07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe
Size

96KB
MD5

59075d69773be830d6763808ecb67a6e
SHA1

4ae23f80e6bd3b9008a5054ebea0f5c4d0ba087c
SHA256

07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2
SHA512

237a4af7fda46345106ae5382f0d2e14c8c87fa6cfee9d0c3e270b843e85f749887716ce5f3f342a695f2c9c4dbcc69b84956efbb59e425c13741fe289958093
SSDEEP

1536:m3RK5XPjgDycNhX3BubO6ILrmBbTYGVqdN/BOmI6CMy0QiLiizHNQNdq:m3RKVBcbB4ONOZVqj5Om/CMyELiAHONM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Immapg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe

Executes dropped EXE 64 IoCs

pid	Process
4208	Flnlhk32.exe
3444	Fomhdg32.exe
4948	Fakdpb32.exe
3176	Ffgqqaip.exe
2104	Fdialn32.exe
640	Flqimk32.exe
1612	Fooeif32.exe
4188	Ffimfqgm.exe
696	Fhgjblfq.exe
3948	Fkffog32.exe
1656	Fcmnpe32.exe
4436	Fdnjgmle.exe
4076	Glebhjlg.exe
3972	Gcojed32.exe
4876	Gdqgmmjb.exe
4084	Glhonj32.exe
2744	Gofkje32.exe
3748	Gbdgfa32.exe
3288	Ghopckpi.exe
4944	Gkmlofol.exe
3104	Gcddpdpo.exe
1704	Gdeqhl32.exe
3236	Gcfqfc32.exe
2816	Gdhmnlcj.exe
3936	Gkaejf32.exe
1176	Gcimkc32.exe
5036	Gblngpbd.exe
3724	Hmabdibj.exe
4844	Hopnqdan.exe
3312	Hckjacjg.exe
3048	Hfifmnij.exe
3064	Helfik32.exe
2680	Hihbijhn.exe
4228	Hkfoeega.exe
2784	Hobkfd32.exe
3420	Hbpgbo32.exe
4172	Hflcbngh.exe
2564	Heocnk32.exe
2088	Hijooifk.exe
1780	Hkikkeeo.exe
2940	Hodgkc32.exe
3320	Hcpclbfa.exe
3872	Hfnphn32.exe
1100	Himldi32.exe
4400	Hmhhehlb.exe
4352	Hkkhqd32.exe
672	Hofdacke.exe
3256	Hbeqmoji.exe
3080	Hfqlnm32.exe
3172	Hioiji32.exe
4456	Hkmefd32.exe
1164	Hoiafcic.exe
1536	Hbgmcnhf.exe
4428	Iefioj32.exe
3820	Immapg32.exe
4516	Ipknlb32.exe
3776	Ibjjhn32.exe
4044	Iehfdi32.exe
4692	Ipbdmaah.exe
3732	Icnpmp32.exe
3912	Ifllil32.exe
2120	Imfdff32.exe
4344	Ilidbbgl.exe
1632	Icplcpgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ipknlb32.exe	Immapg32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Ffgqqaip.exe	Fakdpb32.exe
File created	C:\Windows\SysWOW64\Ohjgdmkj.dll	Fkffog32.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Jhondp32.dll	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Gcddpdpo.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Fakdpb32.exe	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Fcneih32.dll	Gbdgfa32.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Gcfqfc32.exe	Gdeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Jimekgff.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Clkooklb.dll	Gdqgmmjb.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Njefqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8620	8472	WerFault.exe	390

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflcbngh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcmnpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfifmnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnlhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfoeega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fomhdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glebhjlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcfqfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Immapg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flqimk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hobkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmabdibj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icnpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbdmaah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbpgbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laffdj32.dll"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgefhai.dll"	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glebhjlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jidklf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4208	3992	07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe	83
PID 3992 wrote to memory of 4208	3992	07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe	83
PID 3992 wrote to memory of 4208	3992	07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe	83
PID 4208 wrote to memory of 3444	4208	Flnlhk32.exe	84
PID 4208 wrote to memory of 3444	4208	Flnlhk32.exe	84
PID 4208 wrote to memory of 3444	4208	Flnlhk32.exe	84
PID 3444 wrote to memory of 4948	3444	Fomhdg32.exe	86
PID 3444 wrote to memory of 4948	3444	Fomhdg32.exe	86
PID 3444 wrote to memory of 4948	3444	Fomhdg32.exe	86
PID 4948 wrote to memory of 3176	4948	Fakdpb32.exe	87
PID 4948 wrote to memory of 3176	4948	Fakdpb32.exe	87
PID 4948 wrote to memory of 3176	4948	Fakdpb32.exe	87
PID 3176 wrote to memory of 2104	3176	Ffgqqaip.exe	88
PID 3176 wrote to memory of 2104	3176	Ffgqqaip.exe	88
PID 3176 wrote to memory of 2104	3176	Ffgqqaip.exe	88
PID 2104 wrote to memory of 640	2104	Fdialn32.exe	89
PID 2104 wrote to memory of 640	2104	Fdialn32.exe	89
PID 2104 wrote to memory of 640	2104	Fdialn32.exe	89
PID 640 wrote to memory of 1612	640	Flqimk32.exe	91
PID 640 wrote to memory of 1612	640	Flqimk32.exe	91
PID 640 wrote to memory of 1612	640	Flqimk32.exe	91
PID 1612 wrote to memory of 4188	1612	Fooeif32.exe	92
PID 1612 wrote to memory of 4188	1612	Fooeif32.exe	92
PID 1612 wrote to memory of 4188	1612	Fooeif32.exe	92
PID 4188 wrote to memory of 696	4188	Ffimfqgm.exe	93
PID 4188 wrote to memory of 696	4188	Ffimfqgm.exe	93
PID 4188 wrote to memory of 696	4188	Ffimfqgm.exe	93
PID 696 wrote to memory of 3948	696	Fhgjblfq.exe	94
PID 696 wrote to memory of 3948	696	Fhgjblfq.exe	94
PID 696 wrote to memory of 3948	696	Fhgjblfq.exe	94
PID 3948 wrote to memory of 1656	3948	Fkffog32.exe	96
PID 3948 wrote to memory of 1656	3948	Fkffog32.exe	96
PID 3948 wrote to memory of 1656	3948	Fkffog32.exe	96
PID 1656 wrote to memory of 4436	1656	Fcmnpe32.exe	97
PID 1656 wrote to memory of 4436	1656	Fcmnpe32.exe	97
PID 1656 wrote to memory of 4436	1656	Fcmnpe32.exe	97
PID 4436 wrote to memory of 4076	4436	Fdnjgmle.exe	98
PID 4436 wrote to memory of 4076	4436	Fdnjgmle.exe	98
PID 4436 wrote to memory of 4076	4436	Fdnjgmle.exe	98
PID 4076 wrote to memory of 3972	4076	Glebhjlg.exe	99
PID 4076 wrote to memory of 3972	4076	Glebhjlg.exe	99
PID 4076 wrote to memory of 3972	4076	Glebhjlg.exe	99
PID 3972 wrote to memory of 4876	3972	Gcojed32.exe	100
PID 3972 wrote to memory of 4876	3972	Gcojed32.exe	100
PID 3972 wrote to memory of 4876	3972	Gcojed32.exe	100
PID 4876 wrote to memory of 4084	4876	Gdqgmmjb.exe	101
PID 4876 wrote to memory of 4084	4876	Gdqgmmjb.exe	101
PID 4876 wrote to memory of 4084	4876	Gdqgmmjb.exe	101
PID 4084 wrote to memory of 2744	4084	Glhonj32.exe	102
PID 4084 wrote to memory of 2744	4084	Glhonj32.exe	102
PID 4084 wrote to memory of 2744	4084	Glhonj32.exe	102
PID 2744 wrote to memory of 3748	2744	Gofkje32.exe	103
PID 2744 wrote to memory of 3748	2744	Gofkje32.exe	103
PID 2744 wrote to memory of 3748	2744	Gofkje32.exe	103
PID 3748 wrote to memory of 3288	3748	Gbdgfa32.exe	104
PID 3748 wrote to memory of 3288	3748	Gbdgfa32.exe	104
PID 3748 wrote to memory of 3288	3748	Gbdgfa32.exe	104
PID 3288 wrote to memory of 4944	3288	Ghopckpi.exe	105
PID 3288 wrote to memory of 4944	3288	Ghopckpi.exe	105
PID 3288 wrote to memory of 4944	3288	Ghopckpi.exe	105
PID 4944 wrote to memory of 3104	4944	Gkmlofol.exe	106
PID 4944 wrote to memory of 3104	4944	Gkmlofol.exe	106
PID 4944 wrote to memory of 3104	4944	Gkmlofol.exe	106
PID 3104 wrote to memory of 1704	3104	Gcddpdpo.exe	107

C:\Users\Admin\AppData\Local\Temp\07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe
"C:\Users\Admin\AppData\Local\Temp\07f619745e87d8a10b0e688ad2919fdc12eca0a39b9594d63055f5fc996131d2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\Flnlhk32.exe
  C:\Windows\system32\Flnlhk32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\SysWOW64\Fomhdg32.exe
    C:\Windows\system32\Fomhdg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\Fakdpb32.exe
      C:\Windows\system32\Fakdpb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        25⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        27⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        30⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        31⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        34⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        43⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        44⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        45⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        48⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        49⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        52⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        53⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        54⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        57⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        58⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        59⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        62⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        63⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        68⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        69⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        70⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        71⤵
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        72⤵
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        73⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        74⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        76⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        80⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        82⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        86⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        88⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        89⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        93⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1076
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        97⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        98⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        102⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        104⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        106⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        108⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        109⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        110⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        111⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        112⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        113⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        114⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        117⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        119⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        122⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        125⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        127⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        128⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        129⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        133⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        134⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        135⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        136⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        137⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        138⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        139⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        140⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        142⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        144⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        145⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        146⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        147⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        148⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        149⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        151⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        152⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        155⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        156⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        157⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        158⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        165⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        167⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        168⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        169⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        170⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        171⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        172⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        173⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        175⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        177⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        179⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        182⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        184⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        185⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        187⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        188⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        192⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        193⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        194⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        197⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        198⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        199⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        200⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        201⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        202⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        203⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        204⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        209⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        211⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        213⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        214⤵
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        215⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        216⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:7372
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        218⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7508
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        221⤵
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        222⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        223⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        224⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        225⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7772
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        227⤵
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:7860
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        229⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        230⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        232⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        233⤵
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        234⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        235⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        236⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7280
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        238⤵
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        239⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        240⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        241⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        243⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:7784
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        245⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        246⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        247⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        248⤵
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        249⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        250⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8188
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        251⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        252⤵
        Drops file in System32 directory
        
        PID:7368
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        253⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7612
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        255⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        256⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:7964
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        258⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        259⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:7492
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7632
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        263⤵
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8000
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        265⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7324
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        267⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        268⤵
        Drops file in System32 directory
        
        PID:7896
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        269⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        270⤵
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        271⤵
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        272⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        273⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        274⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        276⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8340
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        279⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        280⤵
        Drops file in System32 directory
        
        PID:8444
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:8488
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        282⤵
        Drops file in System32 directory
        
        PID:8532
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8580
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        284⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8668
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        286⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        287⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        288⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8844
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:8888
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        291⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8932
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        292⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        293⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9068
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        295⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        296⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:9200
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        298⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        299⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        300⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        301⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 432
        302⤵
        Program crash
        
        PID:8620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8472 -ip 8472
1⤵
PID:8568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
27df12c391186b7a28dc0c3afcced571

SHA1
83e654c7d0e092aaa9db74ae89d0f807fdd2ae5d

SHA256
436d0182375708ef6ab1a4e944828eccb61e1a74a8663d81ea49b80cf530fa95

SHA512
1379d35ced6b15ced34b69337761616a5542246b6d2b64642f445e6da3e4018c12114d694c94f9a3e4cc6d4ef7a854d30a39b38cff5c091bfc14683e3b2c4861

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
34ed71f10910dd77d9417e880c87a220

SHA1
dd89f076e9c3b6ad7e2fa6555ad604e669961430

SHA256
84fd120fa751c101c2fe4019d4693a6259440c90783839df351378e408f58225

SHA512
8bbbd092c5617894b590d6edd9c722995bdd4dd5f37fadcd09b40b72aefcea777c1552fd6e43dbeb294a51b054dc5e4af917f44ad8d77a333c5e995aabc4d14e

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
0d028e274858a38029c6a16146789f44

SHA1
34d51eb3fb6d51d64b1edfc80e47524ed6b20cd2

SHA256
7a8188aac5d304f70ebafaa434a5e544562d378855075b03cb49e626b46b2091

SHA512
1d2bc176c6a96100107152da2e21a33710d22bdf1085af8dc6d85a25e2eb1e055a4ff01c05b4dbe508a3d1d4c91ab5533ca467f6221e681ab83a522e0c80e33e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
c773386bf083fa448928853081f85e32

SHA1
4ffe8b329003178ad98bf100b69748e66198f481

SHA256
920f9ea6ff30ff8f5fd716a28999e11714fb284ebce7bc4f7fa36682c8549029

SHA512
475ee91d98b7eff6218e1beae3e067f761ffca119a5b740ea945fbae149104c4d4ac6ae8e20b55b3f53cbac3999704755d1dc44b59b827fc62d942a9a43111be

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
96KB

MD5
895c876439b3025233c32f2fc2479445

SHA1
1ec070a818cb4211f30494aaef39a0eb334fcdeb

SHA256
ab8c04f0f9ae08713e3235ee8ed9d4d6dc7bf8400bea80a38bf1ad1d3261912b

SHA512
5d257289e9e4e205f52b4a40e850016abd5c18a0e8945533237ced20aefb1d6dd1ddcf0ab2717773118cb157cfd8abd7f20b9f4a017024f7c6fd1ae9e0bbe636

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
96KB

MD5
63c32232309227e633bc98d74f41ce61

SHA1
c026dca26437d059e4f702e96c459478761e1e23

SHA256
0cf19f0cec86a6f6c60455e9af58dbdb5fbd329033b324a0c3f55d7650d8318c

SHA512
c20f878e604ec7f925949bd7c47341e3f35a0bb8b5c041d831eb91da214c4348c75d3df40eb5aec55aaa8eab2962cbd31acacd266bf664bf898b975b5329de09

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
96KB

MD5
d3d577113e2da39951b19477548b5978

SHA1
f861c9424f3c590f54c0094034d13877675ba788

SHA256
f047c15c7ac8001f6fd166831d72070a3097b5b01a26797ed190f16436e9d608

SHA512
2085238fc867721704ac4ba0eaaa4db100b30f154f59cabd5c961641b64be75d64b0f6dd4f0a4e4a24a81c542f0ea10b99e7613d202754966a20fd21697fea00

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
96KB

MD5
78b40b34aa9e2e0e033eceabdc54b676

SHA1
0f07777bacf5b34afaa7e710f285b1ddb826ee38

SHA256
846ce754a3d0d5ab7f6290e8f8022499ecabb8817ef1353d9704e616ba96c03b

SHA512
c1ed3cc88d79e6e7fdb2b38e9ca883e6cff5b6916c9883bf802b0e007ab25d0c34e0615e96a9f0629ac4d3204a1168c0764096fa10367cbf95dcb7cbba9cc0c7

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
96KB

MD5
0c3a93d515aca74934a66157694f48e0

SHA1
20d6ee708ab5dade9b965091eba38712faf15fc2

SHA256
65f86ef3713ee2d7c3628780961df419bafb484688ea7b6af65486ab1b9458b9

SHA512
499fb8b4c83b0be953c682b2676cc4af08701b4977b6278c38e9744dcf547cfa10b25739e7681808fa10a56a2afe8180a3d3907d86ebb68d4ae884a315a636b6

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
96KB

MD5
631a3c09d055bd532967cdb7c1f8c7e2

SHA1
84e9f13ef55d26ce1ca45e78e787ff94b702e708

SHA256
55b0e350a519bd326929e3af13d70ee9a8df5a961cdde2fa8ecaa4c4d0880d85

SHA512
81e7b9ab193674c584e4daa4a7afbcc068dbee469ee45ca7ab2e459a65f496342de2e2eaa3ea12d05dc837878cf9e9a621c0bf906d2a48b0f604c5f47ea2fe5e

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
96KB

MD5
b41c1722b86ded21056f38eea353f84f

SHA1
ed23f49815b12fc5a6d045202359e4a6840bc6dc

SHA256
d46d114c4c11c7ec01f3a1c51275b091f527e73772c46c98e4fc2f1a416a17b6

SHA512
559e96009e1c0c3c566a40421d1cf7e8c3d57343395c0156f9a94a1fe5978d89df0e7ee5cc348c39812a46a77ff77890aa94b79f9ab451768f57bba6ed359fe0

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
96KB

MD5
982ecc6a492b6f32e8d33ffca1f0ef48

SHA1
d350189f319468c6c85fb0a76abb0dbd32e93f8c

SHA256
56da679495614034d27e5217014ed05d80b1d3250d0bb69c115410f4dc3896cd

SHA512
858d9ef6e825d7e518c16cd80d5c0e6fc3edf9eb3dcb908a085673d13c67caca22707f054d501c1c82971758d7852a657be608ddf496bed2b3fe11be4655d41c

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
96KB

MD5
8e01c683825e0eee731c1aa49201b736

SHA1
81e19193c091ebf595dcb45cc1ea313531128aa0

SHA256
5c46dd30323a066ce49f2a952706cb93576107a50f383581834a6c2426e85b8c

SHA512
072fb822dcac5cca57229e5f0d80f53e9361c5cfe52bf466fda2244cf7a77b9d85e07cb98675c92137c728cb6452c6aac2851c96685e354f8a6d99eb446e4797

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
96KB

MD5
1d6e9e9094440992207bee0f7d69271c

SHA1
1742f311210dac0e1595ad15b1983bee7d5a2e65

SHA256
820628291a4d00bb267ba10371db492984fa9bdfd143b9f4d554d3c35df99d2e

SHA512
f288e23e47663e0d9373b5dfef453a370223a226b92c2216778a219a7a3ff73523c22bc8133a5626bec4d45a5c8fd8340f41beb6dc4afe45b6178a0572543636

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
96KB

MD5
73a74fc303bc47f20653c365f922ff7e

SHA1
8d5a6db9d81b461c2ef3d9704f5da121f3c21812

SHA256
f729ed935c69445186322f98a2d446201aa8f0a645c7ba17934371db8141d3fb

SHA512
4e51f6f0103825077a4833733930c6da48a76c989eb5cb11d7f78da80d59a0b1a4a85064df73808267492b69004f0f773bf13487b16941cba100d93306485227

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
96KB

MD5
3b0f489a2847a4471fc9e356c60828ce

SHA1
369fd7496b06feefb4daa2d7db0cf99a581bdea3

SHA256
fd5dded0ceec50b01aa1610219991bb048692b90f28bd2541e78a650483e641c

SHA512
c42f447a18c5c2bb472c00d24865398e5c76c5a58c719240a152d9b519913a002843df950f19b281da74aa20e095c4715731f927f0acc7331bccaed49a1d5c97

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
96KB

MD5
8271c9f79a2b44228f9a32ca26836a9e

SHA1
529d2ce5b695c00b0afaa7e80cde80d041ae36ae

SHA256
09082fdda560c08e5ae6e54afa1f86d66a9a29a67d756c668f067a1a13537509

SHA512
dfd5d6faf45e1cdd725c1bdb827771746af73ffeceb0923cacb8e40fe7147f44d697e5eaa36997be80f908c061e53b91ba5689d6fb56283e31b2cdd7e641fac1

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
96KB

MD5
6eacfee68912383d949feaa30e96f88a

SHA1
f7d4dfee62d85c40659bb0dd6b5b58c051706721

SHA256
f8d724e2f0b47449ba6820b0532338092094c922e219dfa5555a476e04e28dbc

SHA512
d844d85bbdc0ed8c2ab3f53ad40e2f734157957d224cb7d78aa3751018587a2e398606e63d4f8ea106f65b3ab5fa3f14a7dc015e2ac32aa651b66efa2e3d7057

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
96KB

MD5
5cb77bfcb91d73641f1f757b22d9f15b

SHA1
f766d164f82741be95fae1dfaf7d5ea31be6e35f

SHA256
7b358efd0b5f7635c44b55bcfcb03248530a13a15928e065c443df38bc6c31da

SHA512
d11e606271fa667eee6ffa6499fb0b31d89cb1a5554891eef9620d22a2ba4019d79d577c0e0bd0a40d9e6aabcce1b6b2fe00f055e0383d49181a882fb693acf9

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
96KB

MD5
e11ccc96e7d674e9c7667d78873c9be8

SHA1
41c31d9a153287f7bc94f497fd9491dd55fe84ef

SHA256
0c48b889ed453a2c120a9d17cdbb6f19a7f4d88495c3990eb80d1d2556ea10e0

SHA512
15801b40223698a8cf03e025c149242801a7204ad5c73e97ae3bc3bcc049a04fffb6756eb419fe9620db8904ec91f11077f678c7cc01857cf0e3f3e28e397fe5

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
96KB

MD5
5cbba788b09f41c0bb210125ce948ad7

SHA1
f18540199bd742f7ea45e034455220a671998b9e

SHA256
f59a3ee93ea1b3697c051b2d5b0ee5eb503e44cc1f1e76ba0ea966425af19ebf

SHA512
8dbe28b91572f48ae24856d4cd36e52eb3338ff857517fb703be3d2a66a54e19d764e52df909cbfbe61384ff8c367153a9a83fdb1b1d61cc825665b83923020c

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
96KB

MD5
9c17e3d624950078bd8bf519f5a46b30

SHA1
cfabfe76ef489fe72581596dbd1791c91fb75a3d

SHA256
c75543c6839e739d5ea2d280866284552541dc5a227a9568804caaa4566cc2fc

SHA512
914c902a4b812d85c43e36d7e77a3ba4ad4b9257f8d773d62ac65a2dbf22360e6c9ff3a3301b960b12704d2cca446767b28d28afd87e530aa4770245c5d6c0ec

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
96KB

MD5
7d7345c67ab8cb042ef25ca03cba9b66

SHA1
0a911ea2a76e78b8c53c86526f6f577f7b498cbb

SHA256
b727aaeed7e5288c5e5cdd169b041f6e7c246e242bea6f8ccdb9f44804a8716f

SHA512
95790ad3c79392e9e81cbca368829b517e819dfac9b306aa11e324b98a28213a5837a26daa4f2b82c73bcbef402d623b3dc5f113e2b8f4c75e98e076d65d21ce

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
96KB

MD5
41f049d29a5bd5513f24ed1f89553476

SHA1
f0d39710c7cfcd789323600b2a0ee5879bdc8bfc

SHA256
330dc8e6790fa98849e4ef1797af833d2b8bf4b35719475ba85b16ab9652dd27

SHA512
e4133dbc904a478e1b08c317a578ce7b74da07368ba8a53b35072b80ac39f52921f17eab4b4d85c710536e600ef74050be837aa5e406e32042fe37fb64fa86f3

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
96KB

MD5
c9a9ec4c9581a5fb029594d2b526b6a6

SHA1
0e9f72130357e4965ea18cd3b3756d014735500d

SHA256
b648a01160fbf328780381cb0f76381dc3d53f97ec0f09227874b6b96deb37e8

SHA512
903c24a9f0bed6f67540d0c541f6469f895e300d5226fe348cc5d8cb22aeda40074257b965675b7bfe02a6a5d9977ad57514a9131e64a87f97bec0c795841c7d

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
96KB

MD5
bda75b3768f18b4f03dffbb765c2d861

SHA1
85a79d340af5725a0e3bd01d143c66d55394341d

SHA256
0501ea4ef2f11d585feac79fd03c417dcf34a14141f3fc32e0d827b428224722

SHA512
e2060041d17f4e6cfb73fdeb4face1ae3da3c655d5e6f6e2a73907833819cba49a72fc96ec478131761e5d374f184654dc32d5688944d79a293c847eaf3b8eb3

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
96KB

MD5
8ef5e14cef19a339772dd6694272e502

SHA1
51c6aaa988925f6ba90da69f42bf34f8c2928b49

SHA256
62d4f152097e381d60b76fa0c9e95c0aa04aa38eb868fd742edf721cc2949182

SHA512
11d27bf598cc5bbe934f5113285b71406d3de2fd2eb9ca6f7c552dfcf5688552578a3ca6c6daf678cfacac72cdbf9397461d74745c3a9ec9228604d52a8bd438

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
96KB

MD5
18857691aebff284d0c134facdea1a7d

SHA1
1e7546611e1e35024a63ad862cd9c378a2dc4cc2

SHA256
4138d6ae9a6533d8243aa8f2b45aafa69ab5f7de8b8f3d34bba6e7202fdb0d56

SHA512
8bb3daecfade184a8a006b0e35f5f68eba6b2f0a84660adec6590008ed880acbf9259688ee4f3394086de100de7a374e4300684d484ca7cda64a899303189045

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
96KB

MD5
017a09a82b656e6c4b6aa23fdc1c6870

SHA1
2bbc334420975940020b7d11fdd5232cba1c841b

SHA256
b866f0965a871bece592e852c9aa830f30631ac52129411d279003fee23132d6

SHA512
9c314b0001ed726eafab05109ed951d4f6c5169d318b127824dceb8b67c8d6554a64029d3a92c7b4473318fec982a1e443678b9abe3bff8a9126110314b3802c

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
96KB

MD5
ab6d2ef1794db5136140e6578f051bfa

SHA1
bb9137c1919318571fa6c831ef91583787262fb2

SHA256
836c60e0fc350798033e9ee55a42fab1e6488c36d736473bcaf2d33da74607d3

SHA512
ebd2fe716ea57d1bdf3a0ab3ba646a89fe0b35d066773b909635efec440c8e60cdb1acc7d26743b618ebca2914746b7c29dccfb7c36a3e050e1d753d71c53fd2

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
96KB

MD5
1537f0d40df5b21d194663417fdbb87b

SHA1
84335dada4661ac9ed11914c0d04a5bdf9935fa5

SHA256
9f3d4dbe2e88e04ad0af9d68e72d3a532493dcd63b2a3128e335396f44a028f3

SHA512
0ecf7719252349570012518f2a8b51d806157a624ebb0606eafaf4b6002eda723c2d8cff02857fb32dce45814ae450f75057bbfc194fa756d1dd429e0d88541c

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
96KB

MD5
a14b30e3da7acb9de5cd6e8d47f181e8

SHA1
78309b6f7019f83faae1556a1332d3141e77b897

SHA256
0b81ef688d0aad16a0e233e7395d44171317c9c1bc2284927a730324b0afa2c8

SHA512
c1baf6ad944145358597645ecacfda8542d2c9178aef736d020ac5c1c93c536aee1faf001c0b3d779c07418d93cdddcf7f6bd41df65bce4b8803a2d50c608482

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
96KB

MD5
173d00a113b3954f1a0e6a453691d76d

SHA1
fb3b7ed7a8e62782602ad8dc62085459903dec29

SHA256
bde838e6ba883b4dad1029c490cdd94a6c2dd75d33c0b8a2406f5736ac1e23ae

SHA512
f1fbf9e1961625ac123173bb9e8534e9d40fd1ffa7fe31f399cf595899d4b8ae659612fbef91b3428e3ea32190257191f2305efa4926dd52a33fcb17cfbd2ab3

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
96KB

MD5
c2d5f24ce30f8dfe2dde4741c1628a06

SHA1
a4b6707a7d67b9dc207c4fc7383f276892ccd7ab

SHA256
e4b465b91af2f830871ee3f6635cfccbaeb4efaf6dcbb60304fd1f8b3016499f

SHA512
769c11b6b3ce6b84b31dca9889e6ad944c314201e0d3d43277d4764528d99a646c87961c577229e4ea7e854b86f8d31a1e153fd1e21d0d913b6ba42ab411faf1

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
96KB

MD5
115f91a4d341163071e580c4067829f5

SHA1
98b97dbe9a84837dfba95eb0cbaccc18663574b7

SHA256
f6453876d0f80d8272209f32e4eaaac910fe339f76fc74de9fed93ecfb7cdc42

SHA512
b8780ff627268a798c238ef316c0faa320fe7f03d7bf6916c94bd3ac10b67769b4aaf96ba5fa29a6ce1f5b9f58b264aba5575853308e2a2a6bcb88b4a1ceb6b9

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
96KB

MD5
e9358f3969b4ca836302c561adfd48f3

SHA1
b37c027b7f0e0ad4191a0c99b982b9e7fbfe472a

SHA256
a95cc0630b4987d6ebf736be53a4df8d703d88dde296b685f2329a3c2bb9590f

SHA512
7b28d7af20f02b84f6dfc409be70670e1c3a1b7e7a8f586ac05e7afd356fd2e4ddc8361f6f5ea9d28debf9f0dfde727241bdcc941a628bbfae8ee5f28f0e00a0

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
96KB

MD5
55b3b8ae95bcd42a1d07d859bc71c342

SHA1
ee3e67b31fada0e334b9eb3b51f3d17947eb0ad4

SHA256
f348f1dfba05c46b281779cc75c22711d6ded8a49144bd569f98b427bea45190

SHA512
4ef67d02541be0b8762c96a3441b58f7e5160c4a5295036f09b31c85f56a9bdd0747aa5aac6780c0a877eb80f098139eb148f4e60609bf5ea17357065681f3c2

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
96KB

MD5
e6e2f5404b8d9accef2b86a66b3c6496

SHA1
4fb77f240728cf601fd77b41f3645a9f41b9b8d8

SHA256
90d395bedac2efd4b9a3e15c4d7ebcc5c04940f32e917c02a9bc37b388be938e

SHA512
c520e0593c3d12f6c05abdcd3924ec8d49d9580d32707c2131bdaa6e7cc5a51bbed71ff245f8aa0b97ab6b30d023952f05175e6fc120b49e058a4e2f04d54c64

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
96KB

MD5
8d0d3480c65ba95b79426dde25b25420

SHA1
d40ee01ab6f41ea787a184e9d0d634f7e80f613d

SHA256
d91bbd86f47ddd17a601a776f67db2b5017dbc5a8acfeb159cd215bc43bf6426

SHA512
b30789f733da9729c0935c9f2e620c047fd848c66b271a427d0e5bdfdcb69cd1faa2b6c0ba173b7ff607500fb6bf13b7e823043db7741716d44d9c754c253303

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
604f032fc1437c9552937c3f4d85979b

SHA1
72a6d65582cc64253af5e4fec3cec9132a7cf295

SHA256
7eb227c56302a731de337e5c1e547f4b540f7b8abb4b7e4ac2548921ffe6b88e

SHA512
b1d17c327abc181b8ee26467538e0f00eeb1d7200137bff4f6a226aba0e40dfe08638dc11a8f93151c13fccf1e80da143e91da95f35e0d94b8be65296f483ca3

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
96KB

MD5
df9cf88bc44e9b83d673abf58e1146ca

SHA1
63a745d8947516fa09aae4ac8b31485f67e81ef2

SHA256
d47916b32064ddcbeff1dd721c6cdcf66ccfb2ba59582036c19b4ceaab83de87

SHA512
05dd7c46278126c9c7d2d1c76d307615b040ce2bb5686b71a1ee2b976e668e8af847a87aa8bbabd399f70a510e2552c70cfc5e36d4b0544e9b4dbbe67352309b

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
6fa6f3b7f024cad54c7b5f237ff84eef

SHA1
a1afdab5f1743d6d87756e8b52701a4cc606b29a

SHA256
48a1e6905c9b6aa4a5effb81b246ca483c68c4f1c6591f1e8d7e461e5c4e5b3d

SHA512
56c5fa06aa7ec2b245fa123e82e4c33d75ab27789b3406dd14429b231de225a5f6943581450666797580de8f387ffbd0dc9943e1d929e19ef4f203d953a1778e

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
cf8115439c221ad7535c451d3f895636

SHA1
d1d7cabcea618e63feb9e99ab30502ffad8cdbd0

SHA256
34e50bb62c8153ee8de6f9c2c41930330efa2101b0869cb7e1980777869bb349

SHA512
5aaa509361438ae0fc90d38f9c6f27e40c88996ded445d6ca0480cc29add0db8e533e25514a840d353d8a804d172b21cf8464a5027b14384e65d0169a812a972

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
96KB

MD5
1eb71c867051f2c27ca47938f2755afb

SHA1
d14e481c019c226d92234eadba63d39d34866de6

SHA256
8b2a12518d891a0afd1d47de84d6dba4b3049f4e273f33dc08d6d8d67ac56b26

SHA512
91f194e93f1b4d8afceb9e415e9c19e1edcc69539bd580e0b252049492eae75e9919d8ed9198bf3b687d2b54aff3eebdcf36584eac581605abab13291d090a40

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
96KB

MD5
cc8ec2e73521b3474d2b43eae93028b1

SHA1
dae469a1fd0d2b208a73cb8372aa7f84324bff81

SHA256
f8bfcd12cdc70982672d35a7e491e51da419b54def3ee198f185145956e1a0ed

SHA512
92b22b42835228428e7869401038330325e8a72136198e2ccf97ef453c1f73c40843633bc6378287d69ec3d6e1df002272b2d83b2a7d9aa7b1d53176e539273f

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
96KB

MD5
7f2ff59a4735e441d526dbd12a44792d

SHA1
7799b66325bde2c7c5716fecc38fe49e1c897413

SHA256
b6c69a07bb0568c497e0087deae4cb60e4036cca01d5c52412c1056bcfd8941e

SHA512
a448b42a2a05190d57e5bb56cb278d33b1cd86a4e159cff277f0663af6ef0a7e901cf451f8a51a56621dcde26601e51f51020e30d6e2786e5cba904c9604f483

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
96KB

MD5
c6a294f295d29ff16b76ec4e245aefcb

SHA1
53f0e1d105f319de28b3367505548633660355c7

SHA256
a2c7f905ea7021bfdb719b35658680eeaeb15bba32231421f1e12e9599c98e4a

SHA512
79d66a8afe56e520a44a667e904a0397d78f142ce1c5f44ce99f730a02784f63a4c3123dbf6b23ac1f9db571188f03fa2e2f01acdc84315beebecd13bd0afc7d

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
ee739fa4e13f6b565d0ff0e270de3d6f

SHA1
477263281f4ecfb39d9fd9c0177030c4f8460711

SHA256
58a464ce5983ed445ff9ee6ecc2d2560540de58b5e82604ce30b6828607829e7

SHA512
499b0465505c1482f32058238f46284958227b4aa09d601397550c36d0c0d9591efa190171fd4ea5412bc2a8c73f88281d72af06309fda809424f7a41fdac371

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
c731e78e56503adaf817a87a2f8c0b89

SHA1
619f564a54000c0c69b85dea1073a3b7969940cb

SHA256
05ffc4221de50d945f6cfe3e9d40089e5120b9c1aa134053c3ce66c731d62ddb

SHA512
51d305fdbc91e097aa6cde5e9ed9ce9d30a0ff4a48f265c4426e840e3d687d7475797b731d540d13a0af89d2fcbd6ad76578a4455c6eff80a868a7f5a111dd3b

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
96KB

MD5
ab42274ebde53a725b5684796000d534

SHA1
31a703329e5e89e3e5c478a810fe2704327dffa6

SHA256
26bd474a32b49c35a6c9fd3c8a7a461b5254077bd2a0a9ebf1932adb4a6601ce

SHA512
dc526697c7c9ed6ca282599bc6d5fbdf3a2b39acac8653b7aa175ca9ab2b54a1b796573e5cb8a40fb320a2f54c9d49e594341a862cfc5462c56f7c6343617005

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
e7b5a734d3a15d9b45346417000a5565

SHA1
5dabaa2e5ba4ae3996fdcb2b4ab77df6d0fe97fa

SHA256
10d2491be02971d7fb5645e97a8e6e49077be4fad11633765666275d30cca965

SHA512
663c57ac2070303c6a0bf86cfccc7bdc73ffdc2e4d366b1408083f51c1c3cba4fe500f639b387b937a7cf71217ba89c3d1b683944fb871364ac4756e8a644209

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
8a21adfa41f548e2bcabe48e6c576b8a

SHA1
5eb0bff599dbfc31e1def4243519d7842be0a8d6

SHA256
48d8e9f93f08b0b2994cdd1d0dbe588bad165d858155976dd8559f8aa4ab5912

SHA512
c9491a442266a9d042e97ebaa239d810e1018757cd2c71feb29bc47deee5ca19aa2f22b7226d5333d864a9f35488b020813e9a6384ea9c750bc3e35c57dd88ba

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
d78f8de23d53ed4a27b28f0244a60aa3

SHA1
082437c79482e9af00e154ae8b935329d705c2be

SHA256
23119a6966b0fd76ed7483f06a92f0fbcab3c376a9b64bda7ccac1293454a921

SHA512
207ceaba567b9944d9855e32e293638157b564c4094da5335f3ad55d634c9c4267dee4006bcfb5c2a90f9f5869756e8c77bb02753eb606e30de219299a06e0bb

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
f72a07b042f38a60716321b06714ee38

SHA1
b6b23e56d541a7709f9d9e30eb0358b8114cf7a8

SHA256
3718d534d36eae3c18b439985e44ac818075e74651bab1f8be8edac7d921906c

SHA512
7fee2a290ac7dd3640936e405d6751470d845f075770ae7425e45f62c8de9797bae0afa59a30fb2745055415cc1a0768b45103a73e51a09a812b446fa936a6f2

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
6ec610035711cf8bfb92ef2b65483c2e

SHA1
187392d06b910ebb54413efc48e07c63079e36a9

SHA256
a639371bfbe0157e4e586e76bbffc1adb394ffa036305fa9f451fbe91bd5153b

SHA512
936ccd768a9659b739f6a87142db132e58cbcd38483e48b71b1a89b96925d06cc68bfa3db56ef6aafe42129a68b184a25b8964308658a1566837cd7499249102

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
3e495e82b941ee2b27c1db41685356ac

SHA1
ad7f40d17e39b86f0fbeffca28ba4d5d39302bbc

SHA256
9fdf7ffc44f3fe46e4e9e6f33462ef060b21a2738b299d2dac382dc1ec83bde9

SHA512
72b68c2027542c29f45f390774474cfdfb26a9adc0b570a59642b81ae7055c1e8e42e31f6271175ee3da2e7ac9649fbc774ec12350b2e083577c877ca00a5895

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
cf247c71e3fda41c59b28bae3ab79b63

SHA1
40fea118f818bfdb0a36cb3ec95352cd6ffec018

SHA256
69fc53dd3fa94aa91717137ffc280b214d7d2199fb6962d0451d4b38d4e2d7fb

SHA512
7d3ef8481751e4fc94b95c50be71137352f6966563ca1c3f21c8d19fd7722e00ffab3af179fd8ef10be05019dddde15c4e89f28057e5a7fdebc7c81698e8533c

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
3c0c7a47fc9d56d6eda7c9032d6c14a8

SHA1
df303005d54d86b9400f5059c5847c2fac887a0c

SHA256
87ec21b3d548240d898ac68d95f418d56159f084614eaca6179edba8758f0342

SHA512
2b687d955be19545f29b16aad0771496ccab899c27595421dcc7d7d563cba38dc4f8daca454340bf0b9a3af182c54ee140a550a99fd3bc54abc0d3dec3ca38bd

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
f7c1b036aed9c996e70e3337b414de71

SHA1
6f007bf9557628c6971ee47257c47fc23b1c2f7e

SHA256
95e3f6e26b2f3a7d49e805705d49c1ab7e90840ec9ac17364f5a66408609b697

SHA512
f4987a46a8dcff966bcf634d5d99ce0ff9daff125718462bdfac424eedc2f2950ff6e288b074e78c0267c5cdd415b7b0ef2a56e859bdf05ecca48133dd54c672

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
878dd8dfc4450c2b1857a8b0db6ccf82

SHA1
eaa23a081e361496caed2a6dd6ae08e9768810ed

SHA256
177f0d3bcd81c30e6ac7c85bf64e3fcc1aac602c9a3c4a2d7b986ef3c1949282

SHA512
843f34c89fcc0e0fc8926f1e4d36cfd473dba7daedf060c1768a8fed393502cbe4c00f90481226ec67090df1d46a8e607f226606256704ef6e8c91ea33b0ee21

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
a06f2e81d9bfdeb0ff12106c35b4a364

SHA1
46439760a5ecbf7d8e66a71f0b3e9cdcb8fb6388

SHA256
a2ffbf958e69a3b3ffd83191c7105e0cc61425baab539c1fe1e1cb13e8d511d3

SHA512
4c93441b1c3b8c65030586fc2c68055469868e2578750d91ce3eb39fb88cfe497858b1fd2253aab82526b9554bf01e3a21ed240b1c2008ecbb7ac0e49b9e16b1

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
03a39b37464a2b744f6473f42eacd0b2

SHA1
9f8cf3c9776d063285c66e0c324e04e48c3b9080

SHA256
8cb2ee2373b20740403dba78a24dd4806b2879846daf1a3858f57d77650b1992

SHA512
c32f666ff3d08a64b90f6646eb624e4c86df3afe8b80b15a143a5315955854ede0ce08ade7d2e43f26624c02f84a439d26cd838633bc5d06a8ea46e08ba9fa7b

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
efc45465744088cc89caa5d80e1be27a

SHA1
20ddf6e842feca56abf837163d7d3611bdaeae1b

SHA256
4827c61c1a71e84772cc71ec86475d48d7b580bb88713a5c351a957302d86cb5

SHA512
5b184d37ac0335126824cfe9e9bd98d72fff93df9b213f61bcc503e31eefeed69fbeb50bd53ef18b9c19aaa4b8804673e59b87b75f925e71f62eb7a8b3d38bef

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
96KB

MD5
793fa74170dccca5d687895ee1e888cc

SHA1
65967faa363c07c73f8a2a9507070e2189795396

SHA256
7b1c35bd5c280da4806d9422124579ba3551bba485c5201a8b3a8bf03d03aa07

SHA512
50b8294166350b92f775e4de464c0df3bff12ccca2cdb2c8219792e73906d89358048053c2024623218086c128a85e4a5c1c18b5ea594a27ad4c098678bbc4b7

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
ba7b46dc3ea77612c2bd41001f702512

SHA1
d3df5cc4b042df04e37c94de029bc2bdef8c72b6

SHA256
3eb467cd7cf360eb49cfb67af8aa5190ea189fb7ed5d0126af1f9e12e9b865b8

SHA512
777ae8708f2d96f8550f147c0f250b3091a46ac776c7393e7ca9e65e0ffb134237d611cb8d73ea4eab070f0038f17014d82aa5c9c17b4088ecdd6ab05707b465

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
96KB

MD5
1b3770a5531eeeeec03fa1fefa7c8c4e

SHA1
b3ed4677e619552651eefddb4fb5a352b51bd6c9

SHA256
1dd50c5cd91fa517d207940f7196fa6dc9bd00982eb706ab8671a70b020ec7c4

SHA512
76854869f879c53e071e418f95ea53ddf7cf95b368d7719ff90978ce9bfd682c4cdbc8b8cc83ce139e41957a621445d4506db4f10590a094564630648c7c36c3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
8664469605b1fb11cd3eed737ebf0aec

SHA1
9ec9f19e1e5205be3c0a982db30b5affcf377f0f

SHA256
c685c00ec15868f93dd0adf1a3b92c87fb863a790626f84c7269a227d555be35

SHA512
0f8044520b2f1bdec1d7a5d29adbe1ef47d22fe67d20037b39923add0a04caf28fd3d579f0438ac039dc64f8a779700df18a56bb6daaef4aa00e58386a07e913

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
54fb34e54b527b3e53ecfa8096b0244a

SHA1
266ed0d610d2120b0de74406580e085fe1975a90

SHA256
1078b19b29e4d995a8f844f85b8a99ba1df004141596d3d4d7c1eb9d23c71589

SHA512
a14c27b64912706f23abf302d915534cfb7b50d8fcbce3ed2efff096dbfdfba1c48d7f2e9bf63b3bac860e040dd11533731d9faf49ecfe8d4b8db37dac54751c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
30a3017c176c5f8166a89d6eaab097e9

SHA1
f25068f94a20e6996dd3b88ae5e887d070749aec

SHA256
8ddf7d01146a4fdcab0fc7f7a30b8f33d358ca0574ff2eb1cfc1c7973bbdad96

SHA512
abdd74a11f7da41a20aca1b0c27151cd9e6d4a259efc9aa50bc6966bc0b56efd560d4f50140b09fb711fc620d823426af11f1e4c9bc3f6837c61161c319a1bfc

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
a15733618e3d87a15961ad03e9ff6c3d

SHA1
2cfdf31c97208108768822c808903cae62a0e316

SHA256
9f5c4f63a7e95c13e60f0c2273ec111598b773cc4a852c5513f981722887da75

SHA512
c4ee094ad4d074ba412cc69140efe3f84bc7df919abb368230908f58e1c91110ea938ac3aeb909efffb9854d3df8ed507444c092aafc52b0b2e4563836e82636

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
655fe765631dc500d2f9f646094be47d

SHA1
57347f121609a6349daf86b6d2920439b72598c8

SHA256
4e0878c1a56fc725324403409da30411220461775e0cbb8689d9c2dfe0621fc2

SHA512
c1146d4bc4297b92f8d6c8cf450d7f9bef00550b5c0504e0a0b4bfd6033be7b2b50c10e7980a85885e78e7ba40bad7d284e86ecc8032568b09ef6a5575d3364c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
ac72ed6274a66411740059b7868ec8e1

SHA1
d22b2c965ce6382e6599db0a693a9dbaea3f35b8

SHA256
1fa3a464a3e58e8efee19ac431654b8d958cb1d84e248e8e734780a6006de519

SHA512
7258266c2c27a615f8b4805c3fda3e5bff2e369d96fe7353789fb0d7f484dbd9ebc6898b4d3159f45fd05850f7e033f10a12394acb1206205cf2be00b9209451

Download Submit
C:\Windows\SysWOW64\Pjkolmml.dll

Filesize
7KB

MD5
da2e1e86961a85d73fbf667278f2f722

SHA1
c6556fe6ae8c72c3caa2b752eb555812c1f70047

SHA256
e7cf2c3f25ffa72251af6e09ad9745b4c2e424870c5ee29ddbfa3a585cb1d7c0

SHA512
3492a76eabc26b6021b91ff11d10b6b1351dff1a3af03d25b57cf0cd7b16de857cd496e8f86ce339eb1abe4eac10cc79275939ee3c2996375d756cfab5e692a5

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
391c8ae58ea73a4348b6458477cdd3e1

SHA1
ba06e5179d6e3c46d51da01fd45db74cb654e4e3

SHA256
1e5f73fb1fe86b7d5d544ad6419b0f96d8a92b53d559521ffd2c87f0b2048c77

SHA512
f2d3cc3bcc43ec4ba262442100d27726be0524021450ad2f9d0bfb92eb9c439ac6a9cea30ffa8c2a6bfc746188080a500b57ceac78f8de1ad29e10af28f001b7

Download Submit
memory/624-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/640-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/640-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/672-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/696-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/696-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/848-491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1164-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-473-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1780-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-483-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3104-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3176-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3176-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3256-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3312-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3420-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3936-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4428-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-504-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4876-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4876-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads