafffk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qklmpalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefjii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bohbhmfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgjndno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpbecod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmonl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimhjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekqmhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlimed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkgje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgnbaeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlfnaicd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paoollik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmfbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhgkmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgkfnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoiqneg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hplbickp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igfclkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inlihl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhokljge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmhpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efblbbqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqpamb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpfqcln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmkqpkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgobel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcmakpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffmfchle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmmni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idkkpf32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8236	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	05777e787a0105c14320a2426794b5b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khacqh32.dll"	Dmoohe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpjcgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll"	Mebcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhokljge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll"	Ckmonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbbffdlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eiieicml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdejd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkicaahi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimcmnpn.dll"	Ahbjoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fimhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlelal32.dll"	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdaaaeqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikikigb.dll"	Cdbfab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eiloco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmbmkpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcnmpcj.dll"	Goglcahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll"	Ahippdbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icfekc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alpbecod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Impliekg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Plkpcfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnbakghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hoaojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpkjpdi.dll"	Lkalplel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oanfen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aekddhcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbdadm32.dll"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dlghoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jllokajf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpecbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckoph32.dll"	Hlambk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 828	3712	05777e787a0105c14320a2426794b5b9.exe	87
PID 3712 wrote to memory of 828	3712	05777e787a0105c14320a2426794b5b9.exe	87
PID 3712 wrote to memory of 828	3712	05777e787a0105c14320a2426794b5b9.exe	87
PID 828 wrote to memory of 1048	828	Dbjkkl32.exe	88
PID 828 wrote to memory of 1048	828	Dbjkkl32.exe	88
PID 828 wrote to memory of 1048	828	Dbjkkl32.exe	88
PID 1048 wrote to memory of 4936	1048	Dmoohe32.exe	89
PID 1048 wrote to memory of 4936	1048	Dmoohe32.exe	89
PID 1048 wrote to memory of 4936	1048	Dmoohe32.exe	89
PID 4936 wrote to memory of 1880	4936	Dkbocbog.exe	90
PID 4936 wrote to memory of 1880	4936	Dkbocbog.exe	90
PID 4936 wrote to memory of 1880	4936	Dkbocbog.exe	90
PID 1880 wrote to memory of 4228	1880	Dpnkdq32.exe	91
PID 1880 wrote to memory of 4228	1880	Dpnkdq32.exe	91
PID 1880 wrote to memory of 4228	1880	Dpnkdq32.exe	91
PID 4228 wrote to memory of 3784	4228	Dfgcakon.exe	92
PID 4228 wrote to memory of 3784	4228	Dfgcakon.exe	92
PID 4228 wrote to memory of 3784	4228	Dfgcakon.exe	92
PID 3784 wrote to memory of 332	3784	Difpmfna.exe	93
PID 3784 wrote to memory of 332	3784	Difpmfna.exe	93
PID 3784 wrote to memory of 332	3784	Difpmfna.exe	93
PID 332 wrote to memory of 1156	332	Dmalne32.exe	94
PID 332 wrote to memory of 1156	332	Dmalne32.exe	94
PID 332 wrote to memory of 1156	332	Dmalne32.exe	94
PID 1156 wrote to memory of 5080	1156	Dbndfl32.exe	95
PID 1156 wrote to memory of 5080	1156	Dbndfl32.exe	95
PID 1156 wrote to memory of 5080	1156	Dbndfl32.exe	95
PID 5080 wrote to memory of 4292	5080	Djelgied.exe	96
PID 5080 wrote to memory of 4292	5080	Djelgied.exe	96
PID 5080 wrote to memory of 4292	5080	Djelgied.exe	96
PID 4292 wrote to memory of 2252	4292	Dlghoa32.exe	97
PID 4292 wrote to memory of 2252	4292	Dlghoa32.exe	97
PID 4292 wrote to memory of 2252	4292	Dlghoa32.exe	97
PID 2252 wrote to memory of 4564	2252	Dpbdopck.exe	98
PID 2252 wrote to memory of 4564	2252	Dpbdopck.exe	98
PID 2252 wrote to memory of 4564	2252	Dpbdopck.exe	98
PID 4564 wrote to memory of 3632	4564	Dflmlj32.exe	99
PID 4564 wrote to memory of 3632	4564	Dflmlj32.exe	99
PID 4564 wrote to memory of 3632	4564	Dflmlj32.exe	99
PID 3632 wrote to memory of 3236	3632	Dmfeidbe.exe	100
PID 3632 wrote to memory of 3236	3632	Dmfeidbe.exe	100
PID 3632 wrote to memory of 3236	3632	Dmfeidbe.exe	100
PID 3236 wrote to memory of 3024	3236	Dbcmakpl.exe	101
PID 3236 wrote to memory of 3024	3236	Dbcmakpl.exe	101
PID 3236 wrote to memory of 3024	3236	Dbcmakpl.exe	101
PID 3024 wrote to memory of 2000	3024	Dimenegi.exe	102
PID 3024 wrote to memory of 2000	3024	Dimenegi.exe	102
PID 3024 wrote to memory of 2000	3024	Dimenegi.exe	102
PID 2000 wrote to memory of 3416	2000	Dmhand32.exe	103
PID 2000 wrote to memory of 3416	2000	Dmhand32.exe	103
PID 2000 wrote to memory of 3416	2000	Dmhand32.exe	103
PID 3416 wrote to memory of 772	3416	Ecbjkngo.exe	104
PID 3416 wrote to memory of 772	3416	Ecbjkngo.exe	104
PID 3416 wrote to memory of 772	3416	Ecbjkngo.exe	104
PID 772 wrote to memory of 3188	772	Emkndc32.exe	105
PID 772 wrote to memory of 3188	772	Emkndc32.exe	105
PID 772 wrote to memory of 3188	772	Emkndc32.exe	105
PID 3188 wrote to memory of 4284	3188	Epikpo32.exe	106
PID 3188 wrote to memory of 4284	3188	Epikpo32.exe	106
PID 3188 wrote to memory of 4284	3188	Epikpo32.exe	106
PID 4284 wrote to memory of 3836	4284	Eiaoid32.exe	107
PID 4284 wrote to memory of 3836	4284	Eiaoid32.exe	107
PID 4284 wrote to memory of 3836	4284	Eiaoid32.exe	107
PID 3836 wrote to memory of 1744	3836	Ebjcajjd.exe	108

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\05777e787a0105c14320a2426794b5b9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\05777e787a0105c14320a2426794b5b9.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\Dbjkkl32.exe
  C:\Windows\system32\Dbjkkl32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\Dmoohe32.exe
    C:\Windows\system32\Dmoohe32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\Dkbocbog.exe
      C:\Windows\system32\Dkbocbog.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\Dpnkdq32.exe
        
        C:\Windows\system32\Dpnkdq32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Difpmfna.exe
        
        C:\Windows\system32\Difpmfna.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Dmhand32.exe
        
        C:\Windows\system32\Dmhand32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Epikpo32.exe
        
        C:\Windows\system32\Epikpo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ebjcajjd.exe
        
        C:\Windows\system32\Ebjcajjd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        23⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        25⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Fbcfhibj.exe
        
        C:\Windows\system32\Fbcfhibj.exe
        28⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        29⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        30⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Fpjcgm32.exe
        
        C:\Windows\system32\Fpjcgm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        32⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Fideeaco.exe
        
        C:\Windows\system32\Fideeaco.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Gdobnj32.exe
        
        C:\Windows\system32\Gdobnj32.exe
        38⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        39⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        41⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        42⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        43⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        45⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Hgdejd32.exe
        
        C:\Windows\system32\Hgdejd32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        47⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        49⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Hpofii32.exe
        
        C:\Windows\system32\Hpofii32.exe
        50⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        51⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        52⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        53⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        54⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Hlhccj32.exe
        
        C:\Windows\system32\Hlhccj32.exe
        55⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        56⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Hkicaahi.exe
        
        C:\Windows\system32\Hkicaahi.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        58⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        60⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Iknmla32.exe
        
        C:\Windows\system32\Iknmla32.exe
        64⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2152
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        67⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        68⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        69⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        70⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        71⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        72⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        74⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        75⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Jpaleglc.exe
        
        C:\Windows\system32\Jpaleglc.exe
        76⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        77⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        78⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Jkimho32.exe
        
        C:\Windows\system32\Jkimho32.exe
        80⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3876
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:932
        
        C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        84⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        87⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        88⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        89⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        90⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        91⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        92⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        93⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        94⤵
        
        PID:656
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        95⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4108
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        97⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        99⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        100⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Lmmolepp.exe
        
        C:\Windows\system32\Lmmolepp.exe
        102⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        103⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        104⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3288
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        106⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        108⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        109⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        110⤵
        
        PID:672
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        111⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        113⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        114⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        116⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        117⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        118⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        119⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        121⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        122⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        123⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        124⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        125⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        128⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        129⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        130⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        131⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        132⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        133⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        135⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        136⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        137⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        139⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        141⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        143⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        145⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        146⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        147⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        148⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        149⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Odhifjkg.exe
        
        C:\Windows\system32\Odhifjkg.exe
        150⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        151⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        152⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        153⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        154⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        155⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        156⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        157⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        160⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        161⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        162⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        163⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        164⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        165⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        166⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        168⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        170⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        171⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        172⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Poliea32.exe
        
        C:\Windows\system32\Poliea32.exe
        174⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        176⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        177⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        178⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        179⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        180⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        182⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        184⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        186⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        187⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        188⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        189⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        191⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        192⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        194⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        195⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        196⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:6952
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        198⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        199⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        201⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        202⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        203⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        204⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6216
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        205⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        206⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        207⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        208⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        209⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        211⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        212⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6800
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        214⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        215⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        218⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        219⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        220⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        221⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        222⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        223⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        224⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        225⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        226⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        228⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        229⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        230⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        231⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        232⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        233⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        235⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        236⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        239⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7248
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        241⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        242⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        243⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        244⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        245⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        246⤵
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        247⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        248⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        249⤵
        Drops file in System32 directory
        
        PID:7572
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        250⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        251⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7680
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        253⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        255⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        256⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        258⤵
        Drops file in System32 directory
        
        PID:7900
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        259⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7976
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        261⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        262⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        263⤵
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        264⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        265⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        266⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        267⤵
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        268⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        269⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        270⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        271⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        272⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        273⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        274⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        275⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        276⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        277⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7948
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        279⤵
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        280⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        281⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        282⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        283⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:7420
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        285⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        286⤵
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        287⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        288⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        289⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8140
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        291⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        292⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        293⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        294⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:8164
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        297⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        298⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        299⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        300⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        301⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        302⤵
        Modifies registry class
        
        PID:8256
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        303⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        304⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8364
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        306⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        307⤵
        Modifies registry class
        
        PID:8436
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        308⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        309⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        310⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:8580
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        312⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        313⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        314⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        315⤵
        Modifies registry class
        
        PID:8724
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:8760
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        317⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        318⤵
        Drops file in System32 directory
        
        PID:8832
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        319⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:8908
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8944
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        322⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        323⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        324⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        325⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        326⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        327⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        328⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        329⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        330⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        331⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        332⤵
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        333⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        334⤵
        Drops file in System32 directory
        
        PID:8560
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        335⤵
        Modifies registry class
        
        PID:8664
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:8788
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        337⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        338⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8924
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        339⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:9044
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        341⤵
        Modifies registry class
        
        PID:9104
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        342⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        343⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        344⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        345⤵
        Modifies registry class
        
        PID:8576
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        346⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8808
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        347⤵
        Drops file in System32 directory
        
        PID:8940
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        348⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        349⤵
        Drops file in System32 directory
        
        PID:9192
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        350⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        351⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        352⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8416
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        354⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8916
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        355⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        356⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        357⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        358⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9264
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        359⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        360⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9336
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        361⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        362⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9408
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        363⤵
        Drops file in System32 directory
        
        PID:9444
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        364⤵
        Modifies registry class
        
        PID:9480
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        365⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        366⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:9592
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        368⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        369⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        370⤵
        Modifies registry class
        
        PID:9700
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        371⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        372⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9772
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        373⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        374⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        375⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9884
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        376⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        377⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        378⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        379⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        380⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        381⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        382⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        383⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        384⤵
        Drops file in System32 directory
        
        PID:10208
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        385⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        386⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9188
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        387⤵
        Drops file in System32 directory
        
        PID:9352
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        388⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        389⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        390⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        391⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        392⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        393⤵
        Drops file in System32 directory
        
        PID:9752
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        394⤵
        System Location Discovery: System Language Discovery
        
        PID:9816
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        395⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        396⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        397⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        398⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10008
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        399⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        400⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        401⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        402⤵
        Modifies registry class
        
        PID:9256
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        403⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        404⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        405⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9568
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        406⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        407⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        408⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        409⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9856
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        410⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        411⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        412⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        413⤵
        System Location Discovery: System Language Discovery
        
        PID:10216
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        414⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        415⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        416⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        417⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        418⤵
        Modifies registry class
        
        PID:10132
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        419⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        420⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        421⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9364
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        422⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        423⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        424⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        425⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        426⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        427⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        428⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        429⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        430⤵
        Drops file in System32 directory
        
        PID:10456
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        431⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        432⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        433⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        434⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10572
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        435⤵
        Modifies registry class
        
        PID:10600
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        436⤵
        Modifies registry class
        
        PID:10628
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        437⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        438⤵
        Drops file in System32 directory
        
        PID:10684
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        439⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10712
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        440⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        441⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10768
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        442⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        443⤵
        Modifies registry class
        
        PID:10828
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        444⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        445⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        446⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        447⤵
        System Location Discovery: System Language Discovery
        
        PID:10944
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        448⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        449⤵
        Drops file in System32 directory
        
        PID:11040
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        450⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11080
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        451⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        452⤵
        System Location Discovery: System Language Discovery
        
        PID:11136
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        453⤵
        Modifies registry class
        
        PID:11164
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        454⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        455⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        456⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        457⤵
        Drops file in System32 directory
        
        PID:10480
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        458⤵
        Modifies registry class
        
        PID:10552
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        459⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10636
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        460⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10708
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        461⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        462⤵
        Drops file in System32 directory
        
        PID:10852
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        463⤵
        Modifies registry class
        
        PID:10924
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        464⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10976
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        465⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        466⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        467⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11208
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        468⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        469⤵
        Drops file in System32 directory
        
        PID:10624
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        470⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        471⤵
        Modifies registry class
        
        PID:10912
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        472⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        473⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        474⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        475⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        476⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10720
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        477⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        478⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        479⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        480⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11348
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        481⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11376
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        482⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        483⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        484⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:11464
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        485⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        486⤵
        Drops file in System32 directory
        
        PID:11520
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        487⤵
        System Location Discovery: System Language Discovery
        
        PID:11560
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        488⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        489⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:11640
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        490⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11684
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        491⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        492⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        493⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        494⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        495⤵
        System Location Discovery: System Language Discovery
        
        PID:11860
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        496⤵
        System Location Discovery: System Language Discovery
        
        PID:11888
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        497⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11916
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        498⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        499⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        500⤵
        Modifies registry class
        
        PID:12004
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        501⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        502⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        503⤵
        System Location Discovery: System Language Discovery
        
        PID:12088
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        504⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        505⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        506⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        507⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        508⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        509⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        510⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        511⤵
        Modifies registry class
        
        PID:11312
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        512⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        513⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        514⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        515⤵
        Drops file in System32 directory
        
        PID:11604
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        516⤵
        Modifies registry class
        
        PID:11728
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        517⤵
        Modifies registry class
        
        PID:11776
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        518⤵
        System Location Discovery: System Language Discovery
        
        PID:11840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11840 -s 448
        519⤵
        Program crash
        
        PID:12052

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzI5NjcyRDAtMThFNC00MjJELThGODQtQUE5RkIyRjJCOUQ2fSIgdXNlcmlkPSJ7NUFGMjVBRjItMzc2OC00N0I5LUIwQkMtOEY3OTBFOEYzNUE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEYzMzFCQTYtMUE0Ny00OEVBLUFGMDctNjA1OEY2RDE1RDk2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM2MzkxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDg5MTA1NjUwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA0NTgyMzQyNCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 244 -p 11840 -ip 11840
1⤵
PID:11996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbcmakpl.exe

Filesize
93KB

MD5
c5514b275dec2714bc440859f02ad6fa

SHA1
3d3923ecddd561d342f8c396caabccece77835e0

SHA256
c7359eee99fab3b83f053c9f5b70c6020eb17428dbbce9048bbdb1849c4c81ba

SHA512
326b0d36cab2c78bb735c8f492ad92c284b348b8c8c35691913c2ac3bb297bdbdda5930ad775c336a7677fce1a239854813db77964d18a8f5b1bdf32ccfcc643

Download Submit
C:\Windows\SysWOW64\Dbjkkl32.exe

Filesize
93KB

MD5
1cdd26705f26c83a43b3c2471b1afd71

SHA1
41d7010617c3f546d35dc45d126a3859849d447e

SHA256
89ffed97995f953779d5f2eaeb7a15abe08a074ae0e1985037ae224045b9eb58

SHA512
a497e0aaf9e8a0742cccb7fc7c7ea03ebbff55a931d21339dee564de7c1f5c5883df30abca78c15b7c8b672271d8a18dfffa35e2338765ae751957a4ff164e1d

Download Submit
C:\Windows\SysWOW64\Dbndfl32.exe

Filesize
93KB

MD5
727dffebc062be855520d8eaf0496d90

SHA1
d5106018cd90d249e795a8816ace4f6c46586841

SHA256
f5ecbdbed090652f846c0e26845fab86945756cf353e22732230ef02e3fcc698

SHA512
bd1ac716a4bfd753d3122ae4e38e22c6cacb8a1c2544c480fee48d33181d68b502469541c476da2b5cce3bf9ff32e49243f2369f1b68141f875663fce53aea72

Download Submit
C:\Windows\SysWOW64\Dfgcakon.exe

Filesize
93KB

MD5
d996365329871e134cd185c249492c4e

SHA1
ab249265fde97b23e82e3df5a0b119beb9657df2

SHA256
fa8e3facc0ac31289f5dbabee40ad467e8b06a569beb2b2db723c1f2ba711206

SHA512
a61aa5fe579f93e744964af4aa51285a5ad3a38ffb67b99d6bbdd82ebed91be82d80a6d7272ccb8493248ce9f431b6bfe710a7aefed7a4c4bc0033934ddd19a5

Download Submit
C:\Windows\SysWOW64\Dflmlj32.exe

Filesize
93KB

MD5
7e422b3f5d02577ea00709b7bce61e07

SHA1
12d5131cfdd5cc4b4d836ba020d20cf829b6256b

SHA256
d8f9af79a0e79bf5472fc52270462c3085bbc094c4e8a6cc0681a6b5bffe5a73

SHA512
ba72760c650eb1262519334c331e8ed24dafca474157e11d2ee3f28c7bd7273c2b649285346378969c12791cea26149f3c88073ce6bda9fcfc6407d84f80678d

Download Submit
C:\Windows\SysWOW64\Difpmfna.exe

Filesize
93KB

MD5
233f7b8c8db85ee9edd1f8fce3fd8f00

SHA1
6f8d5ebb4a3c96ae7bc9d070941e073ec0117d0f

SHA256
540a069d631f4efda1515a4ae88746ef4d7ce44a66025089e799b14e11f21f4d

SHA512
585f5aa3766335a331ebacc6cea6287a9f16d88d8d39137027597a798bf6bba562d8fa546506c19879632b76a15f30d66f576b96570a65252548b0453cf86672

Download Submit
C:\Windows\SysWOW64\Dimenegi.exe

Filesize
93KB

MD5
bd58acbf7dfef0b39b3f7dad6aaaa2f7

SHA1
bb5eb68e8fb89a9efa3d787d8245add1d09ad9c8

SHA256
931390a87082b6c5b52501e24a7587ac3666949520a247dc157f99c668541a6b

SHA512
aff355b4bbe8abd4d65607ee782760d8a833f897a8f1ad16a9a0ae9a0ab2a18f2f0267da136d60685066ac9109e72305ca6f8f52e470b7fe5e1c395a9ad37e72

Download Submit
C:\Windows\SysWOW64\Djelgied.exe

Filesize
93KB

MD5
d5246c5d6da38d42c3f3185cf1f7f0a1

SHA1
f8f1e73087306a04e00ab75ca83f43798af6067d

SHA256
b96db427596b08cb12b2c68416545d293a22566ee870726d348fc6f8c0af6b74

SHA512
61ccb121079dc482ee61571c2b4cd43d32c6bf9fe00c36264c38ca7c28107f4196f0002d103d837ded78aa1d9ee468288ff9903f6848963878c76af5ee63dbf1

Download Submit
C:\Windows\SysWOW64\Dkbocbog.exe

Filesize
93KB

MD5
73c356004c1fabcf21400484064d8c23

SHA1
0b24c4924d4ec465c41e23be056ebe3beb1000c9

SHA256
5e6b4cc036d6e1ecf677b86d157a3e31437475cb7863f621ca53cf10a6d82e5c

SHA512
c0afceb3b91379911db22de1aae9ca33caf7258937164c27bb50aafacf40a13e6530f81291059862d245018dce25d64eee9ce488b2b8453d430d4dc81060d4a0

Download Submit
C:\Windows\SysWOW64\Dlghoa32.exe

Filesize
93KB

MD5
e01ffb2562483ee6d4a09a9d471e16f5

SHA1
e26a868cf74f346c7fc77605d4249c61a2dd01a2

SHA256
a7afaaef87a00a8b25980a68fcc5338bcae54254e6ac2daf88fa30d24d63f790

SHA512
7d5d7c7bc71d9b914d1572824539dc1ab9b8251e16a27154a09f2e3232df915527d5ade4beacb3fe0ceb153acbf2ef5407fc22cc6a4b88c493b81a142b1d8efa

Download Submit
C:\Windows\SysWOW64\Dmalne32.exe

Filesize
93KB

MD5
fcc6487df80566e991e505486c1b193e

SHA1
d4d4a40a573661e2e68c03e782c2ec9111c05bd7

SHA256
b8c194d8ff1ebbebb6086b34ab2f32ab5af594165544410f61ce552b4be6c65b

SHA512
38953492566e5117fcdfbceb91b7c8044634e402b2a7b37fe31ad3fe4c8df86941e4dd4b0412d257e9827ba413bd1a416fa535d5b6af84e744c193d8addb3a9e

Download Submit
C:\Windows\SysWOW64\Dmfeidbe.exe

Filesize
93KB

MD5
a80b0516bb85b71fcc2872d8c88729eb

SHA1
d4407cdebeb98b22ac2ba32b339532b4aacc667b

SHA256
5287caf04623de6dc734acc629cfb592631c06d8101b7899080d381d7f1aadd9

SHA512
b7463f69f340445836e5bfa22b088042654ba2a98f49f5b7e832efbbcc9f0d8bb5e00eaee17f69a6026ca3e85603bba3f4fafef3185dde394617b678d0ce262a

Download Submit
C:\Windows\SysWOW64\Dmhand32.exe

Filesize
93KB

MD5
3df7e219689c775fe18f06aa0fe9b0cb

SHA1
7f2dab2e17255f27786b0dbbc124d58bd327dc85

SHA256
bf6e89a355b99ae7b566c041b336d5fed8a5c4d79f3ebe8d8657ed3df2be54db

SHA512
3b848c7d21d3eb6cfb51eee8aee8e61b6dcd0ac0ea85caf0fe2309fa1fca0af115de88218114746e101850b03dfc1fb1049a895a3fa6e1dc808d4d2555e7753d

Download Submit
C:\Windows\SysWOW64\Dmoohe32.exe

Filesize
93KB

MD5
ab3b72e0f94609c43131816f15ad566e

SHA1
1498e6525a770a144a815925e1abb9f999549376

SHA256
6b4f77d809a313b29d1c67fac18dd74738764b4903f531d5be20568eec237737

SHA512
985cc1fce77bc3490ef50f9786ef8205daa6deb7d4fd6f0b3190e424c99a38027d41b957db78376ed838ab7e9edad74326d4029899346b868b93a8f7b8adf108

Download Submit
C:\Windows\SysWOW64\Dpbdopck.exe

Filesize
93KB

MD5
7cad574688642aa9c42960b5f25e27fc

SHA1
e1cfdaa9e158c7fbab99a7e02956f266d21280a0

SHA256
5e981f1655c7ed306c5e3624490dd8eae0eeb5ef912290c5583bec7d15bb6b36

SHA512
dfd264fa4240910f820e6bb0af949bad241159df5790787f749e3538ef6b5a50db61aa5087572f4663291063cc55f2e49429cea750830650c9a96800f36d97ff

Download Submit
C:\Windows\SysWOW64\Dpnkdq32.exe

Filesize
93KB

MD5
476eebd28a2d78358ebe39e12b3705d9

SHA1
0cf9bd7c84b0f76c959e28832460b644e78f2d47

SHA256
17f80a5c84a77aedd89f19ffa5058e811eeee5d488a66aea9a92ddb86cb07cf0

SHA512
de408faf4f54ec9b61aca7bc337a5d9ca555c11317caf3c5a84f95d1686e1a7809b8787271ed1d02fc31dcd38ea77f1571d1432268ed704ac57121d3f4545519

Download Submit
C:\Windows\SysWOW64\Ebjcajjd.exe

Filesize
93KB

MD5
d6cf044bb4deccd266b6b0aec0481ddd

SHA1
662bcc2d9ff24984bd47f09578423c7e5e62b623

SHA256
a8dfd4d433fd472c217bc7fe87581444133e0f7a7f2e190d3573e060dab4530c

SHA512
758efb9ae7b48185a7a9e2c56d15168e5f9e3b3b151947a1ea021bb174389926b07a35529fe4e8a2af31b0f51925dfa1d0be282a6a59f1e9c762a27d7d1afed0

Download Submit
C:\Windows\SysWOW64\Ecbjkngo.exe

Filesize
93KB

MD5
32d9621de1cfcecd75d358bef300076e

SHA1
38f430e12f29f8d95ea63315fe1d7d0ed2b50413

SHA256
bb287c9cf3c1ff4f91bf4b9ad1b9cac59843fc66b0eb2148f2ec4c5936dfae22

SHA512
038684c54a935095ee6fc73b255e698afa817511e69c68770cf3198c5cf992b3f30871b3a01a4ae8a348d1833b6c39ec7b0ca0584018a1a655ad462498829cc0

Download Submit
C:\Windows\SysWOW64\Eclmamod.exe

Filesize
93KB

MD5
ce6b349e3310f83bb2c6da76de6fe084

SHA1
bd7a8e80276933abdf1281440627da3b57168ba6

SHA256
325d473008e576e892d506645a8bb43f700528ee43da840d447032caeef67184

SHA512
3e9472887d163ae150df80a5ef7f2d37977179d0105471b9894c467b30e1c6eba3d4990977c5376f466b155beab640cd3c1b905fcf2a6681a6ad4dfe919668b7

Download Submit
C:\Windows\SysWOW64\Efhlhh32.exe

Filesize
93KB

MD5
f8ea6d09a93a38a31e783b507211656a

SHA1
bbd4e5a0f74482e0b3c2ac3570ede82d9fbb051c

SHA256
e4d83016fb8f252d11a859a800cb760fa312a24ba734fe56cc8db3588e627d88

SHA512
e7b302249ca2fdd78daaa1946568d92a495f9101b40aea723e2d62aab42c02cd1310d1bedfb321a1dd68262c8a9efa129bbeb69534720e0890506cb21f95be39

Download Submit
C:\Windows\SysWOW64\Eiaoid32.exe

Filesize
93KB

MD5
f304d7080492aee34c93d3726fa30461

SHA1
5b334eefdd9f5e33ac9613f83ec58123fc820f6c

SHA256
bbd18119390712ee2b2eb8817b6f226fe7d4c23b868b963a357f2fd1700f3cd2

SHA512
d08f861833e25da0f0061a590b17daf023602faf5676fd8780cd3a1b322f0f48b87d9d9b06014fc1443eec6e445c26545c27907c13e3524417b849844796e3c2

Download Submit
C:\Windows\SysWOW64\Eiieicml.exe

Filesize
93KB

MD5
0abab033a5768af541051b0c2bdc38e5

SHA1
debb9e0afa6718d54f7b4d8def8d018b3af10ef0

SHA256
1a095281ca8610deadd3030686c43e9acaa18e6e7b8918468fc9872743bf6088

SHA512
fe6f9e4a19bdc2392e584b683018afd91c676a8d099cf41d1f7dffb196fdd8edc63e544415bc663c69f049698622c1a6be49c99511910a5e630bcefcfe83556f

Download Submit
C:\Windows\SysWOW64\Emkndc32.exe

Filesize
93KB

MD5
77e773bc70500a07771a4f32180e8202

SHA1
1093102b8182d7a3fbf772abbc7d472f7e389fb9

SHA256
0844ff548a2b1532727d9bec063baa6644b920da51e1d1d8bf2a14f31f056f46

SHA512
1a433e1bbf38f1c4c0c23c3d3fe28b5f0b05eb9c8e9ef9b4259509e7335c9c7e7028a98318e3ad5693332f977b6b10e7afc6f0ea609ab0cffb8b45f3669ce10d

Download Submit
C:\Windows\SysWOW64\Epikpo32.exe

Filesize
93KB

MD5
341dbb5fbf85773358e85ec36c96b1d2

SHA1
3f6befbeddeaca591c0ab40d4700cf21f41e294d

SHA256
bc9b86bd05f2a6598b7a5e1ffb787ca107384eaed32561e8f09233219eed414d

SHA512
7904337f7c888357e39ee3b4b0a48e5cc15aeb9f9716ae9404e0503eba267d40868e71cac60e049e4b4b62c09a41750bab4098b957536ecab374fe9b5e541f21

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
93KB

MD5
ccdf0a647862d418ebae62c88d142374

SHA1
5c1a6d3f26e575e65e7d7114cb4dd211c0e1e3cc

SHA256
d40b47085302ccabe2ca22bf8bbc27b37cdfcdf29c30ed8209cc7b775cb2fd92

SHA512
371dd8c80dc169b294d7f7bd5a852a4e1c8dea22d44006a4fdaa39493f10d5e1b07816ecfc03ee357fef4ab0262d57b5e31d4fb5618d654a282330c6ee1fa878

Download Submit
C:\Windows\SysWOW64\Fbcfhibj.exe

Filesize
93KB

MD5
e64ad347e030d3018fb8d41910a2ba09

SHA1
00e85c150ef9487ec586d4e11af44d81c76ae084

SHA256
1e8df58138ff7aabad8bdd1510a8622df62ca0a39b80491e11b2528813784973

SHA512
86f24f71c1e41654a1dc8bad55ca102d5418bd4e2b55ff803b8d129361e99b30f80ed76540a6d5c695f0ef2c7fb69548147d10f65ab3ac7f13b596d6482e2683

Download Submit
C:\Windows\SysWOW64\Fdglmkeg.exe

Filesize
93KB

MD5
4f235c48dc6e2a21520c9e3d7fa2268b

SHA1
202eb239360b20f15432b837c8e1681b866d3acd

SHA256
2b4883fd129d925ec6c38f0fd9bfe74481449b05fc698f6a2ac6eec8dfdde374

SHA512
3a1e7a1535a9c829a6d49234af6756a426a9a8a9ce154b9bb3244972b2ff18ea69dcba900d304dafa74239cffe07c727f0ed8dcfd71414fe0c2855a361bdd830

Download Submit
C:\Windows\SysWOW64\Ffmfchle.exe

Filesize
93KB

MD5
9475dc7db43ccaa41c321874845f033a

SHA1
7b70cfc8f49c087ea7ef1dc3c01fe8c5ccb136b2

SHA256
60f818d34c3ce57e689d67286f8fb8f3786961d0083e8dc61fe310919435c105

SHA512
85f8145cbba9dbfe4ccf8ccdc5e7891c1bc9426c59c7a42f3fec733f6863960bc2c2369bc6db0e97d1853a66a7987a022a1b61d14ff3a96a732fb05bb7551756

Download Submit
C:\Windows\SysWOW64\Fideeaco.exe

Filesize
93KB

MD5
97ca280b299e611f44e76c48ba760b87

SHA1
0387ad04e177ca0ef8f41474e644e1202913935c

SHA256
4f94b57e589ad26dc6d130bc7089d825d89091abc05d95cb65b3b4f95ed7446f

SHA512
9663d3624e60c7beee7879c956ec86874abf20596efbc4a2439b96ffe69a714b3bbeebd0e0ec2c10a2ba5b7ee621d9f6014c3ed7d0c189910183575b9aa10652

Download Submit
C:\Windows\SysWOW64\Fimodc32.exe

Filesize
93KB

MD5
fecb738a080d8f45b6e9bffd0d31fade

SHA1
362814eb8d20f303507455e75393c74bfa2478fa

SHA256
16a8e2e3ca77de7499f571da9f3cc5452d306c2389f7f3ded5f77f692338cc71

SHA512
7580a5c6ee54b8823f1fc7abb7364b7e198f5441f2795137a9b07af81de69f00039f4d91d8b950a2b5e4a5a51a9cc72e0cfbf8ba5cd001043c0a73420829c1f0

Download Submit
C:\Windows\SysWOW64\Fjmkoeqi.exe

Filesize
93KB

MD5
4dd30f97d1dcc05fbc52174481d1205f

SHA1
7b3c9a68e33e3931e38d551adc4b8337b0647ad0

SHA256
74dff8db98e1530fc4793885b94b79dba5bef8db3c33e7a2646904380b82c561

SHA512
5efe06f7431d12749f569c15c819b113ddf8702927845f2c57d84eee4d9d3b75193482e0bfa15256cdcbe397cfecbdaf3d2385046cd0a2cc692b768c40496831

Download Submit
C:\Windows\SysWOW64\Fpjcgm32.exe

Filesize
93KB

MD5
4add8f31eb89786b905bc3cb002af69e

SHA1
2b1a53739dde246b14abddcbde5b780730d236c8

SHA256
35f9edcc224ca809cb736e8dbae57b8a0343b31846803f44935d13f1dacc3bb4

SHA512
442854ec9f9e0eadfbfc1edbaace35719b1c01861de69a11a0ada91fb8ebacbd8818d93c844b647de64ac156f640edfb134692d36c12050b1471ea6f4a211a1c

Download Submit
C:\Windows\SysWOW64\Gpbkpm32.dll

Filesize
7KB

MD5
e5ee339eec25fe6fb793c83725ae294a

SHA1
394ed17fde9287997514ad23328fda65ff45ce11

SHA256
0bc4b671d389fd6cf1b2671e486cadfb4535d6d9f31a8e1ca08054799ca936ff

SHA512
406de57458c4df5906175d41cfd5ad983e69d7d383a665406dd9d7aa469ae8e30ffffcb5aee62396b07ccca2ca165d593af3a3a50a1767a93c913981723cbee5

Download Submit
memory/232-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/332-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/332-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/564-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads