berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
124s
max time network
179s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/03ed3d089e222fe691a1ce1ad04450a2.exe
Size

1.1MB
MD5

03ed3d089e222fe691a1ce1ad04450a2
SHA1

d04429e687f7fd84bcf234c558ee5fc140c2fd62
SHA256

45bd0afb29391b80cb711efd4ae6e1fbc7749feef8f4b0dd8b3fe75a400614cf
SHA512

5f7e0c38a61d77a66b984597ae3fb11c8ed3f36e28d57ef91f4a27710a078e85672200e60d1e8ca80171552d092235c758f7a893ee4d0848cbfd904373dc96fa
SSDEEP

6144:ptu6S1vlfY/m0UU/vlf0DrBqvl8ZV4U/vlfl+9DvlEZV4U9:Djcvgm0UIveDVqvQ6IvYvc6+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmnldib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Minipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjomldfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmqjjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoconenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdddhlbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Donecfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dehnpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijedehgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqofippg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfeagefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hembndee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcbbohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eljchpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdqph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjcojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldhdlnli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hllkqdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiokacgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epjhcnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agqhik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oogdfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnebmgjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfaqcclf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahinbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhdocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejeebpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohnljine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goamlkpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoefgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnknim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnppkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfjllnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijonfmbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Komoed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcqjal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapbodql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjgpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goadfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifckkhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbenho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggicbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mopeofjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmppneal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfmlok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgffka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoefgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabodcnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
22	7616	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
1284	Hhaggp32.exe
1320	Hicpgc32.exe
4104	Iialhaad.exe
1612	Jidinqpb.exe
2468	Jhifomdj.exe
1292	Joekag32.exe
3420	Jeocna32.exe
4780	Jlikkkhn.exe
4732	Kakmna32.exe
1464	Keifdpif.exe
2220	Kekbjo32.exe
2420	Kiikpnmj.exe
3236	Lhnhajba.exe
2836	Ljpaqmgb.exe
1084	Lhenai32.exe
4456	Llcghg32.exe
420	Modpib32.exe
4576	Mcdeeq32.exe
2852	Mlofcf32.exe
1252	Momcpa32.exe
5092	Nfldgk32.exe
4680	Nimmifgo.exe
5112	Obgohklm.exe
3052	Oqklkbbi.exe
2628	Ojcpdg32.exe
472	Pqbala32.exe
2068	Ppgomnai.exe
3824	Piapkbeg.exe
4024	Pidlqb32.exe
5060	Qamago32.exe
3852	Qapnmopa.exe
4112	Ajjokd32.exe
1848	Afcmfe32.exe
3452	Adjjeieh.exe
2280	Banjnm32.exe
4936	Bdlfjh32.exe
3728	Biiobo32.exe
232	Bpcgpihi.exe
3704	Bjhkmbho.exe
4664	Babcil32.exe
2484	Bbdpad32.exe
3880	Binhnomg.exe
3168	Baepolni.exe
3016	Bfaigclq.exe
1836	Bipecnkd.exe
2572	Bdeiqgkj.exe
4640	Ckpamabg.exe
3776	Cpljehpo.exe
4080	Ckbncapd.exe
4880	Cpogkhnl.exe
1272	Cigkdmel.exe
4180	Cdmoafdb.exe
1500	Ciihjmcj.exe
4744	Caqpkjcl.exe
4120	Cgmhcaac.exe
1140	Cmgqpkip.exe
1768	Cpfmlghd.exe
4888	Dkkaiphj.exe
3080	Daeifj32.exe
1372	Dcffnbee.exe
1840	Dknnoofg.exe
3856	Dpjfgf32.exe
3128	Dkpjdo32.exe
4132	Dajbaika.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmphdomb.dll	Ehhpge32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Decdeama.exe	Dpglmjoj.exe
File created	C:\Windows\SysWOW64\Mnedig32.dll	Hfeoijbi.exe
File created	C:\Windows\SysWOW64\Bipecnkd.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Jjopdl32.dll	Fdogjk32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Mabdlk32.exe	Miklkm32.exe
File created	C:\Windows\SysWOW64\Ohobebig.exe	Odcfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Maoakaip.exe	Mopeofjl.exe
File opened for modification	C:\Windows\SysWOW64\Dpglmjoj.exe	Dimcppgm.exe
File created	C:\Windows\SysWOW64\Pjgemi32.exe	Phfhfa32.exe
File created	C:\Windows\SysWOW64\Lpjelibg.exe	Lmkipncc.exe
File created	C:\Windows\SysWOW64\Nhhldc32.exe	Nandhi32.exe
File created	C:\Windows\SysWOW64\Gijaekjb.dll	Oalpigkb.exe
File created	C:\Windows\SysWOW64\Fqgelfgf.dll	Fongpm32.exe
File opened for modification	C:\Windows\SysWOW64\Kjnihnmd.exe	Kbgafqla.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Bknappeg.dll	Dcmedk32.exe
File created	C:\Windows\SysWOW64\Egjmiege.dll	Mhmcck32.exe
File created	C:\Windows\SysWOW64\Egheil32.dll	Bhbahm32.exe
File created	C:\Windows\SysWOW64\Bhcdcbcl.dll	Cjfclcpg.exe
File opened for modification	C:\Windows\SysWOW64\Dbbdip32.exe	Dlhlleeh.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Jmdjlcnk.dll	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Fcddkggf.exe	Fpfholhc.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Efcicm32.dll	Kffhakjp.exe
File opened for modification	C:\Windows\SysWOW64\Meljappg.exe	Mobbdf32.exe
File created	C:\Windows\SysWOW64\Mnailf32.dll	Opjgidfa.exe
File created	C:\Windows\SysWOW64\Hoengj32.dll	Fajgfiag.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Eifffoob.exe	Dblnid32.exe
File created	C:\Windows\SysWOW64\Miklkm32.exe	Mfmpob32.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Ncjdki32.exe
File opened for modification	C:\Windows\SysWOW64\Hicpgc32.exe	Hhaggp32.exe
File opened for modification	C:\Windows\SysWOW64\Kfidgk32.exe	Kdjhkp32.exe
File created	C:\Windows\SysWOW64\Qkcackeb.exe	Qdihfq32.exe
File created	C:\Windows\SysWOW64\Lapncl32.dll	Bggnijof.exe
File created	C:\Windows\SysWOW64\Hcflch32.exe	Hkodak32.exe
File opened for modification	C:\Windows\SysWOW64\Jjfdfl32.exe	Janpnfee.exe
File created	C:\Windows\SysWOW64\Khcgfo32.exe	Kmncif32.exe
File created	C:\Windows\SysWOW64\Jedoeg32.dll	Pocdba32.exe
File created	C:\Windows\SysWOW64\Aobgiafa.dll	Decdeama.exe
File created	C:\Windows\SysWOW64\Olanmmjm.dll	Mfmpob32.exe
File created	C:\Windows\SysWOW64\Qidimpef.dll	Ajmgof32.exe
File created	C:\Windows\SysWOW64\Fbbnpn32.dll	Modpib32.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmahknh.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Mihjhq32.dll	Ebejem32.exe
File created	C:\Windows\SysWOW64\Dfangk32.dll	Lbcabo32.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Enjfli32.exe
File created	C:\Windows\SysWOW64\Bggnijof.exe	Bqnemp32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Mdddhlbl.exe	Maehlqch.exe
File opened for modification	C:\Windows\SysWOW64\Mcggga32.exe	Llpofd32.exe
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Pkklbh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5396	5408	WerFault.exe	889

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfmminc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhammfci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okiefn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffhakjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bichcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flghognq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilmeida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghmbib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flaiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefjanml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miklkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkoplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqnemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfclcpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfcfnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfhfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmfkjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdqbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oamgcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eedmlo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiehhjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnaffdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnknim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gckcap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidmcqeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egdqph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djbbhafj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqdkkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnoacp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebbmpmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goamlkpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohdbkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmghdpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnanioad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmqjjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpbokjho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbldhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qapnmopa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepkkefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aocmio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdnpeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfcdaehf.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1712	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdibmjj.dll"	Kiodha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcaie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfbakio.dll"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamiaq32.dll"	Jokpcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agmehamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkjpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flbhia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjjmdm.dll"	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcgfpia.dll"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbehhfik.dll"	Kdjhkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlbcolh.dll"	Pdmikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biledggj.dll"	Hebkid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgfep32.dll"	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpcn32.dll"	Dilmeida.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kelpjn32.dll"	Gnanioad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfdklllb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnehdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oamgcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alihodif.dll"	Gbcffk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Ibpgqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdeffgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fikihlmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jglkkiea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgajg32.dll"	Gmfkjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgjeppkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnknim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjelibg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldhdlnli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eacaej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbikolk.dll"	Kkkldg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Najagp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfhnme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okiefn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebejem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikmpcicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljephmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcdfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meljappg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bndjfjhl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1284	4464	03ed3d089e222fe691a1ce1ad04450a2.exe	84
PID 4464 wrote to memory of 1284	4464	03ed3d089e222fe691a1ce1ad04450a2.exe	84
PID 4464 wrote to memory of 1284	4464	03ed3d089e222fe691a1ce1ad04450a2.exe	84
PID 1284 wrote to memory of 1320	1284	Hhaggp32.exe	85
PID 1284 wrote to memory of 1320	1284	Hhaggp32.exe	85
PID 1284 wrote to memory of 1320	1284	Hhaggp32.exe	85
PID 1320 wrote to memory of 4104	1320	Hicpgc32.exe	86
PID 1320 wrote to memory of 4104	1320	Hicpgc32.exe	86
PID 1320 wrote to memory of 4104	1320	Hicpgc32.exe	86
PID 4104 wrote to memory of 1612	4104	Iialhaad.exe	87
PID 4104 wrote to memory of 1612	4104	Iialhaad.exe	87
PID 4104 wrote to memory of 1612	4104	Iialhaad.exe	87
PID 1612 wrote to memory of 2468	1612	Jidinqpb.exe	88
PID 1612 wrote to memory of 2468	1612	Jidinqpb.exe	88
PID 1612 wrote to memory of 2468	1612	Jidinqpb.exe	88
PID 2468 wrote to memory of 1292	2468	Jhifomdj.exe	89
PID 2468 wrote to memory of 1292	2468	Jhifomdj.exe	89
PID 2468 wrote to memory of 1292	2468	Jhifomdj.exe	89
PID 1292 wrote to memory of 3420	1292	Joekag32.exe	90
PID 1292 wrote to memory of 3420	1292	Joekag32.exe	90
PID 1292 wrote to memory of 3420	1292	Joekag32.exe	90
PID 3420 wrote to memory of 4780	3420	Jeocna32.exe	91
PID 3420 wrote to memory of 4780	3420	Jeocna32.exe	91
PID 3420 wrote to memory of 4780	3420	Jeocna32.exe	91
PID 4780 wrote to memory of 4732	4780	Jlikkkhn.exe	92
PID 4780 wrote to memory of 4732	4780	Jlikkkhn.exe	92
PID 4780 wrote to memory of 4732	4780	Jlikkkhn.exe	92
PID 4732 wrote to memory of 1464	4732	Kakmna32.exe	93
PID 4732 wrote to memory of 1464	4732	Kakmna32.exe	93
PID 4732 wrote to memory of 1464	4732	Kakmna32.exe	93
PID 1464 wrote to memory of 2220	1464	Keifdpif.exe	94
PID 1464 wrote to memory of 2220	1464	Keifdpif.exe	94
PID 1464 wrote to memory of 2220	1464	Keifdpif.exe	94
PID 2220 wrote to memory of 2420	2220	Kekbjo32.exe	95
PID 2220 wrote to memory of 2420	2220	Kekbjo32.exe	95
PID 2220 wrote to memory of 2420	2220	Kekbjo32.exe	95
PID 2420 wrote to memory of 3236	2420	Kiikpnmj.exe	96
PID 2420 wrote to memory of 3236	2420	Kiikpnmj.exe	96
PID 2420 wrote to memory of 3236	2420	Kiikpnmj.exe	96
PID 3236 wrote to memory of 2836	3236	Lhnhajba.exe	97
PID 3236 wrote to memory of 2836	3236	Lhnhajba.exe	97
PID 3236 wrote to memory of 2836	3236	Lhnhajba.exe	97
PID 2836 wrote to memory of 1084	2836	Ljpaqmgb.exe	98
PID 2836 wrote to memory of 1084	2836	Ljpaqmgb.exe	98
PID 2836 wrote to memory of 1084	2836	Ljpaqmgb.exe	98
PID 1084 wrote to memory of 4456	1084	Lhenai32.exe	99
PID 1084 wrote to memory of 4456	1084	Lhenai32.exe	99
PID 1084 wrote to memory of 4456	1084	Lhenai32.exe	99
PID 4456 wrote to memory of 420	4456	Llcghg32.exe	100
PID 4456 wrote to memory of 420	4456	Llcghg32.exe	100
PID 4456 wrote to memory of 420	4456	Llcghg32.exe	100
PID 420 wrote to memory of 4576	420	Modpib32.exe	101
PID 420 wrote to memory of 4576	420	Modpib32.exe	101
PID 420 wrote to memory of 4576	420	Modpib32.exe	101
PID 4576 wrote to memory of 2852	4576	Mcdeeq32.exe	102
PID 4576 wrote to memory of 2852	4576	Mcdeeq32.exe	102
PID 4576 wrote to memory of 2852	4576	Mcdeeq32.exe	102
PID 2852 wrote to memory of 1252	2852	Mlofcf32.exe	104
PID 2852 wrote to memory of 1252	2852	Mlofcf32.exe	104
PID 2852 wrote to memory of 1252	2852	Mlofcf32.exe	104
PID 1252 wrote to memory of 5092	1252	Momcpa32.exe	105
PID 1252 wrote to memory of 5092	1252	Momcpa32.exe	105
PID 1252 wrote to memory of 5092	1252	Momcpa32.exe	105
PID 5092 wrote to memory of 4680	5092	Nfldgk32.exe	106

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\03ed3d089e222fe691a1ce1ad04450a2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\03ed3d089e222fe691a1ce1ad04450a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\Hhaggp32.exe
  C:\Windows\system32\Hhaggp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\Hicpgc32.exe
    C:\Windows\system32\Hicpgc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\Iialhaad.exe
      C:\Windows\system32\Iialhaad.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        23⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        24⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        25⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        26⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        27⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        28⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        29⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        30⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        31⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        33⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        34⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        35⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        37⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        41⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        42⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        43⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        46⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        48⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        50⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        51⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        52⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        55⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        56⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        57⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        58⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        59⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        61⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        62⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        63⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        64⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        66⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        67⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        68⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        69⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        70⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        72⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        73⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        74⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        76⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        77⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        78⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        79⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3396
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        81⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        82⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        84⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        85⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        86⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        87⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        88⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        89⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        91⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        92⤵
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        94⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        95⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        96⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        97⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        98⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        99⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        100⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        101⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        102⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        104⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        107⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        108⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        109⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        110⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        111⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        112⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        113⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        114⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        116⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        118⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        119⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        120⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        121⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        122⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        123⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        124⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        125⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        127⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        128⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        129⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        130⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        131⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        132⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        134⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        136⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        137⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        138⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        139⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        140⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        141⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        142⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        143⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        145⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        146⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        148⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        150⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        151⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        153⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        154⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        156⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        158⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        159⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        160⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        161⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        162⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        163⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        165⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        166⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        167⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        169⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        170⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        171⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        172⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        174⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        175⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        176⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        177⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        178⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        179⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        180⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        181⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        182⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        184⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        185⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        186⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        187⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        188⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        189⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        190⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        192⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        193⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        195⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        196⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        197⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        198⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        199⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        200⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        201⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        202⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        204⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        205⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        207⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        208⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        209⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        210⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        211⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        212⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        213⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        214⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        215⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        216⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        217⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        218⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        219⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        220⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        221⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        222⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        223⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        224⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        225⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        226⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        227⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        228⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        229⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        230⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        231⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        232⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        233⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        234⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7392
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:7428
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        238⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        239⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        240⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        241⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        242⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        243⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        244⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        245⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        246⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        247⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        248⤵
        Modifies registry class
        
        PID:7864
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        249⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        251⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        252⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        253⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        254⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        255⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        256⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        257⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        258⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        259⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:7348
        
        C:\Windows\SysWOW64\Dgfdojfm.exe
        
        C:\Windows\system32\Dgfdojfm.exe
        261⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Dpoiho32.exe
        
        C:\Windows\system32\Dpoiho32.exe
        262⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Dcmedk32.exe
        
        C:\Windows\system32\Dcmedk32.exe
        263⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Dmbiackg.exe
        
        C:\Windows\system32\Dmbiackg.exe
        264⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Epaemojk.exe
        
        C:\Windows\system32\Epaemojk.exe
        265⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Eennefib.exe
        
        C:\Windows\system32\Eennefib.exe
        266⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Epcbbohh.exe
        
        C:\Windows\system32\Epcbbohh.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7796
        
        C:\Windows\SysWOW64\Eepkkefp.exe
        
        C:\Windows\system32\Eepkkefp.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\Eljchpnl.exe
        
        C:\Windows\system32\Eljchpnl.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7940
        
        C:\Windows\SysWOW64\Edakimoo.exe
        
        C:\Windows\system32\Edakimoo.exe
        270⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Eebgqe32.exe
        
        C:\Windows\system32\Eebgqe32.exe
        271⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Ephlnn32.exe
        
        C:\Windows\system32\Ephlnn32.exe
        272⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Ecfhji32.exe
        
        C:\Windows\system32\Ecfhji32.exe
        273⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Eippgckc.exe
        
        C:\Windows\system32\Eippgckc.exe
        274⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Epjhcnbp.exe
        
        C:\Windows\system32\Epjhcnbp.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Egdqph32.exe
        
        C:\Windows\system32\Egdqph32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7532
        
        C:\Windows\SysWOW64\Eibmlc32.exe
        
        C:\Windows\system32\Eibmlc32.exe
        277⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Flaiho32.exe
        
        C:\Windows\system32\Flaiho32.exe
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:7780
        
        C:\Windows\SysWOW64\Fdhail32.exe
        
        C:\Windows\system32\Fdhail32.exe
        279⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Fgfmeg32.exe
        
        C:\Windows\system32\Fgfmeg32.exe
        280⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Fjeibc32.exe
        
        C:\Windows\system32\Fjeibc32.exe
        281⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Flcfnn32.exe
        
        C:\Windows\system32\Flcfnn32.exe
        282⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Fcmnkh32.exe
        
        C:\Windows\system32\Fcmnkh32.exe
        283⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Fncbha32.exe
        
        C:\Windows\system32\Fncbha32.exe
        284⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Fgkfqgce.exe
        
        C:\Windows\system32\Fgkfqgce.exe
        285⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Fdogjk32.exe
        
        C:\Windows\system32\Fdogjk32.exe
        286⤵
        Drops file in System32 directory
        
        PID:7368
        
        C:\Windows\SysWOW64\Fjlpbb32.exe
        
        C:\Windows\system32\Fjlpbb32.exe
        287⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Fpfholhc.exe
        
        C:\Windows\system32\Fpfholhc.exe
        288⤵
        Drops file in System32 directory
        
        PID:8204
        
        C:\Windows\SysWOW64\Fcddkggf.exe
        
        C:\Windows\system32\Fcddkggf.exe
        289⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Gnjhhpgl.exe
        
        C:\Windows\system32\Gnjhhpgl.exe
        290⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Gcgqag32.exe
        
        C:\Windows\system32\Gcgqag32.exe
        291⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Ggbmafnm.exe
        
        C:\Windows\system32\Ggbmafnm.exe
        292⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Gjqinamq.exe
        
        C:\Windows\system32\Gjqinamq.exe
        293⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Gloejmld.exe
        
        C:\Windows\system32\Gloejmld.exe
        294⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Gdfmkjlg.exe
        
        C:\Windows\system32\Gdfmkjlg.exe
        295⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Gfgjbb32.exe
        
        C:\Windows\system32\Gfgjbb32.exe
        296⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Gnoacp32.exe
        
        C:\Windows\system32\Gnoacp32.exe
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:8640
        
        C:\Windows\SysWOW64\Gqmnpk32.exe
        
        C:\Windows\system32\Gqmnpk32.exe
        298⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        299⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Gnanioad.exe
        
        C:\Windows\system32\Gnanioad.exe
        300⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8772
        
        C:\Windows\SysWOW64\Gqokekph.exe
        
        C:\Windows\system32\Gqokekph.exe
        301⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Ggicbe32.exe
        
        C:\Windows\system32\Ggicbe32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8848
        
        C:\Windows\SysWOW64\Gmfkjl32.exe
        
        C:\Windows\system32\Gmfkjl32.exe
        303⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Gdmcki32.exe
        
        C:\Windows\system32\Gdmcki32.exe
        304⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Gglpgd32.exe
        
        C:\Windows\system32\Gglpgd32.exe
        305⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Hnehdo32.exe
        
        C:\Windows\system32\Hnehdo32.exe
        306⤵
        Modifies registry class
        
        PID:8992
        
        C:\Windows\SysWOW64\Hgnlmdcp.exe
        
        C:\Windows\system32\Hgnlmdcp.exe
        307⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Hmkeekag.exe
        
        C:\Windows\system32\Hmkeekag.exe
        308⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Hjoeoo32.exe
        
        C:\Windows\system32\Hjoeoo32.exe
        309⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Hjabdo32.exe
        
        C:\Windows\system32\Hjabdo32.exe
        310⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Hjcojo32.exe
        
        C:\Windows\system32\Hjcojo32.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9172
        
        C:\Windows\SysWOW64\Hdicggla.exe
        
        C:\Windows\system32\Hdicggla.exe
        312⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Inagpm32.exe
        
        C:\Windows\system32\Inagpm32.exe
        313⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Idkpmgjo.exe
        
        C:\Windows\system32\Idkpmgjo.exe
        314⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Ifmldo32.exe
        
        C:\Windows\system32\Ifmldo32.exe
        315⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Imfdaigj.exe
        
        C:\Windows\system32\Imfdaigj.exe
        316⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Ienlbf32.exe
        
        C:\Windows\system32\Ienlbf32.exe
        317⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Ijjekn32.exe
        
        C:\Windows\system32\Ijjekn32.exe
        318⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Imiagi32.exe
        
        C:\Windows\system32\Imiagi32.exe
        319⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Icciccmd.exe
        
        C:\Windows\system32\Icciccmd.exe
        320⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Ijmapm32.exe
        
        C:\Windows\system32\Ijmapm32.exe
        321⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Iebfmfdg.exe
        
        C:\Windows\system32\Iebfmfdg.exe
        322⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Ijonfmbn.exe
        
        C:\Windows\system32\Ijonfmbn.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3808
        
        C:\Windows\SysWOW64\Iaifbg32.exe
        
        C:\Windows\system32\Iaifbg32.exe
        324⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Jgcooaah.exe
        
        C:\Windows\system32\Jgcooaah.exe
        325⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Jnmglk32.exe
        
        C:\Windows\system32\Jnmglk32.exe
        326⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Jcjodbgl.exe
        
        C:\Windows\system32\Jcjodbgl.exe
        327⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Jmbdmg32.exe
        
        C:\Windows\system32\Jmbdmg32.exe
        328⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Janpnfee.exe
        
        C:\Windows\system32\Janpnfee.exe
        329⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Jjfdfl32.exe
        
        C:\Windows\system32\Jjfdfl32.exe
        330⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Jmdqbg32.exe
        
        C:\Windows\system32\Jmdqbg32.exe
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:8488
        
        C:\Windows\SysWOW64\Jgjeppkp.exe
        
        C:\Windows\system32\Jgjeppkp.exe
        332⤵
        Modifies registry class
        
        PID:8648
        
        C:\Windows\SysWOW64\Jjhalkjc.exe
        
        C:\Windows\system32\Jjhalkjc.exe
        333⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        334⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Jglaepim.exe
        
        C:\Windows\system32\Jglaepim.exe
        335⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Jaefne32.exe
        
        C:\Windows\system32\Jaefne32.exe
        336⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Khonkogj.exe
        
        C:\Windows\system32\Khonkogj.exe
        337⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Knifging.exe
        
        C:\Windows\system32\Knifging.exe
        338⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Kebodc32.exe
        
        C:\Windows\system32\Kebodc32.exe
        339⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Kfdklllb.exe
        
        C:\Windows\system32\Kfdklllb.exe
        340⤵
        Modifies registry class
        
        PID:8728
        
        C:\Windows\SysWOW64\Kmncif32.exe
        
        C:\Windows\system32\Kmncif32.exe
        341⤵
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Khcgfo32.exe
        
        C:\Windows\system32\Khcgfo32.exe
        342⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Kffhakjp.exe
        
        C:\Windows\system32\Kffhakjp.exe
        343⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8300
        
        C:\Windows\SysWOW64\Kmppneal.exe
        
        C:\Windows\system32\Kmppneal.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8780
        
        C:\Windows\SysWOW64\Keghocao.exe
        
        C:\Windows\system32\Keghocao.exe
        345⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Kdjhkp32.exe
        
        C:\Windows\system32\Kdjhkp32.exe
        346⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Kfidgk32.exe
        
        C:\Windows\system32\Kfidgk32.exe
        347⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Kejeebpl.exe
        
        C:\Windows\system32\Kejeebpl.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8720
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        349⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Kjfmminc.exe
        
        C:\Windows\system32\Kjfmminc.exe
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:9268
        
        C:\Windows\SysWOW64\Lhjnfn32.exe
        
        C:\Windows\system32\Lhjnfn32.exe
        351⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Ljijci32.exe
        
        C:\Windows\system32\Ljijci32.exe
        352⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Lacbpccn.exe
        
        C:\Windows\system32\Lacbpccn.exe
        353⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Lhmjlm32.exe
        
        C:\Windows\system32\Lhmjlm32.exe
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:9408
        
        C:\Windows\SysWOW64\Ljkghi32.exe
        
        C:\Windows\system32\Ljkghi32.exe
        355⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Laeoec32.exe
        
        C:\Windows\system32\Laeoec32.exe
        356⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        357⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Loiong32.exe
        
        C:\Windows\system32\Loiong32.exe
        358⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Lechkaga.exe
        
        C:\Windows\system32\Lechkaga.exe
        359⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Lokldg32.exe
        
        C:\Windows\system32\Lokldg32.exe
        360⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Ldhdlnli.exe
        
        C:\Windows\system32\Ldhdlnli.exe
        361⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9652
        
        C:\Windows\SysWOW64\Lkbmih32.exe
        
        C:\Windows\system32\Lkbmih32.exe
        362⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Mehafq32.exe
        
        C:\Windows\system32\Mehafq32.exe
        363⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Mginniij.exe
        
        C:\Windows\system32\Mginniij.exe
        364⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Mopeofjl.exe
        
        C:\Windows\system32\Mopeofjl.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9792
        
        C:\Windows\SysWOW64\Maoakaip.exe
        
        C:\Windows\system32\Maoakaip.exe
        366⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Mdmngm32.exe
        
        C:\Windows\system32\Mdmngm32.exe
        367⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:9952
        
        C:\Windows\SysWOW64\Mobbdf32.exe
        
        C:\Windows\system32\Mobbdf32.exe
        369⤵
        Drops file in System32 directory
        
        PID:9996
        
        C:\Windows\SysWOW64\Meljappg.exe
        
        C:\Windows\system32\Meljappg.exe
        370⤵
        Modifies registry class
        
        PID:10036
        
        C:\Windows\SysWOW64\Mmhofbma.exe
        
        C:\Windows\system32\Mmhofbma.exe
        371⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Mhmcck32.exe
        
        C:\Windows\system32\Mhmcck32.exe
        372⤵
        Drops file in System32 directory
        
        PID:10108
        
        C:\Windows\SysWOW64\Moglpedd.exe
        
        C:\Windows\system32\Moglpedd.exe
        373⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Maehlqch.exe
        
        C:\Windows\system32\Maehlqch.exe
        374⤵
        Drops file in System32 directory
        
        PID:10180
        
        C:\Windows\SysWOW64\Mdddhlbl.exe
        
        C:\Windows\system32\Mdddhlbl.exe
        375⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10216
        
        C:\Windows\SysWOW64\Mknlef32.exe
        
        C:\Windows\system32\Mknlef32.exe
        376⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Necqbo32.exe
        
        C:\Windows\system32\Necqbo32.exe
        377⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Nhbmnj32.exe
        
        C:\Windows\system32\Nhbmnj32.exe
        378⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\Nolekd32.exe
        
        C:\Windows\system32\Nolekd32.exe
        379⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Najagp32.exe
        
        C:\Windows\system32\Najagp32.exe
        380⤵
        Modifies registry class
        
        PID:9492
        
        C:\Windows\SysWOW64\Namnmp32.exe
        
        C:\Windows\system32\Namnmp32.exe
        381⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Nhffijdm.exe
        
        C:\Windows\system32\Nhffijdm.exe
        382⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Noqofdlj.exe
        
        C:\Windows\system32\Noqofdlj.exe
        383⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Ndmgnkja.exe
        
        C:\Windows\system32\Ndmgnkja.exe
        384⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Nhicoi32.exe
        
        C:\Windows\system32\Nhicoi32.exe
        385⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Nnfkgp32.exe
        
        C:\Windows\system32\Nnfkgp32.exe
        386⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Ndpcdjho.exe
        
        C:\Windows\system32\Ndpcdjho.exe
        387⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        388⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Onhhmpoo.exe
        
        C:\Windows\system32\Onhhmpoo.exe
        389⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Ohnljine.exe
        
        C:\Windows\system32\Ohnljine.exe
        390⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10208
        
        C:\Windows\SysWOW64\Oogdfc32.exe
        
        C:\Windows\system32\Oogdfc32.exe
        391⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9280
        
        C:\Windows\SysWOW64\Oddmoj32.exe
        
        C:\Windows\system32\Oddmoj32.exe
        392⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Okneldkf.exe
        
        C:\Windows\system32\Okneldkf.exe
        393⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Oahnhncc.exe
        
        C:\Windows\system32\Oahnhncc.exe
        394⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Ohbfeh32.exe
        
        C:\Windows\system32\Ohbfeh32.exe
        395⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Okqbac32.exe
        
        C:\Windows\system32\Okqbac32.exe
        396⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Oeffnl32.exe
        
        C:\Windows\system32\Oeffnl32.exe
        397⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Ohdbkh32.exe
        
        C:\Windows\system32\Ohdbkh32.exe
        398⤵
        System Location Discovery: System Language Discovery
        
        PID:10160
        
        C:\Windows\SysWOW64\Okcogc32.exe
        
        C:\Windows\system32\Okcogc32.exe
        399⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Oamgcm32.exe
        
        C:\Windows\system32\Oamgcm32.exe
        400⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9452
        
        C:\Windows\SysWOW64\Okeklcen.exe
        
        C:\Windows\system32\Okeklcen.exe
        401⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Paocim32.exe
        
        C:\Windows\system32\Paocim32.exe
        402⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Pdnpeh32.exe
        
        C:\Windows\system32\Pdnpeh32.exe
        403⤵
        System Location Discovery: System Language Discovery
        
        PID:9252
        
        C:\Windows\SysWOW64\Pocdba32.exe
        
        C:\Windows\system32\Pocdba32.exe
        404⤵
        Drops file in System32 directory
        
        PID:9436
        
        C:\Windows\SysWOW64\Pfmlok32.exe
        
        C:\Windows\system32\Pfmlok32.exe
        405⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9992
        
        C:\Windows\SysWOW64\Pgoigcip.exe
        
        C:\Windows\system32\Pgoigcip.exe
        406⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        407⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        408⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Pklamb32.exe
        
        C:\Windows\system32\Pklamb32.exe
        409⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        410⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10284
        
        C:\Windows\SysWOW64\Pdeffgff.exe
        
        C:\Windows\system32\Pdeffgff.exe
        411⤵
        Modifies registry class
        
        PID:10320
        
        C:\Windows\SysWOW64\Pgcbbc32.exe
        
        C:\Windows\system32\Pgcbbc32.exe
        412⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Pojjcp32.exe
        
        C:\Windows\system32\Pojjcp32.exe
        413⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Pdgckg32.exe
        
        C:\Windows\system32\Pdgckg32.exe
        414⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\Qnpgdmjd.exe
        
        C:\Windows\system32\Qnpgdmjd.exe
        415⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Qdipag32.exe
        
        C:\Windows\system32\Qdipag32.exe
        416⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Qghlmbae.exe
        
        C:\Windows\system32\Qghlmbae.exe
        417⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Qfilkj32.exe
        
        C:\Windows\system32\Qfilkj32.exe
        418⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Qhghge32.exe
        
        C:\Windows\system32\Qhghge32.exe
        419⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        420⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\Agmehamp.exe
        
        C:\Windows\system32\Agmehamp.exe
        421⤵
        Modifies registry class
        
        PID:10688
        
        C:\Windows\SysWOW64\Aocmio32.exe
        
        C:\Windows\system32\Aocmio32.exe
        422⤵
        System Location Discovery: System Language Discovery
        
        PID:10724
        
        C:\Windows\SysWOW64\Afnefieo.exe
        
        C:\Windows\system32\Afnefieo.exe
        423⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Ailabddb.exe
        
        C:\Windows\system32\Ailabddb.exe
        424⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Abdfkj32.exe
        
        C:\Windows\system32\Abdfkj32.exe
        425⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Aecbge32.exe
        
        C:\Windows\system32\Aecbge32.exe
        426⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        427⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        428⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\Akogio32.exe
        
        C:\Windows\system32\Akogio32.exe
        429⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Abipfifn.exe
        
        C:\Windows\system32\Abipfifn.exe
        430⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        431⤵
        System Location Discovery: System Language Discovery
        
        PID:11048
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        432⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11084
        
        C:\Windows\SysWOW64\Bejhhd32.exe
        
        C:\Windows\system32\Bejhhd32.exe
        433⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Bghddp32.exe
        
        C:\Windows\system32\Bghddp32.exe
        434⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Bnbmqjjo.exe
        
        C:\Windows\system32\Bnbmqjjo.exe
        435⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:11192
        
        C:\Windows\SysWOW64\Bfieagka.exe
        
        C:\Windows\system32\Bfieagka.exe
        436⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\Bkfmjnii.exe
        
        C:\Windows\system32\Bkfmjnii.exe
        437⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Bndjfjhl.exe
        
        C:\Windows\system32\Bndjfjhl.exe
        438⤵
        Modifies registry class
        
        PID:10292
        
        C:\Windows\SysWOW64\Bflagg32.exe
        
        C:\Windows\system32\Bflagg32.exe
        439⤵
        System Location Discovery: System Language Discovery
        
        PID:10352
        
        C:\Windows\SysWOW64\Bkhjpn32.exe
        
        C:\Windows\system32\Bkhjpn32.exe
        440⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        441⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        442⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\Bfpkbfdi.exe
        
        C:\Windows\system32\Bfpkbfdi.exe
        443⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\Cgagjo32.exe
        
        C:\Windows\system32\Cgagjo32.exe
        444⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Cpipkl32.exe
        
        C:\Windows\system32\Cpipkl32.exe
        445⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Ciaddaaj.exe
        
        C:\Windows\system32\Ciaddaaj.exe
        446⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Clpppmqn.exe
        
        C:\Windows\system32\Clpppmqn.exe
        447⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\Cnnllhpa.exe
        
        C:\Windows\system32\Cnnllhpa.exe
        448⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        449⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Cnpibh32.exe
        
        C:\Windows\system32\Cnpibh32.exe
        450⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Cifmoa32.exe
        
        C:\Windows\system32\Cifmoa32.exe
        451⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\Chinkndp.exe
        
        C:\Windows\system32\Chinkndp.exe
        452⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Cnbfgh32.exe
        
        C:\Windows\system32\Cnbfgh32.exe
        453⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        454⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Chkjpm32.exe
        
        C:\Windows\system32\Chkjpm32.exe
        455⤵
        Modifies registry class
        
        PID:10316
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        456⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10420
        
        C:\Windows\SysWOW64\Deokja32.exe
        
        C:\Windows\system32\Deokja32.exe
        457⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10528
        
        C:\Windows\SysWOW64\Dpdogj32.exe
        
        C:\Windows\system32\Dpdogj32.exe
        458⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        459⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Dimcppgm.exe
        
        C:\Windows\system32\Dimcppgm.exe
        460⤵
        Drops file in System32 directory
        
        PID:10768
        
        C:\Windows\SysWOW64\Dpglmjoj.exe
        
        C:\Windows\system32\Dpglmjoj.exe
        461⤵
        Drops file in System32 directory
        
        PID:10884
        
        C:\Windows\SysWOW64\Decdeama.exe
        
        C:\Windows\system32\Decdeama.exe
        462⤵
        Drops file in System32 directory
        
        PID:10996
        
        C:\Windows\SysWOW64\Dpihbjmg.exe
        
        C:\Windows\system32\Dpihbjmg.exe
        463⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\Dfcqod32.exe
        
        C:\Windows\system32\Dfcqod32.exe
        464⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Dhdmfljb.exe
        
        C:\Windows\system32\Dhdmfljb.exe
        465⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Donecfao.exe
        
        C:\Windows\system32\Donecfao.exe
        466⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Dehnpp32.exe
        
        C:\Windows\system32\Dehnpp32.exe
        467⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4872
        
        C:\Windows\SysWOW64\Dhgjll32.exe
        
        C:\Windows\system32\Dhgjll32.exe
        468⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Dblnid32.exe
        
        C:\Windows\system32\Dblnid32.exe
        469⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Eifffoob.exe
        
        C:\Windows\system32\Eifffoob.exe
        470⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Eoconenj.exe
        
        C:\Windows\system32\Eoconenj.exe
        471⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10280
        
        C:\Windows\SysWOW64\Efjgpc32.exe
        
        C:\Windows\system32\Efjgpc32.exe
        472⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Eoekde32.exe
        
        C:\Windows\system32\Eoekde32.exe
        473⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Eohhie32.exe
        
        C:\Windows\system32\Eohhie32.exe
        474⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Eeaqfo32.exe
        
        C:\Windows\system32\Eeaqfo32.exe
        475⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Ehpmbj32.exe
        
        C:\Windows\system32\Ehpmbj32.exe
        476⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        477⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Eedmlo32.exe
        
        C:\Windows\system32\Eedmlo32.exe
        478⤵
        System Location Discovery: System Language Discovery
        
        PID:10860
        
        C:\Windows\SysWOW64\Ehbihj32.exe
        
        C:\Windows\system32\Ehbihj32.exe
        479⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Fbhnec32.exe
        
        C:\Windows\system32\Fbhnec32.exe
        480⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\Fefjanml.exe
        
        C:\Windows\system32\Fefjanml.exe
        481⤵
        System Location Discovery: System Language Discovery
        
        PID:11368
        
        C:\Windows\SysWOW64\Flpbnh32.exe
        
        C:\Windows\system32\Flpbnh32.exe
        482⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\Fgffka32.exe
        
        C:\Windows\system32\Fgffka32.exe
        483⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11440
        
        C:\Windows\SysWOW64\Fidbgm32.exe
        
        C:\Windows\system32\Fidbgm32.exe
        484⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\Fpnkdfko.exe
        
        C:\Windows\system32\Fpnkdfko.exe
        485⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\Fcmgpbjc.exe
        
        C:\Windows\system32\Fcmgpbjc.exe
        486⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\Fekclnif.exe
        
        C:\Windows\system32\Fekclnif.exe
        487⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\Fpqgjf32.exe
        
        C:\Windows\system32\Fpqgjf32.exe
        488⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\Fempbm32.exe
        
        C:\Windows\system32\Fempbm32.exe
        489⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Flghognq.exe
        
        C:\Windows\system32\Flghognq.exe
        490⤵
        System Location Discovery: System Language Discovery
        
        PID:11676
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        491⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Fikihlmj.exe
        
        C:\Windows\system32\Fikihlmj.exe
        492⤵
        Modifies registry class
        
        PID:11732
        
        C:\Windows\SysWOW64\Fpeaeedg.exe
        
        C:\Windows\system32\Fpeaeedg.exe
        493⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\Ggoiap32.exe
        
        C:\Windows\system32\Ggoiap32.exe
        494⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Ghqeihbb.exe
        
        C:\Windows\system32\Ghqeihbb.exe
        495⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\Gojnfb32.exe
        
        C:\Windows\system32\Gojnfb32.exe
        496⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\Gipbck32.exe
        
        C:\Windows\system32\Gipbck32.exe
        497⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Gpjjpe32.exe
        
        C:\Windows\system32\Gpjjpe32.exe
        498⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        499⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\Glqkefff.exe
        
        C:\Windows\system32\Glqkefff.exe
        500⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\Gckcap32.exe
        
        C:\Windows\system32\Gckcap32.exe
        501⤵
        System Location Discovery: System Language Discovery
        
        PID:11996
        
        C:\Windows\SysWOW64\Ghgljg32.exe
        
        C:\Windows\system32\Ghgljg32.exe
        502⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\Goadfa32.exe
        
        C:\Windows\system32\Goadfa32.exe
        503⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12052
        
        C:\Windows\SysWOW64\Ggilgn32.exe
        
        C:\Windows\system32\Ggilgn32.exe
        504⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\Ghjhofjg.exe
        
        C:\Windows\system32\Ghjhofjg.exe
        505⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\Hodqlq32.exe
        
        C:\Windows\system32\Hodqlq32.exe
        506⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\Hgkimn32.exe
        
        C:\Windows\system32\Hgkimn32.exe
        507⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\Hhleefhe.exe
        
        C:\Windows\system32\Hhleefhe.exe
        508⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\Hofmaq32.exe
        
        C:\Windows\system32\Hofmaq32.exe
        509⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\Hfpenj32.exe
        
        C:\Windows\system32\Hfpenj32.exe
        510⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\Hljnkdnk.exe
        
        C:\Windows\system32\Hljnkdnk.exe
        511⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Hohjgpmo.exe
        
        C:\Windows\system32\Hohjgpmo.exe
        512⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\Hfbbdj32.exe
        
        C:\Windows\system32\Hfbbdj32.exe
        513⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Hllkqdli.exe
        
        C:\Windows\system32\Hllkqdli.exe
        514⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11400
        
        C:\Windows\SysWOW64\Hcfcmnce.exe
        
        C:\Windows\system32\Hcfcmnce.exe
        515⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Hfeoijbi.exe
        
        C:\Windows\system32\Hfeoijbi.exe
        516⤵
        Drops file in System32 directory
        
        PID:11504
        
        C:\Windows\SysWOW64\Hlogfd32.exe
        
        C:\Windows\system32\Hlogfd32.exe
        517⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\Homcbo32.exe
        
        C:\Windows\system32\Homcbo32.exe
        518⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\Hjbhph32.exe
        
        C:\Windows\system32\Hjbhph32.exe
        519⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\Hladlc32.exe
        
        C:\Windows\system32\Hladlc32.exe
        520⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\Icklhnop.exe
        
        C:\Windows\system32\Icklhnop.exe
        521⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Ijedehgm.exe
        
        C:\Windows\system32\Ijedehgm.exe
        522⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11872
        
        C:\Windows\SysWOW64\Iqombb32.exe
        
        C:\Windows\system32\Iqombb32.exe
        523⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\Icminm32.exe
        
        C:\Windows\system32\Icminm32.exe
        524⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\Ijgakgej.exe
        
        C:\Windows\system32\Ijgakgej.exe
        525⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\Iqaiga32.exe
        
        C:\Windows\system32\Iqaiga32.exe
        526⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        527⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Ihmnldib.exe
        
        C:\Windows\system32\Ihmnldib.exe
        528⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12248
        
        C:\Windows\SysWOW64\Iqdfmajd.exe
        
        C:\Windows\system32\Iqdfmajd.exe
        529⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\Ignnjk32.exe
        
        C:\Windows\system32\Ignnjk32.exe
        530⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\Iiokacgp.exe
        
        C:\Windows\system32\Iiokacgp.exe
        531⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11488
        
        C:\Windows\SysWOW64\Ioicnn32.exe
        
        C:\Windows\system32\Ioicnn32.exe
        532⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Ifckkhfi.exe
        
        C:\Windows\system32\Ifckkhfi.exe
        533⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11712
        
        C:\Windows\SysWOW64\Jokpcmmj.exe
        
        C:\Windows\system32\Jokpcmmj.exe
        534⤵
        Modifies registry class
        
        PID:11896
        
        C:\Windows\SysWOW64\Jgbhdkml.exe
        
        C:\Windows\system32\Jgbhdkml.exe
        535⤵
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Jicdlc32.exe
        
        C:\Windows\system32\Jicdlc32.exe
        536⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Jqklnp32.exe
        
        C:\Windows\system32\Jqklnp32.exe
        537⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Jgedjjki.exe
        
        C:\Windows\system32\Jgedjjki.exe
        538⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\Jjcqffkm.exe
        
        C:\Windows\system32\Jjcqffkm.exe
        539⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Jopiom32.exe
        
        C:\Windows\system32\Jopiom32.exe
        540⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Jjemle32.exe
        
        C:\Windows\system32\Jjemle32.exe
        541⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Jqofippg.exe
        
        C:\Windows\system32\Jqofippg.exe
        542⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11384
        
        C:\Windows\SysWOW64\Jflnafno.exe
        
        C:\Windows\system32\Jflnafno.exe
        543⤵
        
        PID:944
        
        C:\Windows\SysWOW64\Jikjmbmb.exe
        
        C:\Windows\system32\Jikjmbmb.exe
        544⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Jpdbjleo.exe
        
        C:\Windows\system32\Jpdbjleo.exe
        545⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Jglkkiea.exe
        
        C:\Windows\system32\Jglkkiea.exe
        546⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Kimgba32.exe
        
        C:\Windows\system32\Kimgba32.exe
        547⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\Kcbkpj32.exe
        
        C:\Windows\system32\Kcbkpj32.exe
        548⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Kgngqico.exe
        
        C:\Windows\system32\Kgngqico.exe
        549⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Kiodha32.exe
        
        C:\Windows\system32\Kiodha32.exe
        550⤵
        Modifies registry class
        
        PID:12316
        
        C:\Windows\SysWOW64\Kpilekqj.exe
        
        C:\Windows\system32\Kpilekqj.exe
        551⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\Kfcdaehf.exe
        
        C:\Windows\system32\Kfcdaehf.exe
        552⤵
        System Location Discovery: System Language Discovery
        
        PID:12372
        
        C:\Windows\SysWOW64\Kmmmnp32.exe
        
        C:\Windows\system32\Kmmmnp32.exe
        553⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\Kplijk32.exe
        
        C:\Windows\system32\Kplijk32.exe
        554⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\Kfeagefd.exe
        
        C:\Windows\system32\Kfeagefd.exe
        555⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12460
        
        C:\Windows\SysWOW64\Kidmcqeg.exe
        
        C:\Windows\system32\Kidmcqeg.exe
        556⤵
        System Location Discovery: System Language Discovery
        
        PID:12488
        
        C:\Windows\SysWOW64\Kciaqi32.exe
        
        C:\Windows\system32\Kciaqi32.exe
        557⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\Kfhnme32.exe
        
        C:\Windows\system32\Kfhnme32.exe
        558⤵
        Modifies registry class
        
        PID:12544
        
        C:\Windows\SysWOW64\Kmbfiokn.exe
        
        C:\Windows\system32\Kmbfiokn.exe
        559⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Kclnfi32.exe
        
        C:\Windows\system32\Kclnfi32.exe
        560⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\Ljffccjh.exe
        
        C:\Windows\system32\Ljffccjh.exe
        561⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        562⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\Lpbokjho.exe
        
        C:\Windows\system32\Lpbokjho.exe
        563⤵
        System Location Discovery: System Language Discovery
        
        PID:12684
        
        C:\Windows\SysWOW64\Lfmghdpl.exe
        
        C:\Windows\system32\Lfmghdpl.exe
        564⤵
        System Location Discovery: System Language Discovery
        
        PID:12712
        
        C:\Windows\SysWOW64\Lmfodn32.exe
        
        C:\Windows\system32\Lmfodn32.exe
        565⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\Lcqgahoe.exe
        
        C:\Windows\system32\Lcqgahoe.exe
        566⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\Lfodmdni.exe
        
        C:\Windows\system32\Lfodmdni.exe
        567⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\Lmiljn32.exe
        
        C:\Windows\system32\Lmiljn32.exe
        568⤵
        Modifies registry class
        
        PID:12824
        
        C:\Windows\SysWOW64\Lpghfi32.exe
        
        C:\Windows\system32\Lpghfi32.exe
        569⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\Lfaqcclf.exe
        
        C:\Windows\system32\Lfaqcclf.exe
        570⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12880
        
        C:\Windows\SysWOW64\Lmkipncc.exe
        
        C:\Windows\system32\Lmkipncc.exe
        571⤵
        Drops file in System32 directory
        
        PID:12908
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        572⤵
        Modifies registry class
        
        PID:12936
        
        C:\Windows\SysWOW64\Lhammfci.exe
        
        C:\Windows\system32\Lhammfci.exe
        573⤵
        System Location Discovery: System Language Discovery
        
        PID:12964
        
        C:\Windows\SysWOW64\Libido32.exe
        
        C:\Windows\system32\Libido32.exe
        574⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\Laiafl32.exe
        
        C:\Windows\system32\Laiafl32.exe
        575⤵
        
        PID:13020
        
        C:\Windows\SysWOW64\Lhcjbfag.exe
        
        C:\Windows\system32\Lhcjbfag.exe
        576⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\Mjafoapj.exe
        
        C:\Windows\system32\Mjafoapj.exe
        577⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\Malnklgg.exe
        
        C:\Windows\system32\Malnklgg.exe
        578⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\Mdjjgggk.exe
        
        C:\Windows\system32\Mdjjgggk.exe
        579⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\Mfhgcbfo.exe
        
        C:\Windows\system32\Mfhgcbfo.exe
        580⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\Mmbopm32.exe
        
        C:\Windows\system32\Mmbopm32.exe
        581⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\Mdlgmgdh.exe
        
        C:\Windows\system32\Mdlgmgdh.exe
        582⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\Mjfoja32.exe
        
        C:\Windows\system32\Mjfoja32.exe
        583⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\Mapgfk32.exe
        
        C:\Windows\system32\Mapgfk32.exe
        584⤵
        Modifies registry class
        
        PID:13280
        
        C:\Windows\SysWOW64\Mdodbf32.exe
        
        C:\Windows\system32\Mdodbf32.exe
        585⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\Mfmpob32.exe
        
        C:\Windows\system32\Mfmpob32.exe
        586⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Miklkm32.exe
        
        C:\Windows\system32\Miklkm32.exe
        587⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:12340
        
        C:\Windows\SysWOW64\Mabdlk32.exe
        
        C:\Windows\system32\Mabdlk32.exe
        588⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        589⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        590⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3188
        
        C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        591⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        592⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        593⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\Nagngjmj.exe
        
        C:\Windows\system32\Nagngjmj.exe
        594⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        595⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\Nibbklke.exe
        
        C:\Windows\system32\Nibbklke.exe
        596⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        597⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Nhcbidcd.exe
        
        C:\Windows\system32\Nhcbidcd.exe
        598⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Nmpkakak.exe
        
        C:\Windows\system32\Nmpkakak.exe
        599⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        600⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        601⤵
        
        PID:13028
        
        C:\Windows\SysWOW64\Nandhi32.exe
        
        C:\Windows\system32\Nandhi32.exe
        602⤵
        Drops file in System32 directory
        
        PID:13072
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        603⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3236
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        604⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\Npcaie32.exe
        
        C:\Windows\system32\Npcaie32.exe
        605⤵
        Modifies registry class
        
        PID:13232
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        606⤵
        Modifies registry class
        
        PID:13276
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        607⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Oacmchcl.exe
        
        C:\Windows\system32\Oacmchcl.exe
        608⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        609⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        610⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        611⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        612⤵
        Drops file in System32 directory
        
        PID:12776
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        613⤵
        
        PID:420
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        614⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        615⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ogdofo32.exe
        
        C:\Windows\system32\Ogdofo32.exe
        616⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        617⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\Oajccgmd.exe
        
        C:\Windows\system32\Oajccgmd.exe
        618⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        619⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\Oiehhjjp.exe
        
        C:\Windows\system32\Oiehhjjp.exe
        620⤵
        System Location Discovery: System Language Discovery
        
        PID:12592
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        621⤵
        Drops file in System32 directory
        
        PID:12760
        
        C:\Windows\SysWOW64\Phfhfa32.exe
        
        C:\Windows\system32\Phfhfa32.exe
        622⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:12844
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        623⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2792
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        624⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Pdmikb32.exe
        
        C:\Windows\system32\Pdmikb32.exe
        625⤵
        Modifies registry class
        
        PID:13300
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        626⤵
        
        PID:12648
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        627⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        628⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Pacfjfej.exe
        
        C:\Windows\system32\Pacfjfej.exe
        629⤵
        
        PID:12496
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        630⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        631⤵
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        632⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        633⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        634⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        635⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        636⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\Qgehml32.exe
        
        C:\Windows\system32\Qgehml32.exe
        637⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        638⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\Qdihfq32.exe
        
        C:\Windows\system32\Qdihfq32.exe
        639⤵
        Drops file in System32 directory
        
        PID:13496
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        640⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\Qnamofdf.exe
        
        C:\Windows\system32\Qnamofdf.exe
        641⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        642⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        643⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        644⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        645⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13664
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        646⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        647⤵
        
        PID:13720
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        648⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        649⤵
        Drops file in System32 directory
        
        PID:13776
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        650⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        651⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13832
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        652⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\Ahpdcn32.exe
        
        C:\Windows\system32\Ahpdcn32.exe
        653⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        654⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        655⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\Bhbahm32.exe
        
        C:\Windows\system32\Bhbahm32.exe
        656⤵
        Drops file in System32 directory
        
        PID:13976
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        657⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        658⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:14032
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        659⤵
        Drops file in System32 directory
        
        PID:14060
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        660⤵
        System Location Discovery: System Language Discovery
        
        PID:14088
        
        C:\Windows\SysWOW64\Bdlncn32.exe
        
        C:\Windows\system32\Bdlncn32.exe
        661⤵
        
        PID:14116
        
        C:\Windows\SysWOW64\Bkefphem.exe
        
        C:\Windows\system32\Bkefphem.exe
        662⤵
        
        PID:14144
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        663⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        664⤵
        
        PID:14200
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        665⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        666⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        667⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        668⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        669⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        670⤵
        
        PID:13372
        
        C:\Windows\SysWOW64\Cjomldfp.exe
        
        C:\Windows\system32\Cjomldfp.exe
        671⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13432
        
        C:\Windows\SysWOW64\Cqiehnml.exe
        
        C:\Windows\system32\Cqiehnml.exe
        672⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        673⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        674⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        675⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        676⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        677⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\Cjfclcpg.exe
        
        C:\Windows\system32\Cjfclcpg.exe
        678⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        679⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        680⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        681⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Dendok32.exe
        
        C:\Windows\system32\Dendok32.exe
        682⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\Dlhlleeh.exe
        
        C:\Windows\system32\Dlhlleeh.exe
        683⤵
        Drops file in System32 directory
        
        PID:13972
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        684⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        685⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        686⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        687⤵
        
        PID:14124
        
        C:\Windows\SysWOW64\Dioiki32.exe
        
        C:\Windows\system32\Dioiki32.exe
        688⤵
        
        PID:14164
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        689⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        690⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14236
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        691⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        692⤵
        System Location Discovery: System Language Discovery
        
        PID:14284
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        693⤵
        
        PID:14316
        
        C:\Windows\SysWOW64\Dhfcae32.exe
        
        C:\Windows\system32\Dhfcae32.exe
        694⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        695⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        696⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        697⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ejiiippb.exe
        
        C:\Windows\system32\Ejiiippb.exe
        698⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\Eacaej32.exe
        
        C:\Windows\system32\Eacaej32.exe
        699⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        700⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Eliecc32.exe
        
        C:\Windows\system32\Eliecc32.exe
        701⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Ebbmpmnb.exe
        
        C:\Windows\system32\Ebbmpmnb.exe
        702⤵
        System Location Discovery: System Language Discovery
        
        PID:13744
        
        C:\Windows\SysWOW64\Eeailhme.exe
        
        C:\Windows\system32\Eeailhme.exe
        703⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\Elkbhbeb.exe
        
        C:\Windows\system32\Elkbhbeb.exe
        704⤵
        
        PID:13868
        
        C:\Windows\SysWOW64\Ebejem32.exe
        
        C:\Windows\system32\Ebejem32.exe
        705⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Eiobbgcl.exe
        
        C:\Windows\system32\Eiobbgcl.exe
        706⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        707⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\Fajgfiag.exe
        
        C:\Windows\system32\Fajgfiag.exe
        708⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Fhdocc32.exe
        
        C:\Windows\system32\Fhdocc32.exe
        709⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13476
        
        C:\Windows\SysWOW64\Fongpm32.exe
        
        C:\Windows\system32\Fongpm32.exe
        710⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Fehplggn.exe
        
        C:\Windows\system32\Fehplggn.exe
        711⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Flbhia32.exe
        
        C:\Windows\system32\Flbhia32.exe
        712⤵
        Modifies registry class
        
        PID:14180
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        713⤵
        
        PID:236
        
        C:\Windows\SysWOW64\Fhiinbdo.exe
        
        C:\Windows\system32\Fhiinbdo.exe
        714⤵
        
        PID:14220
        
        C:\Windows\SysWOW64\Fkgejncb.exe
        
        C:\Windows\system32\Fkgejncb.exe
        715⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Faamghko.exe
        
        C:\Windows\system32\Faamghko.exe
        716⤵
        
        PID:344
        
        C:\Windows\SysWOW64\Fhkecb32.exe
        
        C:\Windows\system32\Fhkecb32.exe
        717⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Foenplji.exe
        
        C:\Windows\system32\Foenplji.exe
        718⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        719⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Gikbneio.exe
        
        C:\Windows\system32\Gikbneio.exe
        720⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Ghmbib32.exe
        
        C:\Windows\system32\Ghmbib32.exe
        721⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Gbcffk32.exe
        
        C:\Windows\system32\Gbcffk32.exe
        722⤵
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Glkkop32.exe
        
        C:\Windows\system32\Glkkop32.exe
        723⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\Gojgkl32.exe
        
        C:\Windows\system32\Gojgkl32.exe
        724⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Gedohfmp.exe
        
        C:\Windows\system32\Gedohfmp.exe
        725⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        726⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Gbhpajlj.exe
        
        C:\Windows\system32\Gbhpajlj.exe
        727⤵
        
        PID:13856
        
        C:\Windows\SysWOW64\Ghdhja32.exe
        
        C:\Windows\system32\Ghdhja32.exe
        728⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Gkcdfl32.exe
        
        C:\Windows\system32\Gkcdfl32.exe
        729⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Gehice32.exe
        
        C:\Windows\system32\Gehice32.exe
        730⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        731⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\Goamlkpk.exe
        
        C:\Windows\system32\Goamlkpk.exe
        732⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Gekeie32.exe
        
        C:\Windows\system32\Gekeie32.exe
        733⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Hocjaj32.exe
        
        C:\Windows\system32\Hocjaj32.exe
        734⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Hembndee.exe
        
        C:\Windows\system32\Hembndee.exe
        735⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Hlgjko32.exe
        
        C:\Windows\system32\Hlgjko32.exe
        736⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Hoefgj32.exe
        
        C:\Windows\system32\Hoefgj32.exe
        737⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        738⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Hligqnjp.exe
        
        C:\Windows\system32\Hligqnjp.exe
        739⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Hccomh32.exe
        
        C:\Windows\system32\Hccomh32.exe
        740⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Hebkid32.exe
        
        C:\Windows\system32\Hebkid32.exe
        741⤵
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Hllcfnhm.exe
        
        C:\Windows\system32\Hllcfnhm.exe
        742⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Hkodak32.exe
        
        C:\Windows\system32\Hkodak32.exe
        743⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        744⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Hipdpbgf.exe
        
        C:\Windows\system32\Hipdpbgf.exe
        745⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Hakidd32.exe
        
        C:\Windows\system32\Hakidd32.exe
        746⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Iibaeb32.exe
        
        C:\Windows\system32\Iibaeb32.exe
        747⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Iooimi32.exe
        
        C:\Windows\system32\Iooimi32.exe
        748⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Ieiajckh.exe
        
        C:\Windows\system32\Ieiajckh.exe
        749⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Ioafchai.exe
        
        C:\Windows\system32\Ioafchai.exe
        750⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Iapbodql.exe
        
        C:\Windows\system32\Iapbodql.exe
        751⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3976
        
        C:\Windows\SysWOW64\Ileflmpb.exe
        
        C:\Windows\system32\Ileflmpb.exe
        752⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Iocchhof.exe
        
        C:\Windows\system32\Iocchhof.exe
        753⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Iabodcnj.exe
        
        C:\Windows\system32\Iabodcnj.exe
        754⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Ikjcmi32.exe
        
        C:\Windows\system32\Ikjcmi32.exe
        755⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Iadljc32.exe
        
        C:\Windows\system32\Iadljc32.exe
        756⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Ihndgmdd.exe
        
        C:\Windows\system32\Ihndgmdd.exe
        757⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Ikmpcicg.exe
        
        C:\Windows\system32\Ikmpcicg.exe
        758⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        759⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jllmml32.exe
        
        C:\Windows\system32\Jllmml32.exe
        760⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Jbieebha.exe
        
        C:\Windows\system32\Jbieebha.exe
        761⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Jjpmfpid.exe
        
        C:\Windows\system32\Jjpmfpid.exe
        762⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\Jkajnh32.exe
        
        C:\Windows\system32\Jkajnh32.exe
        763⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Jbkbkbfo.exe
        
        C:\Windows\system32\Jbkbkbfo.exe
        764⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Jjbjlpga.exe
        
        C:\Windows\system32\Jjbjlpga.exe
        765⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\Jlafhkfe.exe
        
        C:\Windows\system32\Jlafhkfe.exe
        766⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Jbnopbdl.exe
        
        C:\Windows\system32\Jbnopbdl.exe
        767⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Jjefao32.exe
        
        C:\Windows\system32\Jjefao32.exe
        768⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        769⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jbpkfa32.exe
        
        C:\Windows\system32\Jbpkfa32.exe
        770⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Jhjcbljf.exe
        
        C:\Windows\system32\Jhjcbljf.exe
        771⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Jkhpogij.exe
        
        C:\Windows\system32\Jkhpogij.exe
        772⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Kcphpdil.exe
        
        C:\Windows\system32\Kcphpdil.exe
        773⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kilphk32.exe
        
        C:\Windows\system32\Kilphk32.exe
        774⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Kkkldg32.exe
        
        C:\Windows\system32\Kkkldg32.exe
        775⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Kfpqap32.exe
        
        C:\Windows\system32\Kfpqap32.exe
        776⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Kmjinjnj.exe
        
        C:\Windows\system32\Kmjinjnj.exe
        777⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Kbgafqla.exe
        
        C:\Windows\system32\Kbgafqla.exe
        778⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Kjnihnmd.exe
        
        C:\Windows\system32\Kjnihnmd.exe
        779⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Kokbpe32.exe
        
        C:\Windows\system32\Kokbpe32.exe
        780⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Kfejmobh.exe
        
        C:\Windows\system32\Kfejmobh.exe
        781⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kmobii32.exe
        
        C:\Windows\system32\Kmobii32.exe
        782⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Komoed32.exe
        
        C:\Windows\system32\Komoed32.exe
        783⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Kfggbope.exe
        
        C:\Windows\system32\Kfggbope.exe
        784⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kmaooihb.exe
        
        C:\Windows\system32\Kmaooihb.exe
        785⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lckglc32.exe
        
        C:\Windows\system32\Lckglc32.exe
        786⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        787⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        788⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lcndab32.exe
        
        C:\Windows\system32\Lcndab32.exe
        789⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lflpmn32.exe
        
        C:\Windows\system32\Lflpmn32.exe
        790⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Lkiiee32.exe
        
        C:\Windows\system32\Lkiiee32.exe
        791⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        792⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Lkkekdhe.exe
        
        C:\Windows\system32\Lkkekdhe.exe
        793⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Lbenho32.exe
        
        C:\Windows\system32\Lbenho32.exe
        794⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        795⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lpinac32.exe
        
        C:\Windows\system32\Lpinac32.exe
        796⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lfcfnm32.exe
        
        C:\Windows\system32\Lfcfnm32.exe
        797⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        798⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Mcggga32.exe
        
        C:\Windows\system32\Mcggga32.exe
        799⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Midoph32.exe
        
        C:\Windows\system32\Midoph32.exe
        800⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Mpnglbkf.exe
        
        C:\Windows\system32\Mpnglbkf.exe
        801⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        802⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 436
        803⤵
        Program crash
        
        PID:5396

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTZCQ0ZEMjctQUNBRC00RjU3LTg0RkQtNzRBRTIzNTQxQ0REfSIgdXNlcmlkPSJ7MjM4QkQ5RjItRERFQS00MzQ5LThFOEEtRjRENjg3MkM3OEE3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzI1REZFRTMtQUNDNy00MDE4LUIyOUMtNzI3QzA2M0MyNkM2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NjE1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTE4NzcwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE3OTI2ODY1MSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5408 -ip 5408
1⤵
PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajjokd32.exe

Filesize
1.1MB

MD5
7eb088629c72634982719923bd637196

SHA1
984b2ee3b9f8c41eceadfa9b819d8955186963bd

SHA256
171c0941db6382f20edafc9a0019fc89929e6f3c9d5be7a5f1063ba5a1429277

SHA512
a241a36987fcf5758c10cfb936ba00845e6af8684c6b6f43a25e430c2d9b16d98dbf083032b919f944f5c4b02e2f149fdd72177ac2e4d7c64e94af1f6a717ce6

Download Submit
C:\Windows\SysWOW64\Hhaggp32.exe

Filesize
1.1MB

MD5
eec3d978288be9eab3fa9030f2671a3e

SHA1
dc12817fd6ea927739b9d4263a38918f66e389f2

SHA256
4db73b18a9216e1c5b11439bd092d699c40b2d88eab8e36910810f142919b590

SHA512
fdc14e239479d14d4a28618115b64010cd0cd53834d0d812819c294edce7b1992154b0f5e9b53cd2f5fa7e0ec512e27923e0856e21677d52459cd78b2d25cd75

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
1.1MB

MD5
cb06634d42e751e30dd7052d4c9e9816

SHA1
4c6757797f05c383e28b9cb7be0ebf6e6e67934a

SHA256
6580ec2455f1b37478f319932de8229d3d3a31b44a47bc7da0b7a9d993b2320d

SHA512
f4d92a4c45cb0ca7d4a4475257769c3488b302b86c3f05fa1e6e4b87795bb78527e7e1f96037a5628fe61bb4308002478632188326e931541f6c92418689c8c0

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
1.1MB

MD5
6ad9e141e9126cf86bb8ab45560e7eca

SHA1
df265f8a3b847f7fa02b9ab42a40215a5e44fb2b

SHA256
f99f1a2f35b16f5c8f1fe376f0020e759e1a0f747e5e58ece128193ddc39efc2

SHA512
b7de8fb952d12e1bb006ad0fa791398ffcf2fcc76c71e4ddf66609a2a59e4c08d8d25358198d26871d59ad51eb8dcc559cd2b16f4713812ccdf3891d94136175

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
1.1MB

MD5
b9117eeee30e5458a7fb25181ab5ae98

SHA1
232789477446adc76a2c4dfaf7556ecf06599672

SHA256
3b13938867e63c63bbb9dd157535dd381d94e7811a3e902331a470b43c051433

SHA512
03b65d165b4797928c58f3b56d0f3af0dd96659bac27b77ebd2aa44a20949bb9f38ec84d337ed5607be3080c18b5e920539224c76865e38c9cef70b14c1bb917

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
1.1MB

MD5
8b740c0bf0f0e11a01dd7c984076b1b4

SHA1
44c56d611a0770f37e53525f707668942ab4d2ce

SHA256
3ca21fb8347c6c030441d721b2383aa573130b95ede80b7ce97e0a8d3c7e5274

SHA512
7fe08000a1e99fbb2232c100486a12575a81f3143c052a04b1b64e039b3049e724ff7cc1aef687cb0a1f8c4ec5353137e69b44074ab6d87986cafb362b57c48b

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
1.1MB

MD5
42946b8512e1baae0237e01ee0e5f2eb

SHA1
8801146dceebf357a1a83ed51a09cea6a4c13ad6

SHA256
befe3a1db2b9ac9b70260b79604e4fe46331708656c6b7170faa09d7b7e61a4b

SHA512
a70c6f95e72d2f20f572fc5d245b4cfd8db5fc8b8877af6180678d3fd09a26157a5141fd6b607d70a4a63511b30ea906cf6b6f0efdf3697e85fc78a99e4af369

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
1.1MB

MD5
ccf7865dd0ad9ba119bc02f5817081f1

SHA1
6330bb5c1483945bdf1652b57e0d082175ac0bb4

SHA256
c7282815e21713d6ee78a0ed7a99f62a5c6948444dc4a35c52762219b3db7cad

SHA512
a59eaf403c0276b35a4ad36955095dd116ac6ba1666ebb40e8a876980f80a1a55f57fdc02f3ae75b7920d6a6e47bee5e58bcfbc23277bb2ac9b01e40158634de

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
1.1MB

MD5
a90d7ea1e11085b7c358824ef4f31017

SHA1
5ab0cf5ab072ba529297b7b2fca188ebe24df333

SHA256
bfd201b0a5691e5c2c3b498ecd98afafc0a0bc698bb9a425ad4ea737c0aa95c1

SHA512
676929e6871f9542942584fe5382acfd78e49e084fcc907e68146b3ea36265bbd962f3824e9efc811994be2563e8b8c776962c85425102c1dcc53838e16c4ed6

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
1.1MB

MD5
5d921165b90c01329923338c8ab57275

SHA1
85fa6365c517684fe654e052c1be67d0500fbbfd

SHA256
0509873b8409856017b4a22986ed03f2c080eda60e0c5f65cf231acc1ef5cccb

SHA512
2f1640c9495a7b9774c8014cbede561e2c9ccbb75be88c09b1e92c2c65d637cd61b2e1aac4cf7306413f9768713587b1228b770cd279eb5033eab19a4ccc2457

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
1.1MB

MD5
ca6e7ee233bc5d7cb41bd754705c6c0f

SHA1
6dc9835c9420b334e6f90b3fd6252d7eea1770d4

SHA256
1f8bdca8c137ae83c2b519c021763a3256f9faf443631343182eff2f5df1cfc0

SHA512
e3b0b8f9977f6bceff86920525b00f06fe1d37a22f0cbc59780fd33bf301b65641e5646c6609010ebefca33303378aa8e9c607a9299a46074629fd9519b56f48

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
1.1MB

MD5
9e5dc320391c477d66c6b840d092b83e

SHA1
b92f4423fb4980a7ebe309b1b6e0b816103b2b16

SHA256
a91cb509f15aa2e66763b255df2b8d37fae22d99d07b6a7c59cc7e47cec4d8a7

SHA512
b00fa04111f941be08a75577d9d363ff84a3734145a45e6f03a51bd8e2da54569ad31ec874cfebbe05f4777066b00e33ee5007c4ab3ac4485b1a5733f2c811a0

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
1.1MB

MD5
40b4b4e3376cd9d16b1ebd1ce01006e2

SHA1
54c9eed970d4adc583e2be3a4f17fb115ec2db86

SHA256
99642179d095be37734e92e5347d6622cb6585a5e90104b97c672effb01a8750

SHA512
8a1da4e9cd30ea69205ec1c695c3e5efaf448e2f6f0efad558f922ef3a7577a69e5b2d72213d9ef8169678fe8907876f7dd8e97061d78e5c965ed14f81a8f542

Download Submit
C:\Windows\SysWOW64\Lhenai32.exe

Filesize
1.1MB

MD5
8973c8bef59a9df70a40156d8caac8c5

SHA1
d723496a967977ba2be9fbefd8f0322b771f315e

SHA256
59164557c47168b74ce0cdbb95a8d0063bbd2086ab3e98ce6989ff7868722e1b

SHA512
31bf8646fb9b4b4a2ea56d8adab86b00911aa7fc450d5d6a05a658b5bac730ed866c007337ed1639093408f9558df258f9b50525fd75d91ff3dd239270e279f0

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
1.1MB

MD5
66ec18ef67b4159805a7b232fc6c06a9

SHA1
7ccdcbcc4dc1367995aa4f46e284180f45b9ba1f

SHA256
76c97a962c2fcad6e3f5bbedfe04b7ce54b8eebd72e1a5a4f1f1c07845bcf068

SHA512
14374d6ef6f352672b87b879d4d8a8e070581f438339f9592b3bf8b0ad4e1efeb54d5fa07c3d65ee63215cc4fffdb3cc32648a1b502c2ab47fb30b527fe09306

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
1.1MB

MD5
1111c63d0db3208502d8d60634ae9761

SHA1
1458b2eaed7accbc070686114222124f0a31089d

SHA256
ba08e38d36c06c456ab9e4b48ad372a3027bdfa56965bc8a18259c87808291f6

SHA512
4c307de31fa1363025431f4802442878900dfa2d0d827cef52fb1f239fc8b7068ca711167e4d7b6e9e44ddea474fc2d51d2945c6d67ad96e519065f2c27d7d57

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
1.1MB

MD5
63967419f4e25df88116b64fbad9bc72

SHA1
de4cb8edb3576296340b4d6d204858b0395fecc7

SHA256
8fd3f56e7bd30bac5f436b6108385aec8ac31ac2e16ad0241f43c6ccda3d1eb8

SHA512
44494eeeeee7b23789e35d6cc798050b627b2810d54d9687b6da954d2a8cbff0b8ba496bb35a5d337578b89f4193b8d32804bf6bbfac0b2efebc9182bb8cd866

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
1.1MB

MD5
02d0d952cee2ba93c583a52dd2048d6a

SHA1
f5af7ddf354986c5cd37dc9d7db11e0129ee1f52

SHA256
cfd262f2f3c14135dc0534a8340d8b9e9ed014ed66a9d0a5767c9f2620a89bc7

SHA512
58b9efe37019efa040fc93326bcfca50ab861f603ff75f99faa603b37c45844e2d7aed3bb8316a2f38885d5be897eace91fd6a331f5fe0b4e4113f7e65b4be32

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
1.1MB

MD5
4bd8da53d0c8434b45bae69e56c3a377

SHA1
e3c0b366cb0a25666aa3ed441a5af65a4629b3db

SHA256
3db236642cd5d31a2c4adc14212493865f78822c50ad0ee1d7461864d31a1740

SHA512
557bfce0280fe54664d5fa937d9a0dc709495aa64e433b556044be24d5ca1143230864104decb59ace04bacdb6cc6ee55c4d2d59d12f922e3c21c7fe40a82855

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
1.1MB

MD5
aa612352f0a01f7e4ad4386767b4fc1c

SHA1
6a41e3a4a044535913d7327660cdc29f4c9a1e68

SHA256
a1a6144ad4eff7608acdcbdbfce856a0194ee5146b5b33480981c2565067b01f

SHA512
6ace7db8e1fbd8d63f6ab31844cc644195dec6b297f09613b81f8931a9e89e975c249006a8d8bab646243ff98d3315a476bf7118a40b2189f0431795527ae10c

Download Submit
C:\Windows\SysWOW64\Momcpa32.exe

Filesize
1.1MB

MD5
b8de6181b1e1a4913a17fd0bf5bdcaa2

SHA1
60b6cb67cd3ca1c63c129c2a5476b5ce1226bdc8

SHA256
1e1acd5379c4d078ebaf75c458bd86ceb4b8dc5a9b88abf552da33e7dcaac982

SHA512
c19295217f014b742cb5d2ba2d22dad27e7269668e4e629a365eab175d0cb254d230c5a01708adf427cead8b0eeec4999b85843a5ac14b4bbc87a9735fd78293

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
1.1MB

MD5
40cdf2717bfef667b73d1ce8f670484e

SHA1
ebf3833ececde668c8a098811c6e9ee3066725b9

SHA256
7ea001777f8d984ec8121532c2bfa741a2406718bf66141b704d81ab0a4a6bdb

SHA512
ec6c5d6a1bf0d188f918c32996bd8ac802654d4661ebcba358f025bfaaff669e8125c9388b327fc865ac6b0cea7c6988667e324ebdcd2571c83c2edb23c9b11f

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
1.1MB

MD5
021f12c15231d2077427a96d47bd4830

SHA1
c074b56100700829e498b57e591537c56185e684

SHA256
241996664947e229aefb3a670d38409b7951771aa457774ce1c68c03d1e54c35

SHA512
446dc7f9b6b12463fd6e54c64fb138d1ff604fa385232e89f6299e901beee7640687f16c76514ebe64697bdbdc86e7e1c6e01b684b701ed01c66059280af38c3

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
1.1MB

MD5
d347ba8737b6515ef0b4e070056ba458

SHA1
a11508222749924e7825c6f1dc783df51946f4d6

SHA256
e5ac2c1d0408904d1f30173d0bc5aafbe779727bc11d78bd7767fa92cf667445

SHA512
636fd7f1a4f194e829e43260bb64bd271d04139beb39d9c9a0d6fd42f1ac171318d3fc305b73c666fff8c356d9c31273b2ee1b579f705ea65527e9af139d8f0b

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
1.1MB

MD5
c6c69e9ece49ee764b35827f164d5955

SHA1
2ce04fe2c812957cfe833560ae54d615c8dff375

SHA256
07e1dcb922bf2cc64a2f5138623e1b414c02673374f856f42e5c2359f528c364

SHA512
edfedf5e392d3538c74c38c1d356c3450f2131a27e53c147bc481b910051f3ab2f7dd1d0a96b1ec83cd53d1200e51779a70ec78cdb90bce3e273339fa25a8469

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
1.1MB

MD5
b1db34a71ff383997c6ff7a405c5dc8d

SHA1
102e7af741c42c4ce3314fffea776f5eab576a78

SHA256
9dd0f23c761236e3975deb5f581af613cb9d30ef83ec051229f603cde15c02d3

SHA512
b2edd5d836019c3ee1b732f7b5aabbeb3139109152b64163a466bf469c26bfc00748b1d598a798dd1f083f99559cfd2d9c27f19a188eb42cb7da6c09927628c9

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
1.1MB

MD5
b1b0c9927a2a35c77d4443f3088239f1

SHA1
b0343fa4c5574295ee632615d5d49132994602f0

SHA256
8401fcc4ed1003a04cf71e1f3e012a70c6bb3108b4c73202f266c08371bf161f

SHA512
525956b6c86fe0fb531ce3f26465adc141a508baa4138552f2b2fd7f9f16e181c2d21e57e7bf4d0a46875120ae047e26c38864a28975ea0e197e1fbcd4f7dfa1

Download Submit
C:\Windows\SysWOW64\Pidlqb32.exe

Filesize
1.1MB

MD5
f1932100a764855b1561e9034ecbe916

SHA1
2b66e3c73d2137913f61707f2aefdb3a825afaee

SHA256
82ceff29a96c9aebb4808c22a70a24484e2fb9aea00a91fb99f84c04443cc168

SHA512
8f5cacf1bddd39ab8aa9de49aaf73a7ac6198cb797c13aaf075eb4650cce8dbbc314761f89e28c367ee354fae52cd0323d1023d4442c17519445e7b51fada84f

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
1.1MB

MD5
58ba3c618ef923e0532b67266353965d

SHA1
1d68277c3ba0c3adff09643a0c5a46ae6f0ed650

SHA256
ad01a5d96b26575b29974c666c44a59df683dcd4cae867e50ad6817ad061107d

SHA512
9d0c7a79a474796c201de43db8895ff6f8f1dffe5865974e3059806e3fe81aa575e8c2a70fb1599ef5657e5b04bfebde763de4e069be6cf88e944579f600347a

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
1.1MB

MD5
18b3317ba887f62288144697cf82e1de

SHA1
624e564e99daf8a06637f89232efbb65f9e0a7d3

SHA256
432ffaa40f3b94325bdc18ba281e1bdd9d0af9d30cb767d913a4dfc0c8f873f2

SHA512
534942c14a9346daa4c160fea43a6c5c162aeca62646c81e74a53f78f47ce562c11fe276a5832c6c766211cc2c25a2821de46ae9f25a34e7468611af0eb01749

Download Submit
C:\Windows\SysWOW64\Qamago32.exe

Filesize
1.1MB

MD5
db78e814267925493a4330514b2849ee

SHA1
46d4643bfd08c4918f6ba90bdec01d8fb67ffe1a

SHA256
223b19c995a60de9b8cbf0cb1d3df6fc7f98ca5e34aed31121f5fef3966e3036

SHA512
b2bfb8f17862d2a75b070bf1629e190dc11c0ef82c4efa095e9f199a5149728ae62d758533f2b66e85b14197fcb46a16bc8627e6a41223cce5c9a1ca256f9b94

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
1.1MB

MD5
9a30afe49f80e553e4f70e69d6842bae

SHA1
5242716819f22123048167ea3a5d3196305fef38

SHA256
91f2c3a9c1ddf7efbaf771369012a1484974fe144be9fd4f1bb4a761e8db65c6

SHA512
4a0ff577ae743433a99f472894fa16fa9bee70cbf7eabe18560210d9a8c75b65eed0cc0a14120c1c0fc228de73c929c5d1371393ce7cd30c48ddab110a7c5d5f

Download Submit
memory/232-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/420-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/472-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3156-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-78-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3272-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3396-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4112-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4120-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4464-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads