berbew | 1ff0ec76983cce59997816a721b606dc098298fc14293931bbd1a2c88c627b83

Analysis

max time kernel
103s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

d37b689e71f782ab7a1deec58931ebd5
SHA1

1d05853602f42e1d54c79ca642b52a85f269e7a8
SHA256

1ff0ec76983cce59997816a721b606dc098298fc14293931bbd1a2c88c627b83
SHA512

0f7063cbc226008710dd6ed613e86d723669793f1ff95b4b77a818f511ec31c09237aaa30f5b296b1d2b0f0532ec516a5ed0f1a0819236069512886102ef79bb
SSDEEP

12288:afWIVp2o8wE39uW8wESByvNv54B9f01Zm:a+0p2o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aednci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmfgek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Badanigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckhecmcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdfehh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdhbmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Digehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeodhjmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aekddhcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilqoobdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oogpjbbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgplado.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emanjldl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblbca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmepam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmfbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aekddhcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gidnkkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adikdfna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igajal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaagkcb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
6056	Odalmibl.exe
5240	Oogpjbbb.exe
3292	Pmlmkn32.exe
5032	Pahilmoc.exe
1632	Pdfehh32.exe
3216	Pkpmdbfd.exe
2496	Pmoiqneg.exe
3104	Pajeam32.exe
3720	Pdhbmh32.exe
372	Pdkoch32.exe
4684	Plbfdekd.exe
4656	Popbpqjh.exe
4844	Paoollik.exe
4824	Pdmkhgho.exe
4536	Phigif32.exe
1260	Pkgcea32.exe
3272	Qmepam32.exe
4972	Qaalblgi.exe
5064	Qdphngfl.exe
5116	Qlgpod32.exe
4108	Qoelkp32.exe
4100	Qmhlgmmm.exe
1596	Qeodhjmo.exe
1876	Qdbdcg32.exe
2388	Qlimed32.exe
3712	Aogiap32.exe
2632	Aafemk32.exe
464	Aeaanjkl.exe
5436	Ahpmjejp.exe
452	Aknifq32.exe
2396	Anmfbl32.exe
4280	Aednci32.exe
4244	Ahbjoe32.exe
4236	Akqfkp32.exe
2796	Anobgl32.exe
2608	Adikdfna.exe
908	Akccap32.exe
2884	Anaomkdb.exe
3732	Aehgnied.exe
1948	Ahgcjddh.exe
2472	Akepfpcl.exe
1440	Anclbkbp.exe
696	Aekddhcb.exe
3080	Ahippdbe.exe
1052	Akglloai.exe
404	Bochmn32.exe
5144	Baadiiif.exe
5288	Bdpaeehj.exe
1324	Blgifbil.exe
2804	Boeebnhp.exe
228	Badanigc.exe
4628	Bepmoh32.exe
992	Blielbfi.exe
912	Bohbhmfm.exe
1724	Bafndi32.exe
512	Bddjpd32.exe
2592	Bllbaa32.exe
4576	Bojomm32.exe
5628	Bahkih32.exe
2436	Bedgjgkg.exe
1452	Blnoga32.exe
1480	Bomkcm32.exe
4384	Bakgoh32.exe
5124	Bdickcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eppjfgcp.exe	Emanjldl.exe
File opened for modification	C:\Windows\SysWOW64\Fpimlfke.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Mlkpophj.dll	Hmdlmg32.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Effkpc32.dll	Cfkmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Gblbca32.exe	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Locfbi32.dll	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Nmfcok32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Qeodhjmo.exe	Qmhlgmmm.exe
File created	C:\Windows\SysWOW64\Nklinjmj.dll	Dfiildio.exe
File created	C:\Windows\SysWOW64\Ocoaob32.dll	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Anclbkbp.exe	Akepfpcl.exe
File created	C:\Windows\SysWOW64\Egjgdg32.dll	Akepfpcl.exe
File created	C:\Windows\SysWOW64\Efblbbqd.exe	Enkdaepb.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Gejopl32.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Fhjnfdhk.dll	Hipmfjee.exe
File opened for modification	C:\Windows\SysWOW64\Hmmfmhll.exe	Hefnkkkj.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Lfeljd32.exe	Lokdnjkg.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Npdpachh.dll	Dfnbgc32.exe
File opened for modification	C:\Windows\SysWOW64\Ffceip32.exe	Fpimlfke.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	Ibaeen32.exe
File opened for modification	C:\Windows\SysWOW64\Qhhpop32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Neiqnh32.dll	Bafndi32.exe
File created	C:\Windows\SysWOW64\Gppcmeem.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Kpjgaoqm.exe	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Kbopqlen.dll	Phigif32.exe
File created	C:\Windows\SysWOW64\Ghcjeh32.dll	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Iohejo32.exe	Imgicgca.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Akepfpcl.exe	Ahgcjddh.exe
File created	C:\Windows\SysWOW64\Dngjff32.exe	Dkhnjk32.exe
File created	C:\Windows\SysWOW64\Hdbplg32.dll	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Njfkmphe.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dnbakghm.exe	Dkceokii.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Hoclopne.exe
File created	C:\Windows\SysWOW64\Pahilmoc.exe	Pmlmkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jcdjbk32.exe	Jljbeali.exe
File created	C:\Windows\SysWOW64\Dfglfdkb.exe	Dnpdegjp.exe
File created	C:\Windows\SysWOW64\Mmpmnl32.exe	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Qdphngfl.exe	Qaalblgi.exe
File created	C:\Windows\SysWOW64\Aafemk32.exe	Aogiap32.exe
File created	C:\Windows\SysWOW64\Aeaanjkl.exe	Aafemk32.exe
File created	C:\Windows\SysWOW64\Hlbcnd32.exe	Hidgai32.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Loighj32.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Pdhkcb32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Gejain32.dll	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Boeebnhp.exe	Blgifbil.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10736	10648	WerFault.exe	494

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdpaeehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmimai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hehkajig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoeieolb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jniood32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbdcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akqfkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmlkhofd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dokgdkeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feoodn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqafhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaagkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknifq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bllbaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemdlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnoqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgphpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlimed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eppjfgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joahqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnbdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loighj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnhdgpii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgcjddh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akepfpcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enigke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hipmfjee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnfohmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpmnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhbmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdphngfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpchb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokdnjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiffqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgifbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbbnpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emanjldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahippdbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafndi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emoadlfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnnjmbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbfab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flpmagqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipjoja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qoelkp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaae32.dll"	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iebngial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chiigadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Digehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll"	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmcjpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll"	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadggj32.dll"	Anmfbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bddjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dokgdkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blqllqqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkceokii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcedencn.dll"	Qdbdcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll"	Coohhlpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hehkajig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hifcgion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfkmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijmiq32.dll"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll"	Dfiildio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll"	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddalgo32.dll"	Pdfehh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bochmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bakgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeaanjkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fngcmcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll"	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaekqhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clchbqoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll"	Qlgpod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 6056	3496	2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 3496 wrote to memory of 6056	3496	2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 3496 wrote to memory of 6056	3496	2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe	86
PID 6056 wrote to memory of 5240	6056	Odalmibl.exe	87
PID 6056 wrote to memory of 5240	6056	Odalmibl.exe	87
PID 6056 wrote to memory of 5240	6056	Odalmibl.exe	87
PID 5240 wrote to memory of 3292	5240	Oogpjbbb.exe	88
PID 5240 wrote to memory of 3292	5240	Oogpjbbb.exe	88
PID 5240 wrote to memory of 3292	5240	Oogpjbbb.exe	88
PID 3292 wrote to memory of 5032	3292	Pmlmkn32.exe	90
PID 3292 wrote to memory of 5032	3292	Pmlmkn32.exe	90
PID 3292 wrote to memory of 5032	3292	Pmlmkn32.exe	90
PID 5032 wrote to memory of 1632	5032	Pahilmoc.exe	92
PID 5032 wrote to memory of 1632	5032	Pahilmoc.exe	92
PID 5032 wrote to memory of 1632	5032	Pahilmoc.exe	92
PID 1632 wrote to memory of 3216	1632	Pdfehh32.exe	93
PID 1632 wrote to memory of 3216	1632	Pdfehh32.exe	93
PID 1632 wrote to memory of 3216	1632	Pdfehh32.exe	93
PID 3216 wrote to memory of 2496	3216	Pkpmdbfd.exe	94
PID 3216 wrote to memory of 2496	3216	Pkpmdbfd.exe	94
PID 3216 wrote to memory of 2496	3216	Pkpmdbfd.exe	94
PID 2496 wrote to memory of 3104	2496	Pmoiqneg.exe	95
PID 2496 wrote to memory of 3104	2496	Pmoiqneg.exe	95
PID 2496 wrote to memory of 3104	2496	Pmoiqneg.exe	95
PID 3104 wrote to memory of 3720	3104	Pajeam32.exe	96
PID 3104 wrote to memory of 3720	3104	Pajeam32.exe	96
PID 3104 wrote to memory of 3720	3104	Pajeam32.exe	96
PID 3720 wrote to memory of 372	3720	Pdhbmh32.exe	97
PID 3720 wrote to memory of 372	3720	Pdhbmh32.exe	97
PID 3720 wrote to memory of 372	3720	Pdhbmh32.exe	97
PID 372 wrote to memory of 4684	372	Pdkoch32.exe	98
PID 372 wrote to memory of 4684	372	Pdkoch32.exe	98
PID 372 wrote to memory of 4684	372	Pdkoch32.exe	98
PID 4684 wrote to memory of 4656	4684	Plbfdekd.exe	99
PID 4684 wrote to memory of 4656	4684	Plbfdekd.exe	99
PID 4684 wrote to memory of 4656	4684	Plbfdekd.exe	99
PID 4656 wrote to memory of 4844	4656	Popbpqjh.exe	100
PID 4656 wrote to memory of 4844	4656	Popbpqjh.exe	100
PID 4656 wrote to memory of 4844	4656	Popbpqjh.exe	100
PID 4844 wrote to memory of 4824	4844	Paoollik.exe	101
PID 4844 wrote to memory of 4824	4844	Paoollik.exe	101
PID 4844 wrote to memory of 4824	4844	Paoollik.exe	101
PID 4824 wrote to memory of 4536	4824	Pdmkhgho.exe	102
PID 4824 wrote to memory of 4536	4824	Pdmkhgho.exe	102
PID 4824 wrote to memory of 4536	4824	Pdmkhgho.exe	102
PID 4536 wrote to memory of 1260	4536	Phigif32.exe	103
PID 4536 wrote to memory of 1260	4536	Phigif32.exe	103
PID 4536 wrote to memory of 1260	4536	Phigif32.exe	103
PID 1260 wrote to memory of 3272	1260	Pkgcea32.exe	104
PID 1260 wrote to memory of 3272	1260	Pkgcea32.exe	104
PID 1260 wrote to memory of 3272	1260	Pkgcea32.exe	104
PID 3272 wrote to memory of 4972	3272	Qmepam32.exe	105
PID 3272 wrote to memory of 4972	3272	Qmepam32.exe	105
PID 3272 wrote to memory of 4972	3272	Qmepam32.exe	105
PID 4972 wrote to memory of 5064	4972	Qaalblgi.exe	106
PID 4972 wrote to memory of 5064	4972	Qaalblgi.exe	106
PID 4972 wrote to memory of 5064	4972	Qaalblgi.exe	106
PID 5064 wrote to memory of 5116	5064	Qdphngfl.exe	107
PID 5064 wrote to memory of 5116	5064	Qdphngfl.exe	107
PID 5064 wrote to memory of 5116	5064	Qdphngfl.exe	107
PID 5116 wrote to memory of 4108	5116	Qlgpod32.exe	108
PID 5116 wrote to memory of 4108	5116	Qlgpod32.exe	108
PID 5116 wrote to memory of 4108	5116	Qlgpod32.exe	108
PID 4108 wrote to memory of 4100	4108	Qoelkp32.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_d37b689e71f782ab7a1deec58931ebd5_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Odalmibl.exe
  C:\Windows\system32\Odalmibl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6056
- - C:\Windows\SysWOW64\Oogpjbbb.exe
    C:\Windows\system32\Oogpjbbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5240
  - - C:\Windows\SysWOW64\Pmlmkn32.exe
      C:\Windows\system32\Pmlmkn32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
      - C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Qmhlgmmm.exe
        
        C:\Windows\system32\Qmhlgmmm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        30⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        34⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        36⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        38⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        39⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        40⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        43⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        46⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        48⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        51⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        53⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        54⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        55⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        59⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        60⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        61⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        62⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        63⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        65⤵
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        66⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        67⤵
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        68⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        69⤵
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        70⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        71⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        72⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        74⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5020
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        77⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        78⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        79⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        80⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        82⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        83⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        84⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        85⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        88⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        90⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1336
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1536
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        95⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        98⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        99⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        100⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        101⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        103⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        105⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        106⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        108⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        109⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        110⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        112⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        114⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        115⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        116⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        118⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        120⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        123⤵
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        124⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        128⤵
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        129⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        130⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        131⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        132⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        133⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        134⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        135⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        136⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4704
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        140⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        142⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        143⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        145⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        146⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        147⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        150⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        152⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        153⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        154⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        155⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        156⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        157⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        159⤵
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        160⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        161⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        162⤵
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        163⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        165⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        167⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        168⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        170⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        171⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        172⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        173⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        174⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        176⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        179⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        181⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        182⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        183⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        185⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        186⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        187⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        188⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        190⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        192⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        193⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        194⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        195⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        196⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        197⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        199⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        200⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        201⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        202⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        203⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        205⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        206⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        207⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        208⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        209⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        211⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        212⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        213⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        214⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        215⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        216⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        217⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        219⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        220⤵
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        221⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7228
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7272
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7308
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        224⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        225⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7380
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        226⤵
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        227⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        228⤵
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        229⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        230⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        231⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        232⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        233⤵
        Modifies registry class
        
        PID:7728
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        235⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:7876
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:7920
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:7964
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        239⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        240⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        241⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        242⤵
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        243⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        244⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:7328
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        246⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:7608
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        249⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        250⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7868
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        253⤵
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        254⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:7268
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        256⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        257⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        258⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        259⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        260⤵
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        261⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        262⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        263⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        264⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        265⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        266⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        267⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:7200
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        269⤵
        Modifies registry class
        
        PID:8012
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        270⤵
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:8212
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8252
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        273⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8328
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        275⤵
        Drops file in System32 directory
        
        PID:8364
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        276⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        277⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        278⤵
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        279⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8576
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8616
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8656
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        283⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        284⤵
        Modifies registry class
        
        PID:8736
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8776
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        286⤵
        Modifies registry class
        
        PID:8812
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        287⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8888
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        289⤵
        Modifies registry class
        
        PID:8924
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        290⤵
        Modifies registry class
        
        PID:8960
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        291⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        292⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        293⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        294⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9112
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9152
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        296⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        297⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        298⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        299⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        300⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        301⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        302⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        303⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        304⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        305⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        306⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:8912
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        308⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        309⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        310⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9176
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        312⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        313⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        314⤵
        Modifies registry class
        
        PID:8432
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        315⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8704
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        317⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        318⤵
        Modifies registry class
        
        PID:8948
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        319⤵
        Modifies registry class
        
        PID:9084
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        320⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        321⤵
        Drops file in System32 directory
        
        PID:8280
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        322⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        323⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        324⤵
        Drops file in System32 directory
        
        PID:9008
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        325⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        326⤵
        Drops file in System32 directory
        
        PID:9148
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        327⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9236
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        329⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9272
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:9304
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        331⤵
        Modifies registry class
        
        PID:9408
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        332⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        333⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        334⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        335⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        336⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9616
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        337⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        338⤵
        Modifies registry class
        
        PID:9688
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        339⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:9760
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        341⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        342⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:9872
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        344⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        345⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        346⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        347⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        348⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        349⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        350⤵
        Drops file in System32 directory
        
        PID:10136
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10180
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        352⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        353⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        354⤵
        Modifies registry class
        
        PID:9332
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        355⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        356⤵
        Drops file in System32 directory
        
        PID:9428
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        357⤵
        Modifies registry class
        
        PID:9492
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        358⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        359⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        360⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        361⤵
        Modifies registry class
        
        PID:9752
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        362⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        363⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        364⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10028
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        365⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        366⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        367⤵
        Drops file in System32 directory
        
        PID:10232
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        368⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        369⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9528
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        371⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9744
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        373⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        374⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9932
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        375⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10056
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        376⤵
        Drops file in System32 directory
        
        PID:10172
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        377⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        378⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        379⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        380⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        381⤵
        System Location Discovery: System Language Discovery
        
        PID:10092
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        382⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        383⤵
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        384⤵
        Modifies registry class
        
        PID:10004
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        385⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9604
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        386⤵
        Modifies registry class
        
        PID:10016
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        387⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        388⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10284
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        390⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10320
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        391⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        392⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        393⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        394⤵
        System Location Discovery: System Language Discovery
        
        PID:10464
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        395⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        396⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        397⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        398⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10612
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        399⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10648 -s 412
        400⤵
        Program crash
        
        PID:10736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 10648 -ip 10648
1⤵
PID:10708

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
400KB

MD5
62eabdafa021df69cd8044be9b122cd7

SHA1
06bace412f52aa2df404cae9b5f9e41f1ddded81

SHA256
b9213890836a49f9b1b6b56c03257ef3703eefbabb3824612fb78936e9f57db9

SHA512
0949f27f7169b309a3f0c9b705e6849d6d9e54607102ae345d7a4dbde13e40665c895b5d5c5a15d41cb3ba9da780861d139c26e6ac24234e41197f41c69ec82c

Download Submit
C:\Windows\SysWOW64\Aaldccip.exe

Filesize
400KB

MD5
974e7e3dc05f6489860afe6de40ca63d

SHA1
2e7a14e91573d39495c0f37327ecf122e4822a8e

SHA256
bda5f1f5f8a849a1c7d90d39f7ed80c9ccde5ffcb5d16caa63f0ab29de205404

SHA512
dbc814edea9c96c3f290e027278865225919b12dbdb1bdccbf0fda8fe582b7e16f776cf899c8fedf530b3f838bf8929f8def67564fe8b6453e9e523ee89bec5d

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
400KB

MD5
f1025d79cda0b632f2b64192bcc2e88f

SHA1
7b3ec3dbb42097958ca26a3cde029b8d7b9c4607

SHA256
54bc449731ce2309d8faab51e9d62e5e769b9c3cf9d3f36ce28f3dbc2bbd261c

SHA512
deb858f97284c7e8243caaf9597e12948b82d9354ab191f200af5720ac4234461ae0a591eaf3de85714be79dd31712ba7da233f8554b8200750ad7f360ce7999

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
400KB

MD5
d7bd87177594c32a64ec3d23e13e1afb

SHA1
5a86f9032a779bcd633e18d1621b0de50fba71e1

SHA256
64184272dfa4098f45a0ac0a9e303e10a185b0d71c034e53385be402d5b18d6c

SHA512
3fad9189d193930bdd22faccfd3ea7926a0c139679d179344ae610ee8c176100d03be0e91b88aa72804066cdc34993bfdaad9d6b039aded5660a6430aee04845

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
400KB

MD5
bbe966b52161e8bedf1b4aa85e6af7ed

SHA1
1fcb6bf05e00208b6d2998cdcdbcb06453c99593

SHA256
81485355d94fea7aec59888b581c653719b37a404a0c813e8b346786dca06adb

SHA512
d995206951aae01f54dc5d963c996ee3b1a54a4eee1a531d2df040623e2eb9389a9a9a66cfed4743650643192bcf84fc7410f0b0ac57d8da8350f88626c125c4

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
400KB

MD5
b576cd23cbb89646cf5d7ed9180f8149

SHA1
05c47676bfe3db5eccab9a2cc1020b295524e09c

SHA256
37ad2ad122d7254c6772ce384a9ac53bc3f63ca4f91209782eb959efe138f648

SHA512
97ab96bcaa6249307eb80998721c40c8ffe20fe72aba9e3f1146f684bc444f42eda3b25cdaa12bf4fac4217ecd49aca9d647dc62a08c09144e3b0dd2648bab5a

Download Submit
C:\Windows\SysWOW64\Ahpmjejp.exe

Filesize
400KB

MD5
a94373f8db47e61f0b7b6f10a1904940

SHA1
9c51a6794cb9b29e1a09d870d48bfc6832ea85cb

SHA256
847b85dea5b1a8171dbb16d1ebd26ab0f61858a18deb46e218f0e6e044bc6f14

SHA512
6210c8a34a639c89cc63ff82b88fbc339b526c11526b15a041aa6d5ff418a32e44e7ca3f72cf76e3083cefab71cd9977779a907c4d1dc5507f96da87c1c5dcf5

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
400KB

MD5
2634fe7ba016cd9aead47d98867b1675

SHA1
fdfd8639c75f6bb0768ff1671fe5eb9699caf6c5

SHA256
46d5e2981401e3fce60cbb95e5e78074d836f9bfa8dbcb9f4cdbb31beb779816

SHA512
9738a097485a09a08532d43dcde09bf598fe2ae457b2f5bbb3c9b3fb71266fee1452960b65ee7684081932648024bc276ecafe141cd2ba6aec37b7faff26ff30

Download Submit
C:\Windows\SysWOW64\Aknifq32.exe

Filesize
400KB

MD5
1ff8e2e5675d2ccb6a69ae5e189907da

SHA1
3633776936cf08341f959769837a5db15c59e344

SHA256
386307abb106fec1c3c3ec379a9e8706abf8efa823e516b03f528e21fff16ae5

SHA512
4e2977fe020638492996ccbce27445a6661e1641d892164ddc92e0af2f609102f591d5ec8fec2b367d32dae59a9abd4f754bab5501ded2e660609d843036c153

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
400KB

MD5
b9b4dd447943e3d9c24fea2cd3dc9820

SHA1
6f07255fc27bc65423b95d9540f333da37280ae2

SHA256
1e9f59557314f130c21c67b08b83532a624f6e28a201d9f7303024335e7b8e7d

SHA512
68241843f563f52a198b26d7961d7af8306edab2885e1ca63c83127f790711ea6884f806408d6b0e51c4d12b7e6d645e2c8a4e1b93f41ca9d882bb6f5d13dd0d

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
400KB

MD5
49ef805b6b7d549c5275d7a2183c9896

SHA1
a5a0c96bac3f9b9c8dbff198cfee0643d34f96eb

SHA256
3740d2ae9df212ac3839f0f2d2e143701146c82802d54146a40ec3c5207f85e2

SHA512
e95ea889f96896a07b541c3fe497292b1028c84c9e5ff0bc247a31f7773d4bf2ebd87db2be658af153b9f39db55ab360d96e83f9394a9287546825671fc419ce

Download Submit
C:\Windows\SysWOW64\Aogiap32.exe

Filesize
400KB

MD5
589a770331fb0fa4caa46609634ec8b8

SHA1
297652ea2a8e87e790fd9892266194b2da67f194

SHA256
113f626bd86bc2a5a35ca854b587dc16275bd2190bbc5b2b29987c70b8e005ea

SHA512
a6d9148155481729c1da3c30b17bd8caba981d4187647e7b13384a87a299b01c88b9db545b6617b5755cce1b769489439aa039d19c99e69abc31b2746f3a08e6

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
400KB

MD5
34959347dea5a403dfa35b80f18313bb

SHA1
bf0ddd06de903b2639398fa8f3988c40afe92f68

SHA256
c6d8677c1768fc0e97fd641fcc84e0ea1232762b6df276d7517dd3caef977073

SHA512
477b06efdc5c20e6b2ca07483b90b166057227e8de16308d1eedc1aa2a7859ced618c15018509e3c84e1d327a28ec7829ee018a831f6ad0b4cc5986cecdd1ef0

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
400KB

MD5
5c4dc2a8cc466a92641d15281b22bfa3

SHA1
6923d7b56bd15019bbe8778df286340a4e1ddadf

SHA256
3b06d33566dd89d492f743d1cb4ebcc331dd7b3215f3c1e46769beab719f3f53

SHA512
e50cf0bb279c872b5f29aa6c1f002c7070099ead55ba212e48016c798d81527f2a7bd17754a29fd75b498b4c61b2d75ec53bb9b0411be095d6779e5ca595b9e0

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
400KB

MD5
d60309cd946e2eed5bcd39f2fe852ad2

SHA1
21ee1ed4adf1961c20b8938198730f754afbe07f

SHA256
cd10fe50652d68709f67d1185684792dc23fe48415e66ff47f692c3047da7f4d

SHA512
fdb003b3d0c49be55bd797ecaaa25703ad0225f3587953505f04323c898d9a403fb7a8b7519bfc8138a3a4e7a922a22d588749e48f0933d8cd96e639618aa047

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
400KB

MD5
eb10bf47f16df345f4231d09d9e87c4e

SHA1
20a50bf77cf6a989f23c69cf44cebba37f1adccd

SHA256
40607b93e13bc3ee92e24d9919e9d4277f8dd347a90d8a9d57ed0c721066ee5e

SHA512
5a86d753f9f22a94e336b4ea5b50067527fcae791734c3a3df48f072ce1655a621f65e6ac8f20bd795e22a127f7bdcf09e948340740fb7befe304447cc6c7603

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
400KB

MD5
ebaae5101c6ea76de0c01cfb382545b4

SHA1
2c43ade04efcd2355e6c35bba16a48054b119243

SHA256
55b4941d134b46cf9cacfafec041128929b4c1bee2b805f4c1edf95d7c33232a

SHA512
0449feb9ee3acb9cd8e612b3efa8d0ac343e648e392a0ad034b800157b1adca76abf535c2279366f9441f45485788dc3379e2a5dd015ec2d51bbc0b36cc01082

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
400KB

MD5
2bf834d85602e32c1820af83f028ca7a

SHA1
95e112b0e51646cd514b015519e57128e6103ada

SHA256
ebb59098f5a14135c7981bd8622eeb9f00a8da0c17950ff4de292637a572551c

SHA512
8426b8c7af09e1b999a48e2f7e6971c3387fd66576c0b9382e26a3491a262bb3b86cba9bdf90fa0b29c3bb9ba2ce02fb771b9ec4d28d819b6755a6b01c82f522

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
400KB

MD5
9dd1fb11e69865e6ced194a42c21c4ad

SHA1
59db9ee74b842b1ccca890794e37304790da0d70

SHA256
a6154c70ce63574e8f91ffe44d12b1e7ed1fa05f296e6deac2c4dc31bef26290

SHA512
0b9be2280ccc2cb0095733651a3bda863371f2bce43284ea47d23e5e9d994e1d4ee03712fc7789a7553b616ae875c1e159795ee24f1842731bdc4d803a3ca290

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
400KB

MD5
bd3edb4ac4848884e26313cc7aac3571

SHA1
0bc988cb7b25f7b6dd62e42de43a9886faa21f5d

SHA256
d0b572a036e402ac3e5a25b474cb0d3ccaf52f6ce05f7fbf4b57e0ba1fb7562d

SHA512
d3c5e30a23121f7a21644cef343add395e2f632489c012b2549a2f48b04d5808a974652ad0a8a8e52b7b991be355cba6a13c06a601d0a825789bfd2a2b7571fa

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
400KB

MD5
b019475d192919e9c6eba9b380578314

SHA1
87941471fff64cb00a3f8bc3e18f87249eaefd5e

SHA256
a45c34df81d5f94551af7d1fba885baf39cf4bd2071280da75ada15a3b9ce9ea

SHA512
d6de472c2556d8dd715278e7a92deef350bce22715efc37d48d2806d7b23cfe3d3aa41e507178018548a097402458f8fb59b266a4da2cba2fb4788ef37ac97a2

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
400KB

MD5
a6b2d3a479c5191d828ab099c20c45f0

SHA1
16728cb63279941d761643227be85a4f8dfde41d

SHA256
8ca2a910706aa1a82a666561115465720b5c6291277a880f5134acd167b9f923

SHA512
e25ef1c8e253cf7273e9d061d3f5248575f771ab2ed7b3c8b6e4b47b8b1429f2d66782464b93c7f619a19a047444fdda7e8c95c246e56467b32622e2234faa81

Download Submit
C:\Windows\SysWOW64\Gmnala32.dll

Filesize
7KB

MD5
ca23215a2e068b6fada68e807ce42736

SHA1
fa7ccb7f5e827a49dc85e0fe7e2459ba08559d2e

SHA256
255d69848d76a2670c595cad4dbfe8504490a1ebb603c026c7998cb4fdf1b2fa

SHA512
319ebef0760a311b3de4cda5547cf25df71040fa16cfaa2525cc9edf3df6ffaff3c7ac3fcd9d138e9f7ce9af31243e9887fce79f3ee1c9f281612027471b6d75

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
400KB

MD5
82eb26d3560fbc732989f97132fa189c

SHA1
4b79f66c0a35924184d3de9d49e94d2ecec39496

SHA256
6d9b32a6cc63fc1228840c629923bac2288bf73657e5f5eaee3c7602545b6fad

SHA512
445ec23e5fe48ab42f810333ac17f16d5910d90b66aa4f437c35c3f3d99428a392619ddfba49a231fb0525fd2c4e78f5f7308364f43364c66fe8b31c0895ae73

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
400KB

MD5
ecfaa7a048a51c11e5ea26d4c112adbe

SHA1
c8949b667cb36788d015fca4377c912bf0b555d2

SHA256
f7288665a35bb199cb550ee0ee588660e08e59f7a2eaeb5fba0fcfe64d2ea28f

SHA512
1cda2d5a9dbe29b55504473847c7938484ebe503455870bde53f8618cf165bdc1caa99d78d1af4dadec611e78f8f43a64acb20b434e53fd55cbe632889cf1708

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
400KB

MD5
fe4e08642e0c808d4e7be60fadd3b7ec

SHA1
3665634e23371d174dae6eb0e4e1689bee89aacf

SHA256
feeee088810c1f507477351c68f01181a95cd30e7afea884fac6de7a0696855e

SHA512
10a25be0b34130fe8df53e478618c1a80dbbdd2fb4e1151b1fb0f7fc80a3d40861f13d2dc2b5926b24a0dec8062f4ac05546196241f026f14ca15cf8cffe8c77

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
400KB

MD5
aaf263eff288f452e645813a411bf802

SHA1
f223ef8cec9904b647b19753bc72733b1503fcc4

SHA256
37758df2391464283f24666238c94176c4059baa94b3c08120a2ee7ccd2a3df1

SHA512
eddb737131815f3d8b39970f75b04a1b486d80c20e290d45a1931b30e6fdf8eafef585cd4658a207de6b736fa75c8aa695f275b32274407e0bd265483961f98e

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
400KB

MD5
0caf95a6328df70bc0de4809acd3beb1

SHA1
0b41f302ec2086688010961a0e27cdb6a4cfc300

SHA256
9bc998347f2d3f46e2dd83330ae017a50536cc80e36568ba72ecc143f387fd72

SHA512
92fe148d2a6e1ffb92b6d1db7bd8625434bae59698f47c0675a1a854bb2afea92b4927974cc6a567dfc4bc8aadc47f6367c209745352da119b81ad12853c4135

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
400KB

MD5
d13be63c08a0ff54188135cd16fc9fba

SHA1
90ab4155912293275e965cb9d9e1cf9d1cc4ece3

SHA256
da8e9244e88e7fde30e9d0df4b08e26d6ec45dbed5e36772b856e841800a9a01

SHA512
574ecb796ffe8b3c39abff155c9b55057dee05f3e7e3467bfd92cf118fa1f4895cbb75d7466a3da87c667eacd274c26310360a38163c920909c30f5cc3ae5a5a

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
400KB

MD5
7d2165e5cd9edc84486b1798bd4a242a

SHA1
b821d21d64c609bbe0a50e0872d2cbb30416dac6

SHA256
a0e7c94d8e42206563747a80793169ed3ac4bf0e790552815651d11ae38d9d9b

SHA512
07e62a6483911cecafe2d90f37893c610d0d78e670d49a89fb55f16d4b7b3cb360b14b9f00531c636f032ddc660dd1c3094b658ca968aa3bcf56d321e733142c

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
400KB

MD5
07225eca23dbe7ca3e0de17472c9275d

SHA1
3b67929d12e2936361124bf597a463d7c868b96d

SHA256
5024fc13c822690f20d9d9531a7eab23f97b37b2871728d263f9552e58a1e159

SHA512
5cbb26b4bc65305f5b46689745d5805329f9f92572d2d8e44174510d69b46d7d06e65cb4415219b3876620ee3c0ae8cea9debdd3430d24f33d20809859b4c07a

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
400KB

MD5
544743d7b978dddd604b858c38afc37a

SHA1
4e9848ad373d24db981b8705f3df3cedc374758c

SHA256
fe7ac39656fd4fb90856fa4075163fe9354eeac2f16cf938e95cdf468dd96adf

SHA512
7593fbd0df8f138cea045cbd7370f70059e483abab28b052a1e4f477716bc75f7ea6e286eeedafba7e12ab6fbe9e6b66864c0817293092ac673727109e5e9322

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
400KB

MD5
b7939765ad0502c877ed0c58aaeb2cc2

SHA1
ba85c7dca369b0d2a5951d2937e38248b1849845

SHA256
12e7bf8e7a8e7b5df9f2cb751b146012b3827acfc4587504dd101f019f58a47e

SHA512
3cd06c32daea7f874489865b8bc97e80a1668664d466334f741da80322a59c9a5a2fe5e3792b2bd4297bce866de94e09751d47fbfca8c001e6c2813ffe47497d

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
400KB

MD5
d66a25fe6dd936b40d667351550572e8

SHA1
41b4269fd063f4d1b37dcfefb22114b215aa4106

SHA256
aae691a0b0ea4b9a92b9b10994195c99979c2385946165f8dedb968d480180c1

SHA512
f8a72982219af7932868bf7f3f77fdc8a5672c622aec53be4cca2a4c07664aef747b061c57c6e6eac66d210806ddb1babd20e7ccefb8a7d7b4796db0504c45fb

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
400KB

MD5
b082bf9c4f3004a27964aaa6f10e8c81

SHA1
be2bd1db049106f56039ec2eea5a28ed6ab86ed0

SHA256
66ce456e3654af622cf0a1ea7251869674418a9edd1b1d9bfdfdd5721ee57512

SHA512
eae7578e3f21ddc220cafc38fddbeba2b9fad7bd98329c1e10c5b221c2562466e9a9d523331492c84d171866d363aa152b9e39bac82f8234b98efd3cd651b400

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
400KB

MD5
4a897b8486f51d571bb4c90e924341bd

SHA1
b7230b0d556fea8094ed9f1b73321d160a40ad33

SHA256
c4cd33cde009d9c5a947dee89b8ded775a0af082677efed8c80ce4d52f5fb0c6

SHA512
558f6429e7a8a91ac143a559199e89734a5d0b888c4342f9d4b4a5aecabe2729a6e5023156372d76d7c9c1034370d19084e1e9abedf3ab7c0abc0b3dd6dad04f

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
400KB

MD5
90fe3c8ef7d60351accead790b2ce863

SHA1
115130dc6656a7e5a47b12b21343159db70aff4c

SHA256
2b00760077ab070c26e0148a76b21f9ba37530c6cbbcf56279f766924528b15a

SHA512
a144b6efb4f650447f5d48f14b083d866b0d8076cb1361e211a61e486e07fc9e57bb11355a3d9f73bd3c1bb91ac7f5f2a09a05c66ae7b148a5e4bf76131588b2

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
400KB

MD5
9f5251dd0e4ce9574abec8e6e6ad59f3

SHA1
61054dc9481bfd2afdab6ad877bffb7a67c6d536

SHA256
2f3a5de3b2560c710092f20bb089ed999097b965b47cd1a9e82f8d71e103f73a

SHA512
1a4bba613a556200d9cd8fe9b0384241e1db7491d334b5731017e416971e290ccf382fee559693d5a77f03f06d903c602b637fc1c6153bac6eb935847e4943cc

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
400KB

MD5
5708c31f8050edc38edd714b5786c9de

SHA1
b1a1c469ef06055055e0cd2c8bd319eaab157377

SHA256
a33bf16a892557251ee9531c1459ad2c56c261f108ff2c168b358246982da1eb

SHA512
81ca7463c2fdc884e5916563b37097baa3fa5c5569fffd123aa009a5a932856cc10d0e2d26c052eabfc3b63c0e949d135384d3ff68f794132367a2651d53f40e

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
400KB

MD5
db1b02b3fd5e4f0296c90e9bb25603f0

SHA1
5b6d7fb1b1a1e811d4c98e7d328d9335a4c4b6dc

SHA256
d4c6481fee1c626dda0aeeebd9faeea379a8f89bc514b0d8310776c1136b97ea

SHA512
5f9b466e4a15ed0de2d9b3d90f4ef984f23054a0811ecf1df8304877e8b8d9e5791fd279c72d67e6d5566bdc1d10a42c7998ea4ceb715bf26e5ac91d16debc99

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
400KB

MD5
809fa8b36869c253337d39b868aa5039

SHA1
a5b2858f7575e3d3c1789892877b9e2900ba0aed

SHA256
da319ddf2e0eac77f76f9caddf3eef24588b43b02156c2f447696b803da14218

SHA512
54b4d64e8e0064827dee63224b726289f3733d8bb838305560cebed061ca10cc2214e7cbb38ebe5e10f7dba70a010023a9b6aa8a32a5ee852635baf689cbc1cf

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
400KB

MD5
1595ad992b88428d4c6742ec076ffcc4

SHA1
c3d03fbc1b99901fd89f0089d7a911ddca9420d3

SHA256
a310465a473dd0e5aedcd3dfa611d123b2f076a285384bd0ef42611ce121ff97

SHA512
3fe983b6d8e5f33606fb6e94d047d9d2c58866a592568f03ee2342af9cea30eb2a0efba246040d382cc68e4cfaaeaaaa6e6c15a65f624d0f0a2ab9e0eb104b3c

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
400KB

MD5
77fb687de7ff90b8eee3300db6c4a3af

SHA1
1f329b0751507d302f15bd6563498ec2c127083e

SHA256
b09f35ede2f6cbdaa0b98cba59d95cea0b8e06c2885568caeee974c456cb1915

SHA512
2d12b77f1b8665c1e823f1ce3595420f28365843187c82a7bce01e4125b5fceb5f5a53575280f543f9531992d9595a421e0d596d285e0ab53fa214882ad7d938

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
400KB

MD5
eed6d0cc0cc4acd376fe963e884dc6d4

SHA1
622e75cdb99163cab0fc45ae65f6135e68e80b3b

SHA256
a76074ebab77d197585308d26a54880abecfd872b8900f3ca33ea1b6c8462569

SHA512
c581187793f828f8d60d68b31e9b27df437e2a90d8017661c53c42ea295577e76964b169eb5a3ab1d0787ffcfefc022241d28437b71e6d57e4384e6e936f3164

Download Submit
C:\Windows\SysWOW64\Odalmibl.exe

Filesize
400KB

MD5
4826936fe20653de262ed47fad874d46

SHA1
d295586d7a3b7dc86b2d9e4b1fe6fd58230f2afd

SHA256
2918bada4ae53bd14807459791978add24d4141ffc77c28cd2d20aa502104a07

SHA512
e6e52ef709593494b6d30cbe0816db9908d1c61faa4389ebb68a73e0aebecda003aec0dd59c7795863ab4bc453231ba7251eab050bea2b1d85ff350521d275aa

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
400KB

MD5
43feeb90a86944696ce1484cabed1bdd

SHA1
52c9405a177fa9e27e53186742f70bc7bef42471

SHA256
776f8ab20e0151d886b8417517ab12a7c77c9a2750726200f1ff4dd70fef233f

SHA512
9dcdbe7e4de2a301f16b1b8a998ae2d5c24033867186cbf5289b9d05bfe17c0ca4c3e81215a3f6841909d5676cc8b81c011dea16d9f390c666fe9229d23ae3e1

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
400KB

MD5
ed7727a4a077241d140dad1452754d5f

SHA1
35c26221c8e3099af0bbdd02e5897e66fb16dae6

SHA256
67fddbab0124b4def84bb077518c2d77d90e495fe64a2561b80732a181d159d0

SHA512
0a88ecc820b0c3fc441d210510d11aa2e03b9f370d4cafa251bbd5639ed69b6d096f23db1b84945c66ed90a5fb517eff829aeea7d9985343fe68b73a0a044fd7

Download Submit
C:\Windows\SysWOW64\Oogpjbbb.exe

Filesize
400KB

MD5
96fcbda36d327b2898331aedb39248f9

SHA1
3fad82f4b6d0e0aca01bbda3830ac9f3c91a1fd3

SHA256
d5b26ad18feada0957183353979c963f323c4a81ff0984b0415ea449f8f234df

SHA512
efcdacd2cd23b24f0e50357a207768ab75966f861fd7eb93b32ed840bd88b4b1b2b4fa1658f8537197d9c746f489ea33848de35f23fd6294848d5375d23c4ab3

Download Submit
C:\Windows\SysWOW64\Pahilmoc.exe

Filesize
400KB

MD5
58983a11ac03b2d158668141fda3c747

SHA1
9e9e53842e77929d875e7cb0809f76f8044746f7

SHA256
e7d73a4900fe91d8b6e7f8ef8b16ced397df25686b0e6c0e4576f7b90c865c35

SHA512
1668ddb2ac7b22b8c30111841c25ddf6db2894b079d5421dfc35be585a9a2ae354faabf099545f9d3259a34bf687271a193869fc26d4f6c7fc8bd349ceca0b5d

Download Submit
C:\Windows\SysWOW64\Pajeam32.exe

Filesize
400KB

MD5
61afc166aca3d42e89d0cc6919245692

SHA1
6dc196cebd9cbee22c29c0d26655ee4e16ef81db

SHA256
f3dfef094a1f325cc187fdfd2a04b200d39ff3d8f647b2afbfe89d7b75971488

SHA512
c6130063bd0d1a671783aafa34289f973064ecdf5aedc8bcb6d7eed7ae8ffe990a33ad1dbfe26607259d9d1f55355fdc1b16fd505ea4a32611d78c7539a59b96

Download Submit
C:\Windows\SysWOW64\Paoollik.exe

Filesize
400KB

MD5
5729a718b6456d2d8e58a4232aa0582f

SHA1
d8e5dbdfe674477222b4f18e5ce9aa8e21286645

SHA256
531b3fa47b381febb5ce06853a570ca4021a49b344854f429f11933310ac954e

SHA512
79d9572204cd9f3b2db2a6f1f4ccc3ef947c2e8d4b6c27ff06cfbdcd54e7b4ca700866ba85afc695808a398b728df22e5f343eddcd591e0c38bd4bd3c8d42f05

Download Submit
C:\Windows\SysWOW64\Pdfehh32.exe

Filesize
400KB

MD5
94d358bd494e9689a460b1b14eb430e0

SHA1
c57df28054b336c1ef429b974040a512e949c26d

SHA256
069363a3325fb0778864a3c2ffda6ba3da3ca6790af86c9bb8b89d452e39441f

SHA512
cca323437af155f10a7367256e7a09255695207544f8c3c87e6e6546ba32a92a7bef98d2de819a649f5a142cd52dde1311169567f9409fae722044a8b9a62840

Download Submit
C:\Windows\SysWOW64\Pdhbmh32.exe

Filesize
400KB

MD5
20cc2e279a1c940ab147ec340bb4cf80

SHA1
52f20b35302936bfaae9bc75aaf81839fd4227ff

SHA256
097a9d230fec8f57611464293cbacdb8540641744db8eda669be9d132f83e0d6

SHA512
3f8d735afb4e13c57491cd4c338a3e0b6b6c82bff7431419ddfd7ad5ba9a94e8259f50cb7b5dfa62330f54b4163ffe67aa30e1c25ee055bef6c8981db02798c0

Download Submit
C:\Windows\SysWOW64\Pdkoch32.exe

Filesize
400KB

MD5
2b473e8000965a00179219b19a7d2529

SHA1
09bb3bd971fa729f2e6800bc73bc0443a424da68

SHA256
0a023576b12de12e7d6dd7e01df771e95b3a3d85d56a8e204476e1d4e223589a

SHA512
1b165d80c0845e695ea2916332ca3617cf2584345324804afb284d89f922030bb8764f39a130c7f56cf64d693bc9e6728367ff947126fd0b274794478b9be783

Download Submit
C:\Windows\SysWOW64\Pdmkhgho.exe

Filesize
400KB

MD5
416a8e7a2c759eaf1bfe575ed42ac9e7

SHA1
02f1fb52951ee5cea5bec64eb562be185014a250

SHA256
15d91c54755a7987c357b9068618cb66b64bbb13c8b04a254699121ab447a7ae

SHA512
0fa97dcb119cc5526623973c4361549d9cc5f96af15a9f057b1b6c6d5361dc16113b0b5fafddb7bf6111da2940831179d7d2d1eb73b24a894ea5aafa8b1db0ec

Download Submit
C:\Windows\SysWOW64\Phigif32.exe

Filesize
400KB

MD5
abab112ff48f9f39b4bb6a26aeb784f8

SHA1
a6a4df404d8d0ab66df30602b90390fa4a63e143

SHA256
5eac8544cc29f95d1244ce8e4334ed3621ca7d096fd40f6040aea39a468ab5fe

SHA512
c8aa44bbf26bfd437a5e527f20450598f66c055c7ee6ab150187174ef6ca4a4639a216fec4d309b2c9e1f9e2899132a4444643850da300e651b76fa2bf99af33

Download Submit
C:\Windows\SysWOW64\Pkgcea32.exe

Filesize
400KB

MD5
12fa457844a27d6f1b4d2b2c8bafc2f2

SHA1
f1a63f03ca00ff89014cc060ac1942ad68cde2b5

SHA256
c8a09b27fe569c76403630aeabd8e84da63bda0f53e828f35a5588f642a61efa

SHA512
8aa7e99b22dbc4908a2d489de90cd198e072fba76fd5796d8787a1d0a336b329903e5d7834fb832d29776469d2c6e3acfadb63846d2ff6fb4602eec020a2f624

Download Submit
C:\Windows\SysWOW64\Pkpmdbfd.exe

Filesize
400KB

MD5
c237763929433b749df2c96a621c7d46

SHA1
17c400f9275e8e82ece2c6742c01bf6b08dbca57

SHA256
3ce0cc2c6191047bf277131d69e52e1c834b5c7a08e4f139a1ede8eda894f8e0

SHA512
0463e74fe9d4779f428297e8567e1e2ed2db86f31f8cc24ea318b52c3e7512370974001d59751a787132de68460764c08ca4451d2ce3ccda51da47a1c7e6dd33

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
400KB

MD5
d609319c2ee749e49cfe4decd2c09f1d

SHA1
a21c39b7e0b404dd3688fe4263484fa815373df2

SHA256
efef59af984c8466588311249d5274a00cbe83cda05a256b7a0a139b7a73f5eb

SHA512
f41cc6a1c70693f0586b49faa81fbc66dde5479970938a05b7f32df1ab96aa1b0a5addefa97612f04fb460bf4346ad7edea12cbc3c08c076c32342392022cc6d

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
400KB

MD5
d5d8251619460e577766002a9dacc37f

SHA1
e3e7f31011beb465fd3e6cb783612a9320944ab3

SHA256
acedd912c587f9e1ec0026170d336e99a33c98035da012876274899f19b8983f

SHA512
600fc2b57ef64a0318dfa0b2cf2c85bb56a7b93ee159538d7cc2c06283b6fbb7847e777ac63d8f1d9ac0be44e53e12478f48026ece8c230d4b93f7ebf0efbe8c

Download Submit
C:\Windows\SysWOW64\Pmoiqneg.exe

Filesize
400KB

MD5
2761c0be7789a5579257e864f17e5e2a

SHA1
07a6b67e5c9c77576e6ebed5d947115ed04c6e4e

SHA256
8e4cce7278a1284d72d5cfbd6962279758f642900c4353111ca8e2bcc8c5648a

SHA512
6246ab3d08ea0d491df74ce611c49201a3373e56a39acb68a097949161dd86e7df2935f9f79fed7c60006e98dcbc6451504526dba353744cf6872624395d3953

Download Submit
C:\Windows\SysWOW64\Popbpqjh.exe

Filesize
400KB

MD5
e5712e794bcbb1be648619f9fc331b0e

SHA1
caf265ee24e505990e528cb3e5364a2f0ba49080

SHA256
107705660b9255624f3569633dde5e55d260df9d5d44fc8b0eabb34903aac6b2

SHA512
02ae54fd415dc83d0d4eb724a2988618620f04350636b8a541389e63f3e230500fd7ad05f676f5709dc95a45543fdc0b1e9e4d7357df561fa2990e0ef19625a2

Download Submit
C:\Windows\SysWOW64\Qaalblgi.exe

Filesize
400KB

MD5
f49b15b1b7480f192196ba6aed01ff69

SHA1
8ff5f8ee9deca59e345416f7f234f2333023ae78

SHA256
4cd8c884fb4cdafbb7545d6f393069dc2b7b03b201133b3a08209e331416f501

SHA512
c912f91f5b148f3023efb8e550fc4998a0d65fe2c765cfadaa5b669085592961f054ddb1a3f90db4d042ad574bda6c34744425a8ba9b95d9f1e0cd0928121337

Download Submit
C:\Windows\SysWOW64\Qdbdcg32.exe

Filesize
400KB

MD5
ec091b81c88a6afba7bffb302f94cb83

SHA1
50dc445069ea3008752e7c13a57189ffa453a784

SHA256
d0b25f9526bb0f36ff8b51ff648b2035e9cf376f6bc236e3e0aeeddcb7842a1b

SHA512
f3d6ec4c9da5601d878b26f2ba4b1bd0bce40bb4bf922ea5355fba0501f17c6feedc504e30aee6bfa3c6296848eaadac6ab93e86ee0a76515c2a16a15c2d50d8

Download Submit
C:\Windows\SysWOW64\Qdphngfl.exe

Filesize
400KB

MD5
7e0541f67e75c88ed2ffeae3c410ffd3

SHA1
a0ccbf39bd5a604ea166fc864a7a60c2e05d0cb2

SHA256
0631cb33f22c6f20e8b5635e5bb67757b327a4633ab55acd23f50645446e9c97

SHA512
14babd4879a743acb2dcc09aa8b7d980c57b4ee9446716a2ed63fa97a4ec403fbd72f686a39bbc0f34226e6468ca06edf7aee24efdb593e97705ce6ed7c0edcf

Download Submit
C:\Windows\SysWOW64\Qeodhjmo.exe

Filesize
400KB

MD5
0771528b6adbb398ee5cd3890bf771e3

SHA1
2b0b98b2f410523b3c76723734b344c71e9ba8e0

SHA256
3f125ea70962434b1c5239cb98c2bc581153e440cb4653b43f40aaf32e4e8de6

SHA512
787ed0e3364ec6c0ea164932f4eba6ced370cd2273ac896eb57204c543515e2dd4a6bca16365794a5ecc777afc392b69285567c43f6625a83846d795259eb809

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
400KB

MD5
dbdaab0b6f29d68ad4d62432810f1c3a

SHA1
31b3d06764c4edae6eacff2b972f64043ceb3512

SHA256
5d2b89649bc10970e10c1cc74a09c5da5d6efa4a425cd78105d543821cac382b

SHA512
f56eba23e3f5df6272c0f5f218d93e0c00466ccd691d1a47cef71eefc5db0208be21aceddd765ebabc1c25a97596609b86e900a4b1390c544fcbec64600d6e19

Download Submit
C:\Windows\SysWOW64\Qlimed32.exe

Filesize
400KB

MD5
73b437f1e08e167b6bbb667867f45588

SHA1
a409c737a876dabdbb935b0fee03819f4cf154ff

SHA256
b581673bbc6f7b1a9005ff4803ac22a206743d32f07b0fd5a2c83383b93744eb

SHA512
cd0d39926ba4acc9ba836d3ee89a7cee15b062f2445840faddf0d52079453f198bffaf9dd03975cfb8fff873a375a9f2d6c053cb23220c90e690cb44839cbfde

Download Submit
C:\Windows\SysWOW64\Qmepam32.exe

Filesize
400KB

MD5
fcdc9c6777aa9a6fd42c821eca21f438

SHA1
99aa4abc572aac6f84728ea67760111fb0de1b90

SHA256
95c7ba4c4b33a0db05bc4dbbe124095f399a5c924fd4a517e75b671c065b53d2

SHA512
19bc68406bd98bfa86c620e6143642b35fd644b1b1103a0dd0badb411c0a2a2229a90719963a8357755ce75cfc8a6edf3ac8e2a459d0408cb83d111b9b1a5225

Download Submit
C:\Windows\SysWOW64\Qmhlgmmm.exe

Filesize
400KB

MD5
5d3146cd948ee8a79f668408779b9b36

SHA1
1acb930f9afc6b3094ab99e4f2068da79adf18ac

SHA256
381e651872a2b365eaae8686a1064af79a7d4ca54b8e6f69d2b0413884ff7deb

SHA512
1c4275060b2a7068df3af81a91bde9b25601f91eaee23ed8d83db85dd87e57a392dc16c9b42d5e6dc734029ef4e75e7a30cce0b40352c60e60b43a66f07ed2ab

Download Submit
C:\Windows\SysWOW64\Qoelkp32.exe

Filesize
400KB

MD5
09aa1b0b96df0bb209891acfb9290321

SHA1
bdd7bb3ef508a12e4944475ce89763a864f5387e

SHA256
2dccaacb5d0b71e43125d572912aaed0d5b551f32373d89842bb7e65fcb4b895

SHA512
ddbeb245fa1fdb3a63b77ba087af8d5db56731c2dd102b11165702e548d9ad58a26bfa575e8c926ebe24938fa79e4a60f78fc025f05ff5e8a6536b79e5a632eb

Download Submit
memory/228-365-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/372-85-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/372-593-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/404-336-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/452-714-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/464-225-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/464-700-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/696-319-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/800-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/880-526-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/912-383-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/992-377-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1052-330-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1260-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1260-629-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1440-313-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1480-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1504-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1596-186-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1632-42-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1632-563-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-389-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-194-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-676-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1948-302-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2256-695-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2372-492-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2388-202-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2388-681-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2396-248-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-574-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2592-400-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2608-279-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2632-693-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2804-359-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2884-290-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2944-670-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2992-708-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3104-68-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3104-581-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3216-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3216-569-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3272-140-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3272-634-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3292-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3292-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3496-532-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3496-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3712-688-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3712-210-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3720-77-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3720-586-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3732-296-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3828-2753-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4100-178-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4108-659-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4236-272-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4244-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4280-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4284-481-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4336-2701-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4384-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4436-539-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4536-623-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4536-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4576-411-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4628-371-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4656-600-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4656-101-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4684-599-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4684-93-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4704-2747-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4800-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4824-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4824-616-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4840-2873-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4840-493-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4844-611-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4972-641-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4972-148-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4988-504-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5032-557-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5032-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5064-155-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5064-646-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5116-653-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5124-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5144-342-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5176-469-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5240-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5240-545-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5288-348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5436-707-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5436-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5628-412-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5800-520-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6056-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6056-537-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6600-2665-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6976-2605-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7040-2621-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/7992-2518-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/8548-2455-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9152-2475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9236-2442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/9824-2396-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/10020-2423-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/10232-2402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/10504-2374-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads