4c9f514d9fba8327ad2b8c01a94ee654f426796289f182a09e240b5fdcfe8d82

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f53935a14b5a4301a4090a40b4a8600N.exe
Size

336KB
MD5

8f53935a14b5a4301a4090a40b4a8600
SHA1

146b8a659f41e511be4febc983cdeef74bdee0b3
SHA256

4c9f514d9fba8327ad2b8c01a94ee654f426796289f182a09e240b5fdcfe8d82
SHA512

e6002c67980e6f10ff4a51bdeb064710323ca2c11998505c4b51c8a3a101f5a5832a9a87d2f6f2d29e374aaa6ebfc364561112e3c25c79a0c461b3b22afb65a1
SSDEEP

6144:h58IZq5A7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOE:r8du7aOlxzr3cOK3Taj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe

Executes dropped EXE 64 IoCs

pid	Process
2124	Eadopc32.exe
744	Edbklofb.exe
4856	Ehnglm32.exe
1824	Fkmchi32.exe
4372	Fcckif32.exe
3264	Febgea32.exe
2760	Fhqcam32.exe
2900	Fkopnh32.exe
4692	Faihkbci.exe
4704	Fdgdgnbm.exe
4848	Flnlhk32.exe
4972	Fakdpb32.exe
1328	Fdialn32.exe
1388	Flqimk32.exe
4448	Fooeif32.exe
1444	Ffimfqgm.exe
2964	Fhgjblfq.exe
4720	Fkffog32.exe
4936	Fcmnpe32.exe
2460	Glebhjlg.exe
3496	Gbbkaako.exe
4516	Glhonj32.exe
1244	Gbdgfa32.exe
536	Gfpcgpae.exe
1496	Ghopckpi.exe
3312	Gkmlofol.exe
4360	Gbgdlq32.exe
1520	Gdeqhl32.exe
3756	Gmlhii32.exe
2068	Gkoiefmj.exe
1248	Gbiaapdf.exe
4384	Gfembo32.exe
4492	Gicinj32.exe
4912	Gmoeoidl.exe
4132	Gkaejf32.exe
4088	Gcimkc32.exe
3548	Gblngpbd.exe
4020	Gfgjgo32.exe
3552	Gdjjckag.exe
4688	Hkdbpe32.exe
640	Helfik32.exe
2196	Hmcojh32.exe
2192	Hcmgfbhd.exe
4840	Hflcbngh.exe
1596	Heocnk32.exe
3492	Hmfkoh32.exe
3324	Hcpclbfa.exe
2640	Himldi32.exe
932	Hofdacke.exe
3968	Hcbpab32.exe
5012	Hfqlnm32.exe
1944	Hmjdjgjo.exe
3128	Hoiafcic.exe
1884	Hbgmcnhf.exe
1832	Iefioj32.exe
1568	Iiaephpc.exe
2220	Ikpaldog.exe
5040	Icgjmapi.exe
676	Ifefimom.exe
3432	Iehfdi32.exe
1564	Imoneg32.exe
1404	Ipnjab32.exe
5108	Iblfnn32.exe
1480	Iejcji32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gcmdhh32.dll	Febgea32.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Fhgjblfq.exe	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Hcpclbfa.exe	Hmfkoh32.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Gkoiefmj.exe	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jgbcdnbb.dll	Gfembo32.exe
File created	C:\Windows\SysWOW64\Hnmacdaj.dll	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Gbiaapdf.exe	Gokdeeec.exe
File created	C:\Windows\SysWOW64\Iifokh32.exe	Iejcji32.exe
File created	C:\Windows\SysWOW64\Flakmgga.dll	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Heocnk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jeklag32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ohjgdmkj.dll	Fkffog32.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11108	11028	WerFault.exe	511

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmlofol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmfkoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmjdjgjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkffog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdialn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glhonj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmlhii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnccmbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfgjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcbihpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmqkjel.dll"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdjjckag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkooklb.dll"	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2124	3900	8f53935a14b5a4301a4090a40b4a8600N.exe	83
PID 3900 wrote to memory of 2124	3900	8f53935a14b5a4301a4090a40b4a8600N.exe	83
PID 3900 wrote to memory of 2124	3900	8f53935a14b5a4301a4090a40b4a8600N.exe	83
PID 2124 wrote to memory of 744	2124	Eadopc32.exe	84
PID 2124 wrote to memory of 744	2124	Eadopc32.exe	84
PID 2124 wrote to memory of 744	2124	Eadopc32.exe	84
PID 744 wrote to memory of 4856	744	Edbklofb.exe	85
PID 744 wrote to memory of 4856	744	Edbklofb.exe	85
PID 744 wrote to memory of 4856	744	Edbklofb.exe	85
PID 4856 wrote to memory of 1824	4856	Ehnglm32.exe	86
PID 4856 wrote to memory of 1824	4856	Ehnglm32.exe	86
PID 4856 wrote to memory of 1824	4856	Ehnglm32.exe	86
PID 1824 wrote to memory of 4372	1824	Fkmchi32.exe	88
PID 1824 wrote to memory of 4372	1824	Fkmchi32.exe	88
PID 1824 wrote to memory of 4372	1824	Fkmchi32.exe	88
PID 4372 wrote to memory of 3264	4372	Fcckif32.exe	89
PID 4372 wrote to memory of 3264	4372	Fcckif32.exe	89
PID 4372 wrote to memory of 3264	4372	Fcckif32.exe	89
PID 3264 wrote to memory of 2760	3264	Febgea32.exe	90
PID 3264 wrote to memory of 2760	3264	Febgea32.exe	90
PID 3264 wrote to memory of 2760	3264	Febgea32.exe	90
PID 2760 wrote to memory of 2900	2760	Fhqcam32.exe	92
PID 2760 wrote to memory of 2900	2760	Fhqcam32.exe	92
PID 2760 wrote to memory of 2900	2760	Fhqcam32.exe	92
PID 2900 wrote to memory of 4692	2900	Fkopnh32.exe	94
PID 2900 wrote to memory of 4692	2900	Fkopnh32.exe	94
PID 2900 wrote to memory of 4692	2900	Fkopnh32.exe	94
PID 4692 wrote to memory of 4704	4692	Faihkbci.exe	95
PID 4692 wrote to memory of 4704	4692	Faihkbci.exe	95
PID 4692 wrote to memory of 4704	4692	Faihkbci.exe	95
PID 4704 wrote to memory of 4848	4704	Fdgdgnbm.exe	96
PID 4704 wrote to memory of 4848	4704	Fdgdgnbm.exe	96
PID 4704 wrote to memory of 4848	4704	Fdgdgnbm.exe	96
PID 4848 wrote to memory of 4972	4848	Flnlhk32.exe	97
PID 4848 wrote to memory of 4972	4848	Flnlhk32.exe	97
PID 4848 wrote to memory of 4972	4848	Flnlhk32.exe	97
PID 4972 wrote to memory of 1328	4972	Fakdpb32.exe	98
PID 4972 wrote to memory of 1328	4972	Fakdpb32.exe	98
PID 4972 wrote to memory of 1328	4972	Fakdpb32.exe	98
PID 1328 wrote to memory of 1388	1328	Fdialn32.exe	99
PID 1328 wrote to memory of 1388	1328	Fdialn32.exe	99
PID 1328 wrote to memory of 1388	1328	Fdialn32.exe	99
PID 1388 wrote to memory of 4448	1388	Flqimk32.exe	100
PID 1388 wrote to memory of 4448	1388	Flqimk32.exe	100
PID 1388 wrote to memory of 4448	1388	Flqimk32.exe	100
PID 4448 wrote to memory of 1444	4448	Fooeif32.exe	101
PID 4448 wrote to memory of 1444	4448	Fooeif32.exe	101
PID 4448 wrote to memory of 1444	4448	Fooeif32.exe	101
PID 1444 wrote to memory of 2964	1444	Ffimfqgm.exe	102
PID 1444 wrote to memory of 2964	1444	Ffimfqgm.exe	102
PID 1444 wrote to memory of 2964	1444	Ffimfqgm.exe	102
PID 2964 wrote to memory of 4720	2964	Fhgjblfq.exe	103
PID 2964 wrote to memory of 4720	2964	Fhgjblfq.exe	103
PID 2964 wrote to memory of 4720	2964	Fhgjblfq.exe	103
PID 4720 wrote to memory of 4936	4720	Fkffog32.exe	104
PID 4720 wrote to memory of 4936	4720	Fkffog32.exe	104
PID 4720 wrote to memory of 4936	4720	Fkffog32.exe	104
PID 4936 wrote to memory of 2460	4936	Fcmnpe32.exe	105
PID 4936 wrote to memory of 2460	4936	Fcmnpe32.exe	105
PID 4936 wrote to memory of 2460	4936	Fcmnpe32.exe	105
PID 2460 wrote to memory of 3496	2460	Glebhjlg.exe	106
PID 2460 wrote to memory of 3496	2460	Glebhjlg.exe	106
PID 2460 wrote to memory of 3496	2460	Glebhjlg.exe	106
PID 3496 wrote to memory of 4516	3496	Gbbkaako.exe	107

C:\Users\Admin\AppData\Local\Temp\8f53935a14b5a4301a4090a40b4a8600N.exe
"C:\Users\Admin\AppData\Local\Temp\8f53935a14b5a4301a4090a40b4a8600N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\SysWOW64\Eadopc32.exe
  C:\Windows\system32\Eadopc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\Edbklofb.exe
    C:\Windows\system32\Edbklofb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\Ehnglm32.exe
      C:\Windows\system32\Ehnglm32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        24⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        25⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        28⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        29⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        31⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        32⤵
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        33⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        35⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        36⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        37⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        42⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        43⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        44⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        45⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        46⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        49⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        51⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        52⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        55⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        56⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        58⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        63⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        64⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        67⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        68⤵
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        69⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        71⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        72⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        75⤵
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        76⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        77⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        78⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        80⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        81⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        83⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        85⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        86⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        87⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        89⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        90⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        95⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        96⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        97⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        99⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        100⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        101⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        102⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        103⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        104⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        106⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        107⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        108⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        109⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        111⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1836
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        116⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        117⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        118⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        119⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        122⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        123⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        124⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        125⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        126⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        127⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        128⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        130⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        133⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        134⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        135⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4328
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        137⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        138⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        140⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        142⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        143⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        144⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        145⤵
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        146⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        147⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        148⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        149⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        151⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        152⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        153⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        155⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        156⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        157⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        159⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        160⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        161⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        163⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        164⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        165⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        167⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6752
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        169⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        170⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        171⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        172⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:7024
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7068
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        176⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        177⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        178⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        179⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        182⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        183⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        184⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        185⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        186⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        187⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        189⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        190⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        192⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        193⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        194⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6908
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        198⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        199⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        202⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        203⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        204⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        205⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        206⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        207⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        208⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        209⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4024
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        211⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        212⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        213⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        214⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        215⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        216⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        217⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        218⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        219⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        220⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        221⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        222⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7700
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        224⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        225⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        226⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:7876
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        228⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        229⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:8008
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        231⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        232⤵
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        233⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        234⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        235⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7300
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        238⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        239⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        240⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        241⤵
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        242⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        243⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        244⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:7928
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        246⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        247⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        248⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7180
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        250⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        251⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        252⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        253⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        254⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        256⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7940
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        257⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        258⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        259⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        260⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        261⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        262⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        263⤵
        Modifies registry class
        
        PID:7992
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        264⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        265⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        266⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7908
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        268⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8176
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        269⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        270⤵
        Drops file in System32 directory
        
        PID:7552
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        271⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        272⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        273⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        275⤵
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        276⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        277⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:8320
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        279⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8408
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        281⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        282⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        283⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        284⤵
        Modifies registry class
        
        PID:8584
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        285⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:8676
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        287⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8764
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        289⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8808
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8852
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        291⤵
        Modifies registry class
        
        PID:8896
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        292⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        293⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8984
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        294⤵
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        295⤵
        Modifies registry class
        
        PID:9076
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        296⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        297⤵
        Drops file in System32 directory
        
        PID:9164
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9208
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        299⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        300⤵
        Drops file in System32 directory
        
        PID:8316
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        301⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        302⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        303⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        304⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8664
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        306⤵
        Drops file in System32 directory
        
        PID:8732
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:8800
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:8876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        309⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        310⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        311⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9156
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8220
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        314⤵
        Drops file in System32 directory
        
        PID:8312
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8440
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8572
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        317⤵
        Drops file in System32 directory
        
        PID:8728
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        318⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        319⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        320⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:9196
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        322⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:8532
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:8752
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        325⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        326⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8296
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        328⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        329⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:9152
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        331⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        332⤵
        System Location Discovery: System Language Discovery
        
        PID:9040
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        333⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8272
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        335⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        336⤵
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        337⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        338⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9340
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        340⤵
        Modifies registry class
        
        PID:9384
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        341⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9428
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        342⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9516
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9560
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        345⤵
        Drops file in System32 directory
        
        PID:9604
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        346⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        347⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9736
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        349⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        350⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:9868
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        352⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        353⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:10000
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        355⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        356⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        357⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10132
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        358⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        359⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        360⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9264
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        361⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        362⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        363⤵
        Modifies registry class
        
        PID:9468
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:9540
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9600
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        366⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9744
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9812
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        369⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9880
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9948
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        371⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        372⤵
        Drops file in System32 directory
        
        PID:10084
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        373⤵
        Drops file in System32 directory
        
        PID:10160
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        374⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10228
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        375⤵
        Modifies registry class
        
        PID:9292
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        376⤵
        Drops file in System32 directory
        
        PID:9440
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        377⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        378⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        379⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        380⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        381⤵
        System Location Discovery: System Language Discovery
        
        PID:9964
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        382⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        383⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        384⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        385⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        386⤵
        Modifies registry class
        
        PID:9616
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        387⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9764
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        388⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        389⤵
        Drops file in System32 directory
        
        PID:10056
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        390⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10188
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        391⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9368
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        392⤵
        Drops file in System32 directory
        
        PID:9588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        393⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        394⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        395⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        396⤵
        Drops file in System32 directory
        
        PID:9724
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        397⤵
        Drops file in System32 directory
        
        PID:10216
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        398⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        399⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        400⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        401⤵
        Drops file in System32 directory
        
        PID:10272
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        402⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:10308
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        403⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:10380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        405⤵
        Drops file in System32 directory
        
        PID:10416
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        406⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        407⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        408⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10524
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        409⤵
        Modifies registry class
        
        PID:10560
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        410⤵
        Modifies registry class
        
        PID:10596
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        411⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        412⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        413⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10704
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        414⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        415⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10776
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        416⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        417⤵
        Modifies registry class
        
        PID:10848
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        418⤵
        System Location Discovery: System Language Discovery
        
        PID:10884
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        419⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        420⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10956
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        421⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        422⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11028 -s 244
        423⤵
        Program crash
        
        PID:11108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 11028 -ip 11028
1⤵
PID:11080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
336KB

MD5
675ec66cda995aab8d3ef24541bac008

SHA1
e181136e311e69bc4d622a3b8de035bd4f29aea3

SHA256
3fc99a67b5c27b18d6d252ae5fe6735fd0c15c0d7daa0b79ae8075660aacf09d

SHA512
a428ec5b9429400183bf7b2d006093eb873eaea515049ec7686bf5a9d7efba6020580b91e2a0756b97b4cbfce51837bb445920aba1d5f9a31933c10aefb4c989

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
336KB

MD5
d21376b7ba3f7751232303ce3de00226

SHA1
d4c86af63cedb4eddd0fc3f4cf2f5429c12096fc

SHA256
cf03f570e52d654e3c921e12c814281430801025d74f34f546bd64561b66c7f5

SHA512
e2df32837de81d253c9801ed4af734537671858ad662ab1558401e57d2551a7bf638c05b796044cbccf88d3076ba43151b23f56c6a8bb1dc3090f319852a583e

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
336KB

MD5
48d01d934e494e39b6b7f15d52612bcc

SHA1
6a3444eae1f52b6ac1aba9a55f569709fba86243

SHA256
ade44cdfa5d007f2b5eb50d7f4f75ecb4224e658d16f6a7fabd5669627f77f65

SHA512
7795c80436733c913e4922962b39602fc1427505f8553d0a476de4a7d34acbb7fd792c8e1b34a1ec0d573b2425546f048089337719637e67793669b0fb80945e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
336KB

MD5
ec41161808912ef70a0fafdcab644a4b

SHA1
dc6005d46fed0c3351098a6b0b102ae763271b4a

SHA256
018c177f9af4a722d9727909cbf698f7b821c2abcdca944e846323d285efbdc0

SHA512
d4c9b9af00936e0308819dcbcc5b058b2dd853eef031ae9f6cadd6af442db5122848a17933e7e01a7a165f11bc0cf5f750c3f87e637532a44d063ad308f945d0

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
336KB

MD5
04599a4a05f5425a43ef122e7774e127

SHA1
31eeeaa015247f2f5687d87e0c59233f30e86f75

SHA256
9fcf650c9be280dc05b99cefe1612020240172f6d6ed3b901461ec003a4e170f

SHA512
b7e72b216f93cb887ea3287c44378b665f4461a0bdcf8562b6fa42478da9cd2ca0efb31c53413c5af5850df18bcadfb67c70b25f17d294146461ace2c1d5a016

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
336KB

MD5
d4a19eb5eaa8ff95aa667e4c5dda9eb1

SHA1
9951b0e1b78b047c67b7720e0022cd1b8c0d229d

SHA256
25f651e30633a180219ca1a201cc247576c5d28781bdc7d1a0f64c57a4b472b0

SHA512
688d4dbd4f3da95433f9caf5c94ae36be732896146eac2ea1af1dfbf8ab94f148b5964f118e6469b1479464b2cf2717b811339afa99e268e3c313d88f18a868c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
336KB

MD5
a8750cf83c96a9662424bf77f016b703

SHA1
284b772b12ece3d27a9e32faa52db22d3176f297

SHA256
eab34c1116abc72da4987b57e12f6346c0bd1f0522282dfd49cd632b3adf6adc

SHA512
8f58d6368b55c229c63a8393e6f7d79715d6c2cda5a0e63b1529a7d271f7bbab3de66714e6e5568c2654e07242199690a0993c21eb742a75a7bf63181477add1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
336KB

MD5
78d03f2052478227a603f4282093bbe2

SHA1
3d5f1dfe6c313f5d814a21a3d6803dc7ebca0969

SHA256
0869b2e20eb3f3f7a5ab0c86dcebfef1dd1443e6943fd7f5eb1684567d180246

SHA512
b939357d3868189b80b9216005f73ecd1199c74138c864bd4e4ea9808584ed83c0802ae7d7396a1cca7d02424f0ad1cddb48b408855216eee51b7abe17343ee9

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
336KB

MD5
26b0c69306d68eb7242a30eca49812a4

SHA1
08b6128454a68ce2c574e2cff23a29bf9281b83c

SHA256
e3f293e70c59e38070af90a39f125ce2b70cc91bd025f7c88d8bfc8079f6df2c

SHA512
cfb74fd9bdda53ed8a8595d6ced373508a698c1cfb8a13e2544d219ebb0cfa8db726d0f41d4dec3077fecdd9bc9a9bd720aad88219ac1f4479bb3bd585f5fbf9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
336KB

MD5
d8d58f24655b8808e73c2852c9e41fe5

SHA1
d1979dd2e71e997f42225af5a4bca8f95baeab7a

SHA256
a6654291f54d55ff9b4d2cb8dcd79ff59aaece32c57df2425f603f266282edbd

SHA512
fcca4acb4a01921e31a3faee8b2a4a3f353d765a2de20a29ca0e5ba4575b9a988e7cc48af8e94967484c8f643d186aa7d0dacc897950ab3146278e99987e79c3

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
336KB

MD5
c43da0d7c11c52726d1747b57e80e868

SHA1
bd9be82555de993ad52fd65a442781fbfb0bb40f

SHA256
1d05b3cfc77e3091b5624b5487cf1a907cddd6c31f38fdd3e1320671fc861213

SHA512
af225f23cd6d0199740fb0aa174b1c257d311dad06dac15ff3de8a57b3cc89cee98233ec4a4e7bd02f709b7b4e98603f620875de4c6b107e972b2df3cb261d0b

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
336KB

MD5
23ee4628ca6a26771200e411f47ebc43

SHA1
f9d6dd6ab5904c714abbbe7b75e63d7fe7c65b02

SHA256
eee5a3e24711572c36eeeb1d0cfff49564918a471d42c8dfe43bbc6db59b3c3f

SHA512
0dd20c02cd3e66df2b449cd4618ed8e7e35c4bd760d2409a3531dcb4fc18c48552c3a5de48d936ad3a6e10efc62462c1a2adde4cf9557eb3186d01d012dcd388

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
336KB

MD5
e1125735905048eee7708713ce2310ab

SHA1
e3aa2eebcc6033f2a8cdfc322d8f295d13ad3ed7

SHA256
3c7d2f6e0934da9f6e75251ecfdbe3335cc8a0671e7fd9eba51ab68c2e1c7aaf

SHA512
39b0137b988f311af4ce8c0da53ebe7f1c820719fc213630c357241fc24aee6e649f855511189674d4e1ed8dbef4ee3125c2bd0fed3e5c9b9d15a1ca82a2dde9

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
336KB

MD5
b0fab84cfb96854435766272a43e9c7c

SHA1
abcc3a8f92a3a5ee449f06f6f77b926119334a80

SHA256
577e3101cc178f2b360db45e53c173308d0c5198860c538f0f2f04d3259d1f29

SHA512
be0167ecf6043c77d5b856bfdb07c29a1f814852eb2d2bc9fc6fefa6528cff46cbf547e410a477dfae556ebaeeedee8aba00f19e2f4602a525d9bf51437a3b78

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
336KB

MD5
86f0c7784f51059a7741ffe7e77134bd

SHA1
30a83a9d99777f8bec8fed19a2d9d0e74d1c6518

SHA256
7a0b1b9a086739b9cb855cd2af23bea380733e4fcfa3e5cad558270ce8ca6a24

SHA512
7245fa331e83ad637236099d38cd33165dc727625146b0a490742c47fc5cc7a94ed085479eafc4f6a62b88e2098ad9e675d00d0d364cb66a92e31affa8321426

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
336KB

MD5
2e8bd202d434a698e0a8a35539f49f59

SHA1
675eb4fc059527bc26715052e8cf3916bd805269

SHA256
ad5abc5afc2edb63901afc3f753d791dc96f709ba223157b73422dadc8a80f9c

SHA512
fb36d0deb50811baf19fb9a12e59c27e019675680acc35e68a7d4d293436fa0e27fba22349d44256df317b2d351a88944f8a24fd674f8ce86d09b93b4b1fd7c0

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
336KB

MD5
bb3ddbc2b5513cf74e3a4c2f9ae0adb2

SHA1
19b3dc9d6805ebe4b20be1e2e4316cb95ced709c

SHA256
94eed1149baebeb4d5907ce3eecd184fafee46a9e6a2aab874fc3c326905743f

SHA512
8a0834b7e1865cfa0443d47fa31e0b6ea2e20560b9161ec9d0ead074f1dabbd021c5d0837c82fc367bca57a4cb9f64cb5b2a64a0bbc339d9024d4a14d8c27446

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
336KB

MD5
bb38e756cea75541e1a88815ec20cc47

SHA1
ea31078db34c2c19a8eb8c7d3f126f598b0e980b

SHA256
500667fa5301a62a7e983b752dd707bb549a319c45b9c69fcf77487c6ca836b9

SHA512
9a64e42cfa5318b53255857472d60f6f9e50a4b1915abe41eada271bbc2c3e34a73761ec9be37b37d5da996f2252e20087acb259888a60e4f10e7b09bea2cc00

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
336KB

MD5
42de11e7086f5101de5c97c7f1ee5ae8

SHA1
151d51e16e2c9008cf6ee471a4fbb55550821e3d

SHA256
7652ccca3ec4a40a0ff95c795f1706a11716698529f2e3e55b516b1bfde5ca0c

SHA512
3c5313bd232d726d209c80050cb92fd0a5f903e149b676cdc2567ef8782018152ad2b61d290628d9760d3bc642f8486e7614ecd23179430a3dcc450f5812328e

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
336KB

MD5
f9c5c144207eba7d126877e52e00e488

SHA1
6587a8a8d3d677b5536dd8c1a0bd2b6d56b11b84

SHA256
97f9e9ed16e6591661da6ac26137e868119c886f5dcd10791f551a57f5f8b44a

SHA512
c43c7b167c317006e53aa1f918b167d12ee676004db8bc3f0f9f5515e7f6318c08b137818fb04d4d099a425496fb8f63afe6477866bae6fa0c9665b819229652

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
336KB

MD5
ccc1ffd26f7bce839beed17c7b80544c

SHA1
02f5f8a8a8dd8fb4aa13f185486fe217667a3207

SHA256
54dee8eeadf75d6d75dc1da55a9f57bfaabf31bfa4b0394e6e6084c713a0e179

SHA512
1c369c816352b94d17566eacb0c527243916d8a1292902496edf3467086038f4067129bc0c5dbcd8736a17dd36689151c20dfb0be70d6196c4a8e1e08fbbd404

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
336KB

MD5
82d3f381a53f1f6b826891a8aa4cd32d

SHA1
1d248a4fd8749f6294e277d8a9dfceb6323ee91f

SHA256
53675df21df837fe84312ec62eb0908843236e9f8238ee1cf39a6ae44f38c23f

SHA512
70bc735fc6f190edfcc7f3a3876c2113b326ef067c7a8d6685b7b5df7beacc8b327a93b40159d35eef17a78e61f022ba43906e550faaac477d84ee5855b6d4e5

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
336KB

MD5
62ea0dc2344048c964782282724e8f77

SHA1
5a5e06c94c4a6bf6ef699e2e14c29bbed18d6967

SHA256
e842564f1576f3b2f3d140ce89606c102d6bffbc27796474e8752ea46416aad4

SHA512
cf97a2e487ac1bf21e98f3de2a338f0f8e923d2a091e5ba01efa37a84ec851245231ab91cda825eb2d3589b6739462f5c165c9a96cc5ec1d710e8086589962df

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
336KB

MD5
f55eef8e6e3bf7bfb54ee8356388ba64

SHA1
9b08c740e216ca469798b5f8c9503ae7879ce1d6

SHA256
841b6cadecdd6a5d076a56bf600a4bfa65e47bfed9d482e1977125ec7e65300c

SHA512
1f6eea02da40fea3fed8bb7e607408e865ed055caf754db0fc6dd033aef1f31def8768af8b4bf9a6d5df748ff4b9c020cad859b2a90669fbd8e28fa5cbf23f4e

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
336KB

MD5
f339ef4157b6f94ec720da77d0618561

SHA1
8cfbe0bf7da2c7f6ebfef7a52062eb965c97d3cb

SHA256
31be697e5e0b5907ca035aa99847a1c928fffa6a529cceb20be9fa9a2649a026

SHA512
9eb99fd2c9394028e6a0f6804e24769310d5017e907585f544ba28d83bcf2154d87e81fe85279e5db588ca5fccf8259dd4141de5ecc932af99b237817e61f64b

Download Submit
C:\Windows\SysWOW64\Fkmchi32.exe

Filesize
336KB

MD5
cb06dd61448e7f4bd74a0d4a3bd4a9a6

SHA1
1c7158a2e19f25d52c9c4fbe732075233b5cef68

SHA256
af21eee12265a70e2233600a38383ffe925d777c1a7e7724515c3126cc3b11c7

SHA512
5d1486e75bb5143412b988b97f032d63b07d07e233c72632b57b6fc5b4634f4bee3270bf0a689f223385bf1cc7114d4a3b8149fbe4b59513a900d10b4464a936

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
336KB

MD5
09273144b1a14599d4e9544a398ad2ff

SHA1
a74d500d09069d50061ef76ec18cbcb5498569de

SHA256
2a83cf6e4842a9f7619f2f2c96e405b061ca4cc1f71ebe1570d2b6a3a66ca9fc

SHA512
32749d43def343a9d204ddeeeb54621f9b45257ed8bb60a7758117212b4a8a44135f30f3d8a9f6b682d0f1d915c5cac8188ae89a207a78b9274f2ad66bb30023

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
336KB

MD5
18595ce78ee8281e61fc72b1876f4fae

SHA1
dfe240709f1e9d85d30d68370b47d909b13e446f

SHA256
cf9ad092730dc4dbbb22dc01f78920ec825116825281c9f1072ced69702e92de

SHA512
c7b2e056919cce92b6bdef91c02a525836eb801a3ee88f371ebe642694111662d049caed50091192ca77209cedb4b2fc68aa4d452a794b36b6fcfcb99e21c95f

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
336KB

MD5
420dbbb7ee297a58f377405bd9917c04

SHA1
94f8d24aa8f390c8979bd5de1d17e787479ad153

SHA256
643f79c968a03a124d4d762ff75430f30afe0e807a58121ed0a1c48bd4bbda5e

SHA512
a04a1f23fd993045d20be75fba08acf7178e61aceef5272ba96bc83f9ae356083bfabbecd55ef76c92c43eefe5f42abbc2ff463cc2684a400ef57595af63f15a

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
336KB

MD5
5a0ba68b7db98874082ef263ad31bd6c

SHA1
7b41a0fa73f8d9e98530482c872bc47a1738c02b

SHA256
6fe19a6c63b0b4d0155543da10f838229ead861234f1e1412fd88a3b7edf20ef

SHA512
bea185fab1c3bc809f548d3666682ed5ce3be3f0495154bacc62e032dff9161cf2501d6af978f30237892f773b05e6ee13dffc5973650af52b5272d831e8b33e

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
336KB

MD5
d6a5a083d39aaf3c11f5027dc2cb4444

SHA1
c304013358b018a055c9cf6b9462ca1b01f527a3

SHA256
ace83fd0edc29d7e298b79862e5715dd63a0131974da0f16b4329f3aba8aea77

SHA512
498ffa8449bb02354655672c7427229249ef692c545d99e060b854b84a5fe6676b93d5692da86ec15144ae89520031ccee4c7319928bbc9558c6d1bed9fefe30

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
336KB

MD5
cf0a2e5e4b558d86e64b4096952bf7ff

SHA1
ac0a70e31fb18e1d4145245186a39b8b22b6d31a

SHA256
453877c228931d8f756d883ad5e195274d2d034610e00c6b6e163df908eae4b3

SHA512
b4ac149b4a9a157d0e7b24674b0e24ec8342d3f74d0db8e37b2f69b029d2166a6b632a82f09a06f663d10795c5a304a34321185520d5a3c8c06788a6274a41e5

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
336KB

MD5
271bad9468066f5a7296626055006f04

SHA1
a3ee7245e4eeb20569e9aee5584a2292f991b6d5

SHA256
8cd5b5a0f27a71e8ea2f1be2868301ed4bc545d850491eb821389e5aadd680af

SHA512
87bd8a24801d638ee1681241f7f539aa37c275885f9f0280b0b27295246ae61fdba7c75b9de3145b605061741205d1890444c8ded6ac4a64ceb17cd558ae1d55

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
336KB

MD5
1a98425812c9e81fbd5d065591b16419

SHA1
b07d936bbf52690e5bc206b95eaa0424d40fdd6a

SHA256
ff3d4306358375de6099a0787b61e52c01fb0cfc8df68373880c1572ae140dfc

SHA512
69423c15cb488640b9fadf0050d5bfaf4526dd68ad46db1fb54acdd33ff38aaa614d50cb29e99af58e4e3009ff6076f18516312ea5b81a4cc186d32a6b555e03

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
336KB

MD5
c5d5ba28ea446b53ad94b673ecd7eddb

SHA1
b723d4d5ae21669d1dcd818ec2d93871905f8a8b

SHA256
7da1efe752e57152b4b4cbf93567f5c156b63a08a82a1fe72dc031f12572b8c7

SHA512
2fd05c1ad164d5a3d79e10d9919f5bca7624aa8bfdf127b591a9ce9f400c66a4734d62ea0a4bc336c3f62582c5809cbb6c2570ff9d09cfdf343594a1cb3489ac

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
336KB

MD5
3a8ae05ec928355bb72319d358f7a376

SHA1
bde81336c02fa35dc201a2773f92d0febfdf89f1

SHA256
b827451f0a9f5b7b9f11aa3bbb46d9d7335ad9301e6b98899052236a8fdd6e7f

SHA512
a5554e09244e038b46c7bb88012133e792a2179d01700bc4c9eb7e6aa9a4bd677589e109826f5366383679944f6ff8ddb7ac615590e8e427731ca4ee10e4f56f

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
336KB

MD5
d274d0ba2fe65e25bf7fe87ed381aa42

SHA1
140458cc1a0cd019bc9317e9429e5b22240df3a5

SHA256
cbb5e81d4fe63576a943da0e0a2ec429812a8d71149791c1e30fc84870fb8ab9

SHA512
eb3509ed336b0ea34c1fda3c73d80ee77f52a4ccec9c601cca2291923dfb96e5717097909699414732dba2f48585c46c85aaf5c4e938bf4f871c122a0399c2c8

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
336KB

MD5
07cf96f5a4190a4c710b3a0b6f9ba6d0

SHA1
d3c09d209bde3435ca6c7ea17c0a95725bbb97b8

SHA256
625bf7f8f80441b09db4e87fd33b51a30cb2e804f46d45276f687ab918da6fce

SHA512
f41d7f5c2306bec9abb4157b916836be77448d60dbffd2b1a9692bdcbd45ac2bef5ac9239825b1b91a9fc7f685e90f6703cae97e043b0de22afba3a8318a70fb

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
336KB

MD5
c3d16c4e564fac9f5f8ab06c3e6cd713

SHA1
edb4c6dd1d0877af7bc6cffe37aeb84ec39e2e08

SHA256
b55a1feaff5930d30403a3a134f882367cf0b31ce2ce53baf2bb9d4c5f93e02d

SHA512
655b84d62be7b491640bbeed3e6157dac6873255e46cea39598692052292b4c5d2d7142ac90418c2b5a63dc3ddefd264c1ac4d3dedd4e67105d4412a48c1f63e

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
336KB

MD5
69558c8fa0592ac8d5ec195c64851dcb

SHA1
993c6e3c96e1c0c6ede803029eca29a4f1cecc2c

SHA256
f613fc78f7bb70d14572a48070f6ebc8940dc92734416be7bebeb39b59d2bec2

SHA512
abd9b4ba9bef5d1aed352c65422fdd24098432a05d8aadd5c6c9e3157cadba014d2bd5ec7a35451a06bdca0bb046ed15fe8f9b31254ebb844d994ead6308f3ed

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
336KB

MD5
37109d38c2e5c484c68bf3e34970da12

SHA1
d8fcc8607056c2acd65a55085d4e09748122be37

SHA256
35ca4b48c7a784d0f41984d744977afd8d25b6d4d9d5bddda7234fedd135e2b7

SHA512
a0bbfcd2af09ce37797ce1e3bdec975cbc35d501773e87065907c18e453ed117f7c411ea4c986ff62318468ed7fe03b658677d79776b8c241c421e0a0c0a4b3c

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
336KB

MD5
8ad1bf0ccd36c54c5caa2c21feb6bf5b

SHA1
2156677c01ad4355a215c9ab9406212f6abc7dde

SHA256
92f2e28595b94d93a489e17a920da3d7bfffe2e2fb339ad2326ac565317191c7

SHA512
73ae9ddf1b503e82816c8895e175cc2e683e06928341818e345ad2a0b427a2a7579feb0dcb8fe2f8a03585a060e8059f492c81144afd35fcd85c798b8c583bf1

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
336KB

MD5
d0bf6c2ddbd3f0882f79d45f1bf17571

SHA1
e999712da9a8ab5f10febccf0431dc53b392c24a

SHA256
7af951b0f5e5d0f273ab9fe6df464ea69d6cc6a75e90566b1ee34e1cec9e2479

SHA512
2da647003e4fa1494b2a392724fc2eda54219f583da26f7898c391249329f06491d665784edf5b3230b3c2ac1a9261aa18e5503f2088ff651d842c159a8bcbcd

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
336KB

MD5
d64728fd2d5e1abc6fe554bbd1b68621

SHA1
e2642e76528a91c54e98957a9cfbc76023a5234d

SHA256
75a4c96d218607f8e6f4eefe42ea78cccde990a1e843a2b64e297d3453e960d8

SHA512
5a610cb9ad3a026a13407dab1f2e3225137cfc7b3985cfb660661707d3a0317c442a63beea8a2677fd73a748813c1860763390904f3cd660beb5a4eb893e5dbd

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
336KB

MD5
4569e389101ca78d854f5f8014ddda9a

SHA1
53afb96ec54432b9f541d0570d188d2aa68b32c7

SHA256
1004c1a0116155bcdb7f378d7bb9b5edfa7fc7947b7528a7fb9c5833a57e5647

SHA512
88ce82631ca6799d4ff946ae0df8bcf2a00e850f00667ae6eb25f04cacee7e80fa78d603c2cf98dc0eaac4ee07c5cf086248114a67c717457c6dffab89f8d903

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
336KB

MD5
d12fe5230b321b190fff145bf8d6b425

SHA1
52c9e8a6c78b76c8a2f40f234c8e205c67a0df63

SHA256
4281fa99c92c4da404a885e0413298472cac2b25a9ce1bef8e87457a5dfdd070

SHA512
9edbba086070a037ad2932d7046567da0e5a00c27313bb37624752eed784bd2a019c444fea6448168206718dbb665fc44b460fb2150e63c360d84a10891c35d0

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
336KB

MD5
78a8378bf846d7fa7ca1ce7316bc169b

SHA1
d27fe493c2150b5ea75420893d6bf1027aa466a3

SHA256
95755a4c1300526be06c9ae0f973fbda0e62b7badc10f492d30328e4f4a18371

SHA512
2f02aaf74847f704f16d55567174ca9e35d10c771155d86d2b9012a32b7d7f973272db3946c14b3292fb9720db8929138295b6a91e46a2c39ef0dc04fdafb1b6

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
336KB

MD5
a357e2e4881adad8a92f370d93eb4b05

SHA1
a3ef79e04fcbdda3b3220dc1c8210948617d1496

SHA256
48f2a8fb1cb4e9abf931649ee47ab69fea8c83ddc5acdef660a0340a4ae20ec3

SHA512
8650fdded9e9e4f89b36bf95c52cdd4bb14159b1184e4b9afaabbd7b5ec18ad849bc2eff8fffa65927636333ac93fa4bdba208203ba81b867b74c23563f668bd

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
336KB

MD5
38a2298f8553cd8674dde2913366445f

SHA1
b71902e8582df0af62a49440afe97f671ad8ba0a

SHA256
fd8f7d0c826ef042bb618d96bc0af3dd7d0de4d95917fdf320ce52b8c8bc3d39

SHA512
66d573b962d215cbfcf04ea2ad5eabdf8e3e02a6fec0bfff55c3e3617fca325bd9ea16ca63532691db0309895202c14f0241bc2881424aca2e4a9f24be3f9750

Download Submit
C:\Windows\SysWOW64\Ijmanlfp.dll

Filesize
7KB

MD5
c57e0ce12ee710c1e7a13228d9f79ec3

SHA1
856d8f93d90e8b87e0605561868136407cebc6a6

SHA256
a7f156a0474e788032e578eef7726f27807acdc34a029b4450e9524c2e6f428d

SHA512
ee165229f3dea6df6b200dd14686c0265a4c307c59b6c26e8efe61793b0d33f8f786d88f93c39c5919ff6eaa63199de78a66622906510bfe103d47b0baf3a448

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
336KB

MD5
fc1fac97876f124ef0563047aa75dbe1

SHA1
14b060ee57a9559e25381ef8720b8a92eeeaf0bf

SHA256
a79c7db3b4e412a96132da0dff58497fa98347b89b6b51daea13d4f2ace02c9a

SHA512
402ac8e01fe49d7e4f3dcb6975c7be2851ea1659bb7e5ae88960d5c626004af003d95880dee572b79766a1b54acf2b679008152aaec492849597a6a0283b2b95

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
336KB

MD5
7f18270730e029f2b48c25f64ed6a922

SHA1
6556085224848df37ff00b54eb7586f6374838bb

SHA256
39cace9e12a21087eccb86f178c69d547e0eb828cf7a5abd1ddb7ec96b2157b3

SHA512
7bde3be0e3920a488d6385d8627f3512a41f4b0fd3b5ef761cdabe29a4686036cc6b67af2344cb226f755d4f0850021f1f109f4db95bda6be479f392eb960119

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
336KB

MD5
4ded83eddd60cf6c2391795360331ef8

SHA1
8b74cf8a9959177b98e455537982f5885a487eec

SHA256
235406352fd329dd7d1dd74600aea02cc9523699f2f95008e71f0f91350d3394

SHA512
c90cbd86e22e8cd025c299149ac6328575f8122c2f7e96da5fe265d02ef3c1add5b203775227ecd81da6cffb765e22d915e7fa61b869372b0f4ba08e092ca361

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
336KB

MD5
65dcf059b72d8296bcebf66bd9e36614

SHA1
16ea582a37eaf7f7bd55b41e690a8df961ab9333

SHA256
cd8e61b1f5fa0dd411d3e1f667701c70a7f548d353ef7e29f9ab25df369e3a57

SHA512
55cf681d2b8a3d2df14ee505f42357c3e7760ba4907e33d63d874888e9c1a79827ce2959a51aff5c8c87cd35d828a8edc3b75689221abd65b76a21e1cf30a1a8

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
336KB

MD5
b0cc074a16f4fb18705d4566ba01a1f2

SHA1
a666416bf9c946a2e684be24b21192c36a4ebf7c

SHA256
003b27eaa206b13290e1e479a26c63fb0cde22c0575102bd60d3be8eac64806b

SHA512
9283eda34e836c0de197cdb322d7f0f31084a2041d0ed4db5de0463b289173f6a72a940bdc226316737f3226c03c1ee4ac887770de01969334c916cd6f842bd3

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
336KB

MD5
a2acff2beed137de5479c4d61925ebe9

SHA1
31d71e11f41f1b7d515ffdbc5c2c4fe668b7330a

SHA256
8f6b3292c6e359a6423bf06de034364dd0c55c79aacb2fa03e1562b0e4409a34

SHA512
d60c85b4de742d237c90cf2c31713259137cf4436ecb2657c31cea8a74a53a8a473da253b9bec34e41db849086d92f45e93580e8308291b8b1271da589aaa088

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
336KB

MD5
7148c75bb10983dcc50ba60cb565ff51

SHA1
ea67fadf50026770e7c0b93f5c6aa51c2b043b7b

SHA256
a3dcb3e977685f09815995995558810bd3f4f4cdd8ab9c00493b210c1497f73c

SHA512
d1441d3c1cbf7b41d66d92eb1ccfeb4e3fda1d7c1d8e589a70ce4f70aa5dfd08c12816d8c84209fd784e8af714ba34037843854defddaa8dae6f2364e7896d88

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
336KB

MD5
474efef576874d3d70dc2aea606504b7

SHA1
842b28f61d7622aab614fbd2674aebbed1139737

SHA256
6173b284f10ae6a29b82e4bcf6eb21a34c4dc779a4fd67bd15fd909f5523cad4

SHA512
ac17f8c611c2eb5ee9741ca9d0351384df58c42d2550ccd47025d8687960869e0809600bb62a8ced08d8c792b68f3cfa93d1a204f7a124db9039123a0f09e51a

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
336KB

MD5
59bd06871afd4a46d81dd0aa97fd49d2

SHA1
bb9051d1004acfc82c689c4970ecb73e27996b16

SHA256
73352a88ce976b9f0d9e3f78d750557e647cfd5068519ee8a70da649a93d26ed

SHA512
3ece2002fb459797425bd206aa60f8ce5329365120b6398dfd89715358048b49b4d7feb804199af7737aa150ddb2ff8cb84b3445b7c0965db182d57e12bf185f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
336KB

MD5
88a5df9b863e46421656521b6b6963e4

SHA1
a6bf060094c90e69447680150a205b0e252994f3

SHA256
cc898ff7c0393c9ef7fdb0d4d3fdc600c871fcb681316e838c78952ec4675e11

SHA512
8b52770384bb69280306687053bb3a3bfcd1d2dfcd8efd31d975989ed57bbe783b9f01ece5b70a9157a8f5c0706fd32972fa45518e832d9682cbf8a879fdcd5f

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
336KB

MD5
cf37e3d2d458308bc7cec93b45643177

SHA1
bbb4b4aaa6bacd414bfdbf6953586d6de0757ae2

SHA256
4216f806450f5ea84ad839312d91a4b2e126c3ba2aa7005075df5a76f686802c

SHA512
b6997d4223bb2de36b36a2f8454dba3d339c44b5b9c16a61b08da1f48003ec69709ab8d75b70a63fad100cd594dc62a67cf021832b8f6668efb5264af8fc4f3b

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
336KB

MD5
3e032cac3d16837a9bb9ee98a886c3c4

SHA1
5e781b8c62c35e4a9f84eb684885e464ada125fc

SHA256
1826a004efc186b7190c4351e37e001743ffe72168fc60ab4fdf1d6f6bd1d63c

SHA512
52b6bc7c4f679876ff0e6614cd493f17e25c828e2ec1d52384416e4bcf4465c6022a17818b3c59ae158d713ae8115179ea9dc74f34274f82d8edafd61ba4f1ee

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
336KB

MD5
780d8e398d732e8ffebfebf21ebce6ad

SHA1
db1f87ac3248658d515223771a86411974dbc390

SHA256
a3f73e3e9b4b3d5bdbf219d772ff5e27f0c1d55afc7d3fe8bc08cf00f0553353

SHA512
fe5e97ae2df631492ccf78f4a0ebcd0012d0634d4348b8da2c1beb3d49016e72101bdfe3a81c2b554338b57213aaf1e6d89b3f203ee43c5563cf3aa3bb8bf63a

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
336KB

MD5
7494003d62ba70b54dcdcea90ce38957

SHA1
e4b0574249cb04aa6d80408db73d19d55529f5c4

SHA256
b69c3dd9e5b3f2cb290384e9ab32e36cb414ba1febe903aa9f04a448aa0276c2

SHA512
2b6ed7097e3932fe1bf8662e2f9d317480367f88adf2a25ec99ff647190a07f974bfeb3def54c19561ec025fda7468fdc969e445945c7222c9a5c4c47ae30b1e

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
336KB

MD5
5e28dba2716810ed98cefc4b88aa997c

SHA1
5ef5b2d97d8ee946cd1d596bb348322c77010116

SHA256
e2dc6a43e72bfab1e946aa032472fd427ea0a425ed5a74a649cb530813822c54

SHA512
39d85bfc492728b3e9c40a831db5cc80863e0e616f634b076fb3a94a8b28293114b948d0dab2962b7dd3de54b184e805a2232040972483bde0b9dd57291ccf75

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
336KB

MD5
29edf6014c198b4659a028696e505a95

SHA1
4fd9442c2ae3157ed6e2c26fd4cf89bb2446f8ef

SHA256
d80df61d48d818fd2d0c3b74480375be125a9d58bbd234996f23bad4b65656c3

SHA512
8d7f6bbde4450b750349b36081235f06c4f255869ba710b1a8fcd4693a31ca7491d03f5920630b448f69f1ed2a0adeee349c102a880580afd8bf192cbbead697

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
336KB

MD5
0c1118fa27f471e7b6453e98408191f6

SHA1
54f27956ff5464100568316e274fa7c707efa70d

SHA256
94907079c73ea27425263103c883b923b4c368466e5564c4922550cf4a34581c

SHA512
140a4737caf6952b73b1e2dc8967464f84b5306d40a2240cecd281cba2208f99874b39dac6cbd7342eaa85f2906369b112b19c96012f8a8824ce905a5566d97a

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
336KB

MD5
38fbd9204dfe09600796c4e69844da9c

SHA1
9b329ea1d40900ef812e023f74323b9d88856aea

SHA256
20026e600defe387a6ca95a229139a398ce9b965c27417b5b00ff47e08b7d0a1

SHA512
af4ebd60763e303af66b4ab105f6102a61619102b82a43084e23af2d07ac83d61822f6a646990382e88b8c202598cf8451fb4de1286ca6e1693b03d813492c14

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
336KB

MD5
753c3a2827f2a9e2d26c34b537aff254

SHA1
a2d9d24eb0d5a0e31a774a83047146c7954190aa

SHA256
7cd1a1197cf24b0ce5301ab5af7c72c993b23156db4f85fc7f27d856842ff558

SHA512
82755480cd961bdb82804416ba6797cb4ea4e34475026fc119df7ef265ab79122fc45c919d5d626bccdd44f85b49da336792569a68217c9000b1d67e7d9deb89

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
336KB

MD5
dc9869b66c845061b78b60dc6e2f1f1f

SHA1
f2b0dac16d8e98c7437e83fb3bcf97cd4581cc82

SHA256
0d8fddb0e40b56774408e930b9895b907a8667cf7f972bcc781f2117302eea4c

SHA512
79a5d9469f071a652b4cd1421eb3f771efd476c80b6b38a8b09507234898d293c8b9e34baf668af2d4247482cb928bf2f77839342e3843bd20a69566c27a4c9d

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
336KB

MD5
a09fe7f68fbb1dad9b8c608bb56143fd

SHA1
4e9dfab7003a616c7decee278d40e328784d88d1

SHA256
7f6b634db18a552d5b6fe6de64476ec543fab09cd6e2b7452fcd394b59966f4a

SHA512
6fded8506282a3dad6fd97238fc3224d14c2b77ed1ee7e1293511b802c3b743fe49b3c29395298eabf1db23f3eaeceb6d59fa972883c39efc1ef40c828d2772b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
336KB

MD5
119520a3e73ebe00117fbe5bd77c3c98

SHA1
0c489e52b8ec0b5b0f7a59a435756d94889e4367

SHA256
fcb88b6e83312ab6001f5328c4cccbc755c8c6526b08f3de980ba065f41a6996

SHA512
77bbfe6f3dc077434e3c507101aff08b2effe6f56f2e55f5edc2c47b5f03e66767edd7545b962002f94b8c110a407f3ea286b917bd128042163ea3c73c766755

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
336KB

MD5
698cf1f6a621e869cc83e0b3bf54d21c

SHA1
18a7c424ba7748a2cf5986fd7a2727e351dc8ee0

SHA256
0c4f2868fa7a545e7b9b053669ae46a4310aff2cd337b6db966a620bd6d768cf

SHA512
cef5a7d35aa895e832fe1b09a3f43c56f82bfa9fbd936e99899db820dd26d8dfda1cc3aa49b3e79c292c88e69afa51dfa77f18bf8990becebb8ce579492590d5

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
336KB

MD5
04a34d1dd63e22a6f09ef0e2e62f6c48

SHA1
f98926897d3f00ffe654a848f341577a5a0488b9

SHA256
c545536e0cc5d37dbf7ec7e5af0163d901613abc0c50f43352c4d4827844800c

SHA512
deee147ed8f8f51a2ef6be28630eec8bf485eb4f9edf6ad9842983598153fc3f6ccb4ebf27a4636d785521e0a98057abae0a99607c06b57dbc9834a0be514b8c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
336KB

MD5
214d624b785a7028167312d19aa5c58c

SHA1
1ff4fd3bd4ac39493c8df7175382c8965cb625c0

SHA256
a1d48694419d4291bd0d1a517579619bc173401172f30061becb5eef93d95470

SHA512
fc885120f706f926274ce08d66a8bdde833eb06efd48a826cb564fef441e6674ec38665b27b9e34cae2e1f2f8b4f2c1ae1dc42f6b559a556372d1fe7905adeb3

Download Submit
memory/536-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1520-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-603-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2068-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3128-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3264-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3312-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4020-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4688-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5140-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5180-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5224-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5272-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5316-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5360-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads