berbew | 9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe
Size

128KB
MD5

239e50c73e7180aaba8a01cec1b2d8bd
SHA1

131fb4f373ea383ae7b3b75246d66f86d938e8d2
SHA256

9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d
SHA512

55140aff8ac20afb786bc7d8d5581776137f4294deff71715ae96e3707eec89566cbcd1fabb0876afef3772cf8c1f68ab21e24b8a8e958ed4951db94853ad4c5
SSDEEP

3072:HRrje4PlDTKTcE7pRz2LxMrNukVv1CYDd1AZoUBW3FJeRuaWNXmgu+tT:lZPwjjz2erGSdWZHEFJ7aWN1T

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllchico.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjhmnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddqjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chlngg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogdmaocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onqbdihj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfqpcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moleonmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqambk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgmnjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npabof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbdbmace.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kppigdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iacbkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moleonmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlihoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cppepdbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmqgcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacjdplo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpghdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbobgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnpimkfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflfhkee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncblj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkiokn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdgffq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nonbem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfqkgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgmnjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goedbkag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoogiiil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfcmqknf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibmjdca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jijanl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Canlon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnlebibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kijjejae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcgama32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogdmaocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnafinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdijecgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jndmacoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgminggi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqcjhkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacqofpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iglhckde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keeknl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miomggom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcfok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbpkcad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjhmnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdiclq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iegomnmf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1036	Lmbmlmbl.exe
1976	Mboeddad.exe
4100	Memapppg.exe
2772	Mgmnjb32.exe
2928	Mmgfgl32.exe
3020	Mebkko32.exe
4724	Mllchico.exe
4824	Mgageace.exe
1696	Mpjlngje.exe
4980	Mchhjbii.exe
2120	Mnnlgkho.exe
180	Ndhdde32.exe
1188	Ngfqqa32.exe
2648	Nnpimkfl.exe
3672	Npoeif32.exe
3076	Ncmaeb32.exe
3116	Neknam32.exe
4276	Nnbebk32.exe
2848	Npabof32.exe
3620	Nconka32.exe
1540	Nenjgm32.exe
2024	Nnebhj32.exe
2892	Npcodf32.exe
5088	Ngmgap32.exe
4912	Njlcmk32.exe
5032	Nljoig32.exe
4816	Npekjeph.exe
4788	Ncdgfaol.exe
1156	Nfbdblnp.exe
1196	Njnpck32.exe
380	Nlllof32.exe
3636	Odcdpd32.exe
4332	Ogbploeb.exe
1164	Ofeqhl32.exe
4492	Onlhii32.exe
4008	Opjeee32.exe
4772	Odfqecdl.exe
2324	Ogdmaocp.exe
3784	Ofgmml32.exe
4748	Olaejfag.exe
3852	Odhmkcbi.exe
4960	Ogfjgo32.exe
4568	Ofijckhg.exe
4264	Onqbdihj.exe
3424	Oqonpdgn.exe
5044	Ocmjlpfa.exe
4696	Oflfhkee.exe
1872	Oncoihfg.exe
1524	Olfoee32.exe
3292	Odmgfb32.exe
4992	Ogkcbn32.exe
4268	Ojjooilk.exe
2508	Onekoh32.exe
3748	Pqcgkc32.exe
1980	Pfqpcj32.exe
1444	Pmjhpdil.exe
4324	Pdapabjo.exe
4700	Pfcmij32.exe
2228	Pnjejgpo.exe
4164	Pqhafcoc.exe
4876	Pcgmbnnf.exe
4104	Pfeiojnj.exe
3264	Pjqeoh32.exe
4972	Pmoakd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nhkpib32.exe	Ngjcajgo.exe
File created	C:\Windows\SysWOW64\Bjlggnjh.exe	Bfqkgp32.exe
File created	C:\Windows\SysWOW64\Djcfok32.exe	Ddjnbanp.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmlmbl.exe	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe
File created	C:\Windows\SysWOW64\Celeel32.exe	Cnamib32.exe
File created	C:\Windows\SysWOW64\Cabfjmkc.exe	Cmgjjn32.exe
File created	C:\Windows\SysWOW64\Hklehl32.exe	Hhnilp32.exe
File created	C:\Windows\SysWOW64\Kpbfld32.exe	Khknkgjb.exe
File created	C:\Windows\SysWOW64\Ikkfebid.dll	Diicpgje.exe
File created	C:\Windows\SysWOW64\Kajaijjb.dll	Memapppg.exe
File created	C:\Windows\SysWOW64\Lnapigob.dll	Bmngcp32.exe
File opened for modification	C:\Windows\SysWOW64\Chlngg32.exe	Cabfjmkc.exe
File created	C:\Windows\SysWOW64\Ibopkdfn.exe	Hoadoigj.exe
File created	C:\Windows\SysWOW64\Olheph32.dll	Bappnpkh.exe
File created	C:\Windows\SysWOW64\Kddajffm.dll	Idpilp32.exe
File created	C:\Windows\SysWOW64\Kjldplne.dll	Jnbpkcad.exe
File created	C:\Windows\SysWOW64\Klapqf32.exe	Keghdl32.exe
File created	C:\Windows\SysWOW64\Dllcch32.dll	Miomggom.exe
File created	C:\Windows\SysWOW64\Podcbh32.dll	Egbdoaie.exe
File opened for modification	C:\Windows\SysWOW64\Daieqf32.exe	Djomdljb.exe
File opened for modification	C:\Windows\SysWOW64\Efmcil32.exe	Diicpgje.exe
File created	C:\Windows\SysWOW64\Nkmjpi32.dll	Cmaidicc.exe
File opened for modification	C:\Windows\SysWOW64\Iqklbi32.exe	Inmpfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qcppimfl.exe	Qqadmagh.exe
File opened for modification	C:\Windows\SysWOW64\Aqfmhacc.exe	Anhaledo.exe
File created	C:\Windows\SysWOW64\Jelihn32.exe	Jnbpkcad.exe
File opened for modification	C:\Windows\SysWOW64\Pojjgiba.exe	Pcdjbh32.exe
File created	C:\Windows\SysWOW64\Ihofki32.dll	Qjehpanb.exe
File opened for modification	C:\Windows\SysWOW64\Anmjfe32.exe	Afebeg32.exe
File created	C:\Windows\SysWOW64\Fgbmfo32.exe	Fddqjc32.exe
File created	C:\Windows\SysWOW64\Jjfnpo32.exe	Jhdaif32.exe
File created	C:\Windows\SysWOW64\Jhgnnfno.exe	Jjfnpo32.exe
File created	C:\Windows\SysWOW64\Ihpgngcf.exe	Iddlmh32.exe
File created	C:\Windows\SysWOW64\Idpilp32.exe	Ibampd32.exe
File created	C:\Windows\SysWOW64\Nclbea32.dll	Ikokdi32.exe
File created	C:\Windows\SysWOW64\Jooppg32.exe	Jiehcmcm.exe
File opened for modification	C:\Windows\SysWOW64\Nhdjhcce.exe	Mfcmqknf.exe
File created	C:\Windows\SysWOW64\Oipend32.exe	Ocfmajin.exe
File created	C:\Windows\SysWOW64\Hlkcoo32.dll	Oekpnebi.exe
File created	C:\Windows\SysWOW64\Qqdhbf32.dll	Jhgnnfno.exe
File created	C:\Windows\SysWOW64\Kepkgp32.dll	Oeafmpfh.exe
File created	C:\Windows\SysWOW64\Afafca32.dll	Pnoneglj.exe
File opened for modification	C:\Windows\SysWOW64\Bjjalepf.exe	Bfoelf32.exe
File created	C:\Windows\SysWOW64\Qjpcecca.dll	Goedbkag.exe
File opened for modification	C:\Windows\SysWOW64\Jpffqfdb.exe	Jgonohdp.exe
File created	C:\Windows\SysWOW64\Ocopgiac.exe	Oekpnebi.exe
File created	C:\Windows\SysWOW64\Ojdgmgll.dll	Noehelej.exe
File created	C:\Windows\SysWOW64\Gbmnad32.dll	Ejklpjpe.exe
File created	C:\Windows\SysWOW64\Nconka32.exe	Npabof32.exe
File opened for modification	C:\Windows\SysWOW64\Qcnccm32.exe	Qqoggb32.exe
File created	C:\Windows\SysWOW64\Jhphocbp.dll	Gnfhihjd.exe
File created	C:\Windows\SysWOW64\Hknamkdi.exe	Hhpeapee.exe
File opened for modification	C:\Windows\SysWOW64\Hbmcedhp.exe	Hoogiiil.exe
File created	C:\Windows\SysWOW64\Nfnehjqi.dll	Bepeinol.exe
File created	C:\Windows\SysWOW64\Cfkegd32.exe	Cdlhki32.exe
File opened for modification	C:\Windows\SysWOW64\Ggicfn32.exe	Gdkgjb32.exe
File created	C:\Windows\SysWOW64\Ifpefbja.exe	Inhneeio.exe
File opened for modification	C:\Windows\SysWOW64\Jiehcmcm.exe	Jbkpfb32.exe
File created	C:\Windows\SysWOW64\Kfehhohi.exe	Kpkple32.exe
File created	C:\Windows\SysWOW64\Moeooo32.exe	Mpbocblb.exe
File opened for modification	C:\Windows\SysWOW64\Oipend32.exe	Ocfmajin.exe
File created	C:\Windows\SysWOW64\Daieqf32.exe	Djomdljb.exe
File created	C:\Windows\SysWOW64\Gkpoag32.exe	Gagjia32.exe
File created	C:\Windows\SysWOW64\Oelfff32.dll	Odmgfb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11128	11000	WerFault.exe	533

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkhpgolm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Macdpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igekijlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noqojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcdkpdph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfcogecg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eokhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oimihe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfqqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noehelej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oognqfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajoaqfjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fddqjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djomdljb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odfqecdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnjejgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anhaledo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kphcfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbekcoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnbebk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfedbomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeeqbhoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fobofmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjmcanog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoeaili.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfnpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdijecgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhpeapee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafhkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlhii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maeafc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdaddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memapppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kppigdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdhlaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnckpog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmnigdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgakeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikndjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canlon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fejjnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibopkdfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bepeinol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnamib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdkpapgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idpilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpbocblb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhkpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kklpkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdbmkaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eehnhhmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gamjngfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fejjnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hknamkdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nockpmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhkpib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccpklbfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibmjdca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelfff32.dll"	Odmgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll"	Cfhhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Femgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajoaqfjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfcmqknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oheboa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccpklbfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacjdplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqdqbaee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feochgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhegi32.dll"	Kphcfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbgoba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nidfbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhjpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leibaqof.dll"	Bfcogecg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehhen32.dll"	Edcgcfja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jooppg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kelaokko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmnpg32.dll"	Hnaqjplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hladdbpk.dll"	Gonnblgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inmgpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nockpmgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gipbgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Incmpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehjaa32.dll"	Mankedbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fejjnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkllanen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haoehe32.dll"	Qoaqhhlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkhpgolm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedddf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albmog32.dll"	Bmkjnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhekcplc.dll"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cppepdbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndaibi32.dll"	Cmipeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhdjhcce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mecjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlakdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhkinl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfmpjejf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocjglj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqcjhkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbhnfon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efmcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmebn32.dll"	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddajffm.dll"	Idpilp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphcfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oimihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqlfcb32.dll"	Fpcdco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijlkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Labkif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chlngg32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\1 igH34qf?<:bV{f#r!-fV(nUd4:7853-f>lD1)5"-fvu3L1y`.}1x$`Vig:8pgi}H2-`f!9dvL1vcWFs?:5#y7"pH5#yfs?H9!y8(:?:5!pH34qfs?H;(:?\s\|&V(nUd4:.(C1V=ZYhp5K{L1)`2?!q #8<D.d=DziaOmL1)x	Oahgba32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1036	1624	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe	82
PID 1624 wrote to memory of 1036	1624	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe	82
PID 1624 wrote to memory of 1036	1624	9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe	82
PID 1036 wrote to memory of 1976	1036	Lmbmlmbl.exe	84
PID 1036 wrote to memory of 1976	1036	Lmbmlmbl.exe	84
PID 1036 wrote to memory of 1976	1036	Lmbmlmbl.exe	84
PID 1976 wrote to memory of 4100	1976	Mboeddad.exe	85
PID 1976 wrote to memory of 4100	1976	Mboeddad.exe	85
PID 1976 wrote to memory of 4100	1976	Mboeddad.exe	85
PID 4100 wrote to memory of 2772	4100	Memapppg.exe	86
PID 4100 wrote to memory of 2772	4100	Memapppg.exe	86
PID 4100 wrote to memory of 2772	4100	Memapppg.exe	86
PID 2772 wrote to memory of 2928	2772	Mgmnjb32.exe	88
PID 2772 wrote to memory of 2928	2772	Mgmnjb32.exe	88
PID 2772 wrote to memory of 2928	2772	Mgmnjb32.exe	88
PID 2928 wrote to memory of 3020	2928	Mmgfgl32.exe	89
PID 2928 wrote to memory of 3020	2928	Mmgfgl32.exe	89
PID 2928 wrote to memory of 3020	2928	Mmgfgl32.exe	89
PID 3020 wrote to memory of 4724	3020	Mebkko32.exe	90
PID 3020 wrote to memory of 4724	3020	Mebkko32.exe	90
PID 3020 wrote to memory of 4724	3020	Mebkko32.exe	90
PID 4724 wrote to memory of 4824	4724	Mllchico.exe	92
PID 4724 wrote to memory of 4824	4724	Mllchico.exe	92
PID 4724 wrote to memory of 4824	4724	Mllchico.exe	92
PID 4824 wrote to memory of 1696	4824	Mgageace.exe	93
PID 4824 wrote to memory of 1696	4824	Mgageace.exe	93
PID 4824 wrote to memory of 1696	4824	Mgageace.exe	93
PID 1696 wrote to memory of 4980	1696	Mpjlngje.exe	94
PID 1696 wrote to memory of 4980	1696	Mpjlngje.exe	94
PID 1696 wrote to memory of 4980	1696	Mpjlngje.exe	94
PID 4980 wrote to memory of 2120	4980	Mchhjbii.exe	95
PID 4980 wrote to memory of 2120	4980	Mchhjbii.exe	95
PID 4980 wrote to memory of 2120	4980	Mchhjbii.exe	95
PID 2120 wrote to memory of 180	2120	Mnnlgkho.exe	96
PID 2120 wrote to memory of 180	2120	Mnnlgkho.exe	96
PID 2120 wrote to memory of 180	2120	Mnnlgkho.exe	96
PID 180 wrote to memory of 1188	180	Ndhdde32.exe	97
PID 180 wrote to memory of 1188	180	Ndhdde32.exe	97
PID 180 wrote to memory of 1188	180	Ndhdde32.exe	97
PID 1188 wrote to memory of 2648	1188	Ngfqqa32.exe	98
PID 1188 wrote to memory of 2648	1188	Ngfqqa32.exe	98
PID 1188 wrote to memory of 2648	1188	Ngfqqa32.exe	98
PID 2648 wrote to memory of 3672	2648	Nnpimkfl.exe	99
PID 2648 wrote to memory of 3672	2648	Nnpimkfl.exe	99
PID 2648 wrote to memory of 3672	2648	Nnpimkfl.exe	99
PID 3672 wrote to memory of 3076	3672	Npoeif32.exe	100
PID 3672 wrote to memory of 3076	3672	Npoeif32.exe	100
PID 3672 wrote to memory of 3076	3672	Npoeif32.exe	100
PID 3076 wrote to memory of 3116	3076	Ncmaeb32.exe	101
PID 3076 wrote to memory of 3116	3076	Ncmaeb32.exe	101
PID 3076 wrote to memory of 3116	3076	Ncmaeb32.exe	101
PID 3116 wrote to memory of 4276	3116	Neknam32.exe	102
PID 3116 wrote to memory of 4276	3116	Neknam32.exe	102
PID 3116 wrote to memory of 4276	3116	Neknam32.exe	102
PID 4276 wrote to memory of 2848	4276	Nnbebk32.exe	103
PID 4276 wrote to memory of 2848	4276	Nnbebk32.exe	103
PID 4276 wrote to memory of 2848	4276	Nnbebk32.exe	103
PID 2848 wrote to memory of 3620	2848	Npabof32.exe	104
PID 2848 wrote to memory of 3620	2848	Npabof32.exe	104
PID 2848 wrote to memory of 3620	2848	Npabof32.exe	104
PID 3620 wrote to memory of 1540	3620	Nconka32.exe	105
PID 3620 wrote to memory of 1540	3620	Nconka32.exe	105
PID 3620 wrote to memory of 1540	3620	Nconka32.exe	105
PID 1540 wrote to memory of 2024	1540	Nenjgm32.exe	106

C:\Users\Admin\AppData\Local\Temp\9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe
"C:\Users\Admin\AppData\Local\Temp\9855da6a16ba16b2849ea7963abfaca81f0fda228f913e502dc364765d24069d.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\Lmbmlmbl.exe
  C:\Windows\system32\Lmbmlmbl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\Mboeddad.exe
    C:\Windows\system32\Mboeddad.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\Memapppg.exe
      C:\Windows\system32\Memapppg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\Mgmnjb32.exe
        
        C:\Windows\system32\Mgmnjb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Mmgfgl32.exe
        
        C:\Windows\system32\Mmgfgl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mebkko32.exe
        
        C:\Windows\system32\Mebkko32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mllchico.exe
        
        C:\Windows\system32\Mllchico.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mgageace.exe
        
        C:\Windows\system32\Mgageace.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mpjlngje.exe
        
        C:\Windows\system32\Mpjlngje.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Mchhjbii.exe
        
        C:\Windows\system32\Mchhjbii.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mnnlgkho.exe
        
        C:\Windows\system32\Mnnlgkho.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ndhdde32.exe
        
        C:\Windows\system32\Ndhdde32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Nnpimkfl.exe
        
        C:\Windows\system32\Nnpimkfl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Npoeif32.exe
        
        C:\Windows\system32\Npoeif32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ncmaeb32.exe
        
        C:\Windows\system32\Ncmaeb32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Neknam32.exe
        
        C:\Windows\system32\Neknam32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Nnbebk32.exe
        
        C:\Windows\system32\Nnbebk32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Npabof32.exe
        
        C:\Windows\system32\Npabof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Nconka32.exe
        
        C:\Windows\system32\Nconka32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nenjgm32.exe
        
        C:\Windows\system32\Nenjgm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Nnebhj32.exe
        
        C:\Windows\system32\Nnebhj32.exe
        23⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Npcodf32.exe
        
        C:\Windows\system32\Npcodf32.exe
        24⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Ngmgap32.exe
        
        C:\Windows\system32\Ngmgap32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Njlcmk32.exe
        
        C:\Windows\system32\Njlcmk32.exe
        26⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Nljoig32.exe
        
        C:\Windows\system32\Nljoig32.exe
        27⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Npekjeph.exe
        
        C:\Windows\system32\Npekjeph.exe
        28⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Ncdgfaol.exe
        
        C:\Windows\system32\Ncdgfaol.exe
        29⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Nfbdblnp.exe
        
        C:\Windows\system32\Nfbdblnp.exe
        30⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Njnpck32.exe
        
        C:\Windows\system32\Njnpck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        32⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Odcdpd32.exe
        
        C:\Windows\system32\Odcdpd32.exe
        33⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Ogbploeb.exe
        
        C:\Windows\system32\Ogbploeb.exe
        34⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Onlhii32.exe
        
        C:\Windows\system32\Onlhii32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Opjeee32.exe
        
        C:\Windows\system32\Opjeee32.exe
        37⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Odfqecdl.exe
        
        C:\Windows\system32\Odfqecdl.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Ogdmaocp.exe
        
        C:\Windows\system32\Ogdmaocp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Ofgmml32.exe
        
        C:\Windows\system32\Ofgmml32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Olaejfag.exe
        
        C:\Windows\system32\Olaejfag.exe
        41⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Odhmkcbi.exe
        
        C:\Windows\system32\Odhmkcbi.exe
        42⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Ogfjgo32.exe
        
        C:\Windows\system32\Ogfjgo32.exe
        43⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Ofijckhg.exe
        
        C:\Windows\system32\Ofijckhg.exe
        44⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Oqonpdgn.exe
        
        C:\Windows\system32\Oqonpdgn.exe
        46⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Ocmjlpfa.exe
        
        C:\Windows\system32\Ocmjlpfa.exe
        47⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Oflfhkee.exe
        
        C:\Windows\system32\Oflfhkee.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        49⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Olfoee32.exe
        
        C:\Windows\system32\Olfoee32.exe
        50⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Odmgfb32.exe
        
        C:\Windows\system32\Odmgfb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Ogkcbn32.exe
        
        C:\Windows\system32\Ogkcbn32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ojjooilk.exe
        
        C:\Windows\system32\Ojjooilk.exe
        53⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Onekoh32.exe
        
        C:\Windows\system32\Onekoh32.exe
        54⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Pqcgkc32.exe
        
        C:\Windows\system32\Pqcgkc32.exe
        55⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Pfqpcj32.exe
        
        C:\Windows\system32\Pfqpcj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Pmjhpdil.exe
        
        C:\Windows\system32\Pmjhpdil.exe
        57⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Pdapabjo.exe
        
        C:\Windows\system32\Pdapabjo.exe
        58⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Pfcmij32.exe
        
        C:\Windows\system32\Pfcmij32.exe
        59⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Pnjejgpo.exe
        
        C:\Windows\system32\Pnjejgpo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Pqhafcoc.exe
        
        C:\Windows\system32\Pqhafcoc.exe
        61⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Pcgmbnnf.exe
        
        C:\Windows\system32\Pcgmbnnf.exe
        62⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Pfeiojnj.exe
        
        C:\Windows\system32\Pfeiojnj.exe
        63⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Pjqeoh32.exe
        
        C:\Windows\system32\Pjqeoh32.exe
        64⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Pmoakd32.exe
        
        C:\Windows\system32\Pmoakd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Pdfjla32.exe
        
        C:\Windows\system32\Pdfjla32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Pgdfim32.exe
        
        C:\Windows\system32\Pgdfim32.exe
        67⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Pnoneglj.exe
        
        C:\Windows\system32\Pnoneglj.exe
        68⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Pqmjab32.exe
        
        C:\Windows\system32\Pqmjab32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Pckfnn32.exe
        
        C:\Windows\system32\Pckfnn32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Pfjcji32.exe
        
        C:\Windows\system32\Pfjcji32.exe
        71⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Pnakkf32.exe
        
        C:\Windows\system32\Pnakkf32.exe
        72⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Qcnccm32.exe
        
        C:\Windows\system32\Qcnccm32.exe
        74⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Qflpoi32.exe
        
        C:\Windows\system32\Qflpoi32.exe
        75⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Qncgqf32.exe
        
        C:\Windows\system32\Qncgqf32.exe
        76⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Qqadmagh.exe
        
        C:\Windows\system32\Qqadmagh.exe
        77⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        78⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Qfolehep.exe
        
        C:\Windows\system32\Qfolehep.exe
        79⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        80⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Aqdqbaee.exe
        
        C:\Windows\system32\Aqdqbaee.exe
        81⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Acbmnmdi.exe
        
        C:\Windows\system32\Acbmnmdi.exe
        82⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        83⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Anhaledo.exe
        
        C:\Windows\system32\Anhaledo.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        85⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Aebihpkl.exe
        
        C:\Windows\system32\Aebihpkl.exe
        86⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        87⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ajoaqfjc.exe
        
        C:\Windows\system32\Ajoaqfjc.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ammnmbig.exe
        
        C:\Windows\system32\Ammnmbig.exe
        89⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Aqijmq32.exe
        
        C:\Windows\system32\Aqijmq32.exe
        90⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        93⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Aakfcp32.exe
        
        C:\Windows\system32\Aakfcp32.exe
        94⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Acicol32.exe
        
        C:\Windows\system32\Acicol32.exe
        95⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ageopj32.exe
        
        C:\Windows\system32\Ageopj32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Ajcklf32.exe
        
        C:\Windows\system32\Ajcklf32.exe
        97⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        98⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Aeioio32.exe
        
        C:\Windows\system32\Aeioio32.exe
        99⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Agglej32.exe
        
        C:\Windows\system32\Agglej32.exe
        100⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Bjfhae32.exe
        
        C:\Windows\system32\Bjfhae32.exe
        101⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Bnadadld.exe
        
        C:\Windows\system32\Bnadadld.exe
        102⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Bappnpkh.exe
        
        C:\Windows\system32\Bappnpkh.exe
        103⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Bcnljkjl.exe
        
        C:\Windows\system32\Bcnljkjl.exe
        104⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        105⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Bncqgd32.exe
        
        C:\Windows\system32\Bncqgd32.exe
        106⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Benidnao.exe
        
        C:\Windows\system32\Benidnao.exe
        108⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        109⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        110⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Bmimhpoj.exe
        
        C:\Windows\system32\Bmimhpoj.exe
        111⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Bepeinol.exe
        
        C:\Windows\system32\Bepeinol.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bgnafinp.exe
        
        C:\Windows\system32\Bgnafinp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Bjmnbd32.exe
        
        C:\Windows\system32\Bjmnbd32.exe
        114⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Bmkjnp32.exe
        
        C:\Windows\system32\Bmkjnp32.exe
        115⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bfcogecg.exe
        
        C:\Windows\system32\Bfcogecg.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Bmngcp32.exe
        
        C:\Windows\system32\Bmngcp32.exe
        118⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        119⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        120⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        121⤵
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Canlon32.exe
        
        C:\Windows\system32\Canlon32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Cfkegd32.exe
        
        C:\Windows\system32\Cfkegd32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Cnamib32.exe
        
        C:\Windows\system32\Cnamib32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        127⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Cdoeaili.exe
        
        C:\Windows\system32\Cdoeaili.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Cjhmnc32.exe
        
        C:\Windows\system32\Cjhmnc32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        130⤵
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        131⤵
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cjkjcb32.exe
        
        C:\Windows\system32\Cjkjcb32.exe
        133⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Ehjjhefp.exe
        
        C:\Windows\system32\Ehjjhefp.exe
        134⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Ekifdqec.exe
        
        C:\Windows\system32\Ekifdqec.exe
        135⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Emgbqldg.exe
        
        C:\Windows\system32\Emgbqldg.exe
        136⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Eeokaiei.exe
        
        C:\Windows\system32\Eeokaiei.exe
        137⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ehmgne32.exe
        
        C:\Windows\system32\Ehmgne32.exe
        138⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ekkcjp32.exe
        
        C:\Windows\system32\Ekkcjp32.exe
        139⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Emjofl32.exe
        
        C:\Windows\system32\Emjofl32.exe
        140⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Edcgcfja.exe
        
        C:\Windows\system32\Edcgcfja.exe
        141⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Egbdoaie.exe
        
        C:\Windows\system32\Egbdoaie.exe
        142⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Emlllk32.exe
        
        C:\Windows\system32\Emlllk32.exe
        143⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Eaghljhk.exe
        
        C:\Windows\system32\Eaghljhk.exe
        144⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Edfdhego.exe
        
        C:\Windows\system32\Edfdhego.exe
        145⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Egdqdagb.exe
        
        C:\Windows\system32\Egdqdagb.exe
        146⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Eokhfn32.exe
        
        C:\Windows\system32\Eokhfn32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Eeeqbhoa.exe
        
        C:\Windows\system32\Eeeqbhoa.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Ehdmodne.exe
        
        C:\Windows\system32\Ehdmodne.exe
        149⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ekbikomi.exe
        
        C:\Windows\system32\Ekbikomi.exe
        150⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Emqegkll.exe
        
        C:\Windows\system32\Emqegkll.exe
        151⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Eehnhhmo.exe
        
        C:\Windows\system32\Eehnhhmo.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Fkdfpokf.exe
        
        C:\Windows\system32\Fkdfpokf.exe
        153⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Fncblj32.exe
        
        C:\Windows\system32\Fncblj32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:972
        
        C:\Windows\SysWOW64\Fejjnh32.exe
        
        C:\Windows\system32\Fejjnh32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Fhhfjc32.exe
        
        C:\Windows\system32\Fhhfjc32.exe
        156⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Fobofmal.exe
        
        C:\Windows\system32\Fobofmal.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Femgcg32.exe
        
        C:\Windows\system32\Femgcg32.exe
        158⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Fdogodpd.exe
        
        C:\Windows\system32\Fdogodpd.exe
        159⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Fgnckpog.exe
        
        C:\Windows\system32\Fgnckpog.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Fkiokn32.exe
        
        C:\Windows\system32\Fkiokn32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Fnhlgjfd.exe
        
        C:\Windows\system32\Fnhlgjfd.exe
        162⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Feochgff.exe
        
        C:\Windows\system32\Feochgff.exe
        163⤵
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Fdaddd32.exe
        
        C:\Windows\system32\Fdaddd32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Fkllanen.exe
        
        C:\Windows\system32\Fkllanen.exe
        165⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Fogham32.exe
        
        C:\Windows\system32\Fogham32.exe
        166⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Faednh32.exe
        
        C:\Windows\system32\Faednh32.exe
        167⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Fddqjc32.exe
        
        C:\Windows\system32\Fddqjc32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Fgbmfo32.exe
        
        C:\Windows\system32\Fgbmfo32.exe
        169⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Foiegl32.exe
        
        C:\Windows\system32\Foiegl32.exe
        170⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Fnlebibo.exe
        
        C:\Windows\system32\Fnlebibo.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Gecmcf32.exe
        
        C:\Windows\system32\Gecmcf32.exe
        172⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ghbipb32.exe
        
        C:\Windows\system32\Ghbipb32.exe
        173⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Gkpelm32.exe
        
        C:\Windows\system32\Gkpelm32.exe
        174⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Golamlib.exe
        
        C:\Windows\system32\Golamlib.exe
        175⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Gajnighe.exe
        
        C:\Windows\system32\Gajnighe.exe
        176⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Gdijecgi.exe
        
        C:\Windows\system32\Gdijecgi.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\Gggfanfm.exe
        
        C:\Windows\system32\Gggfanfm.exe
        178⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Gonnblgo.exe
        
        C:\Windows\system32\Gonnblgo.exe
        179⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Gamjngfc.exe
        
        C:\Windows\system32\Gamjngfc.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\Gdkgjb32.exe
        
        C:\Windows\system32\Gdkgjb32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Ggicfn32.exe
        
        C:\Windows\system32\Ggicfn32.exe
        182⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Gnckchlg.exe
        
        C:\Windows\system32\Gnckchlg.exe
        183⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Gekcdeli.exe
        
        C:\Windows\system32\Gekcdeli.exe
        184⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Ghioqqlm.exe
        
        C:\Windows\system32\Ghioqqlm.exe
        185⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Gkglmlkq.exe
        
        C:\Windows\system32\Gkglmlkq.exe
        186⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Gnfhihjd.exe
        
        C:\Windows\system32\Gnfhihjd.exe
        187⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Gfmpjejf.exe
        
        C:\Windows\system32\Gfmpjejf.exe
        188⤵
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Gdppeb32.exe
        
        C:\Windows\system32\Gdppeb32.exe
        189⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Goedbkag.exe
        
        C:\Windows\system32\Goedbkag.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Hacqofpk.exe
        
        C:\Windows\system32\Hacqofpk.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Hdbmkaoo.exe
        
        C:\Windows\system32\Hdbmkaoo.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\Hhnilp32.exe
        
        C:\Windows\system32\Hhnilp32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Hklehl32.exe
        
        C:\Windows\system32\Hklehl32.exe
        194⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Hohahjod.exe
        
        C:\Windows\system32\Hohahjod.exe
        195⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Hbfmdfnh.exe
        
        C:\Windows\system32\Hbfmdfnh.exe
        196⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Hhpeapee.exe
        
        C:\Windows\system32\Hhpeapee.exe
        197⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Hknamkdi.exe
        
        C:\Windows\system32\Hknamkdi.exe
        198⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Hnmnigdl.exe
        
        C:\Windows\system32\Hnmnigdl.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Hdgffq32.exe
        
        C:\Windows\system32\Hdgffq32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Holjci32.exe
        
        C:\Windows\system32\Holjci32.exe
        201⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Hdiclq32.exe
        
        C:\Windows\system32\Hdiclq32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Hggohl32.exe
        
        C:\Windows\system32\Hggohl32.exe
        203⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Hoogiiil.exe
        
        C:\Windows\system32\Hoogiiil.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Hbmcedhp.exe
        
        C:\Windows\system32\Hbmcedhp.exe
        205⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Hdkpapgd.exe
        
        C:\Windows\system32\Hdkpapgd.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Hgjlmlfg.exe
        
        C:\Windows\system32\Hgjlmlfg.exe
        207⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Hoadoigj.exe
        
        C:\Windows\system32\Hoadoigj.exe
        208⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Ibopkdfn.exe
        
        C:\Windows\system32\Ibopkdfn.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Idnlgpea.exe
        
        C:\Windows\system32\Idnlgpea.exe
        210⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Iglhckde.exe
        
        C:\Windows\system32\Iglhckde.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Iocqdh32.exe
        
        C:\Windows\system32\Iocqdh32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Ibampd32.exe
        
        C:\Windows\system32\Ibampd32.exe
        213⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Idpilp32.exe
        
        C:\Windows\system32\Idpilp32.exe
        214⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Igoehk32.exe
        
        C:\Windows\system32\Igoehk32.exe
        215⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Inhneeio.exe
        
        C:\Windows\system32\Inhneeio.exe
        216⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Ifpefbja.exe
        
        C:\Windows\system32\Ifpefbja.exe
        217⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Igabnk32.exe
        
        C:\Windows\system32\Igabnk32.exe
        218⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Inkjkd32.exe
        
        C:\Windows\system32\Inkjkd32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Ifbblb32.exe
        
        C:\Windows\system32\Ifbblb32.exe
        220⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Iipohm32.exe
        
        C:\Windows\system32\Iipohm32.exe
        221⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ikokdi32.exe
        
        C:\Windows\system32\Ikokdi32.exe
        222⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Inmgpd32.exe
        
        C:\Windows\system32\Inmgpd32.exe
        223⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Iegomnmf.exe
        
        C:\Windows\system32\Iegomnmf.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Igekijlj.exe
        
        C:\Windows\system32\Igekijlj.exe
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\Iomcjgml.exe
        
        C:\Windows\system32\Iomcjgml.exe
        226⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Jbkpfb32.exe
        
        C:\Windows\system32\Jbkpfb32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Jiehcmcm.exe
        
        C:\Windows\system32\Jiehcmcm.exe
        228⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Jooppg32.exe
        
        C:\Windows\system32\Jooppg32.exe
        229⤵
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Jnbpkcad.exe
        
        C:\Windows\system32\Jnbpkcad.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7400
        
        C:\Windows\SysWOW64\Jelihn32.exe
        
        C:\Windows\system32\Jelihn32.exe
        231⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Jkfaehpn.exe
        
        C:\Windows\system32\Jkfaehpn.exe
        232⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Jndmacoa.exe
        
        C:\Windows\system32\Jndmacoa.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Jfkebq32.exe
        
        C:\Windows\system32\Jfkebq32.exe
        234⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Jijanl32.exe
        
        C:\Windows\system32\Jijanl32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Jkhnjg32.exe
        
        C:\Windows\system32\Jkhnjg32.exe
        236⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Jbbfgafh.exe
        
        C:\Windows\system32\Jbbfgafh.exe
        237⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Jeqbcmel.exe
        
        C:\Windows\system32\Jeqbcmel.exe
        238⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Jgonohdp.exe
        
        C:\Windows\system32\Jgonohdp.exe
        239⤵
        Drops file in System32 directory
        
        PID:7884
        
        C:\Windows\SysWOW64\Jpffqfdb.exe
        
        C:\Windows\system32\Jpffqfdb.exe
        240⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Jbdbmace.exe
        
        C:\Windows\system32\Jbdbmace.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8036
        
        C:\Windows\SysWOW64\Jecoimci.exe
        
        C:\Windows\system32\Jecoimci.exe
        242⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Jgakeh32.exe
        
        C:\Windows\system32\Jgakeh32.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:8128
        
        C:\Windows\SysWOW64\Kphcfe32.exe
        
        C:\Windows\system32\Kphcfe32.exe
        244⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Kbgoba32.exe
        
        C:\Windows\system32\Kbgoba32.exe
        245⤵
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Keeknl32.exe
        
        C:\Windows\system32\Keeknl32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7272
        
        C:\Windows\SysWOW64\Kgchjh32.exe
        
        C:\Windows\system32\Kgchjh32.exe
        247⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Kpkple32.exe
        
        C:\Windows\system32\Kpkple32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7412
        
        C:\Windows\SysWOW64\Kfehhohi.exe
        
        C:\Windows\system32\Kfehhohi.exe
        249⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Keghdl32.exe
        
        C:\Windows\system32\Keghdl32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\Klapqf32.exe
        
        C:\Windows\system32\Klapqf32.exe
        251⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Kieajj32.exe
        
        C:\Windows\system32\Kieajj32.exe
        252⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Kppigdlg.exe
        
        C:\Windows\system32\Kppigdlg.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7864
        
        C:\Windows\SysWOW64\Kelaokko.exe
        
        C:\Windows\system32\Kelaokko.exe
        254⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Khknkgjb.exe
        
        C:\Windows\system32\Khknkgjb.exe
        255⤵
        Drops file in System32 directory
        
        PID:8100
        
        C:\Windows\SysWOW64\Kpbfld32.exe
        
        C:\Windows\system32\Kpbfld32.exe
        256⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Kijjejae.exe
        
        C:\Windows\system32\Kijjejae.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7232
        
        C:\Windows\SysWOW64\Leakjk32.exe
        
        C:\Windows\system32\Leakjk32.exe
        258⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Llkcgenf.exe
        
        C:\Windows\system32\Llkcgenf.exe
        259⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Lbekcoec.exe
        
        C:\Windows\system32\Lbekcoec.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:7584
        
        C:\Windows\SysWOW64\Lnllhp32.exe
        
        C:\Windows\system32\Lnllhp32.exe
        261⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Leedejbd.exe
        
        C:\Windows\system32\Leedejbd.exe
        262⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Llpmbd32.exe
        
        C:\Windows\system32\Llpmbd32.exe
        263⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Lbieon32.exe
        
        C:\Windows\system32\Lbieon32.exe
        264⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Llbigdhn.exe
        
        C:\Windows\system32\Llbigdhn.exe
        265⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Memjfill.exe
        
        C:\Windows\system32\Memjfill.exe
        266⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Mpbocblb.exe
        
        C:\Windows\system32\Mpbocblb.exe
        267⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7728
        
        C:\Windows\SysWOW64\Moeooo32.exe
        
        C:\Windows\system32\Moeooo32.exe
        268⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Mpdkiajo.exe
        
        C:\Windows\system32\Mpdkiajo.exe
        269⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Mfocelal.exe
        
        C:\Windows\system32\Mfocelal.exe
        270⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Mhppmd32.exe
        
        C:\Windows\system32\Mhppmd32.exe
        271⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Mlklnbpc.exe
        
        C:\Windows\system32\Mlklnbpc.exe
        272⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Mfapkkpi.exe
        
        C:\Windows\system32\Mfapkkpi.exe
        273⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Miomggom.exe
        
        C:\Windows\system32\Miomggom.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Moleonmd.exe
        
        C:\Windows\system32\Moleonmd.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8072
        
        C:\Windows\SysWOW64\Mfcmqknf.exe
        
        C:\Windows\system32\Mfcmqknf.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7248
        
        C:\Windows\SysWOW64\Nhdjhcce.exe
        
        C:\Windows\system32\Nhdjhcce.exe
        277⤵
        Modifies registry class
        
        PID:8204
        
        C:\Windows\SysWOW64\Nonbem32.exe
        
        C:\Windows\system32\Nonbem32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Nidfbf32.exe
        
        C:\Windows\system32\Nidfbf32.exe
        279⤵
        Modifies registry class
        
        PID:8292
        
        C:\Windows\SysWOW64\Noqojm32.exe
        
        C:\Windows\system32\Noqojm32.exe
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:8336
        
        C:\Windows\SysWOW64\Nekgggpl.exe
        
        C:\Windows\system32\Nekgggpl.exe
        281⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Nockpmgl.exe
        
        C:\Windows\system32\Nockpmgl.exe
        282⤵
        Modifies registry class
        
        PID:8424
        
        C:\Windows\SysWOW64\Ngjcajgo.exe
        
        C:\Windows\system32\Ngjcajgo.exe
        283⤵
        Drops file in System32 directory
        
        PID:8468
        
        C:\Windows\SysWOW64\Nhkpib32.exe
        
        C:\Windows\system32\Nhkpib32.exe
        284⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8512
        
        C:\Windows\SysWOW64\Noehelej.exe
        
        C:\Windows\system32\Noehelej.exe
        285⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8556
        
        C:\Windows\SysWOW64\Neopbf32.exe
        
        C:\Windows\system32\Neopbf32.exe
        286⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Nlihoq32.exe
        
        C:\Windows\system32\Nlihoq32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8644
        
        C:\Windows\SysWOW64\Ngomli32.exe
        
        C:\Windows\system32\Ngomli32.exe
        288⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Oimihe32.exe
        
        C:\Windows\system32\Oimihe32.exe
        289⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Ocfmajin.exe
        
        C:\Windows\system32\Ocfmajin.exe
        290⤵
        Drops file in System32 directory
        
        PID:8776
        
        C:\Windows\SysWOW64\Oipend32.exe
        
        C:\Windows\system32\Oipend32.exe
        291⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Opjnko32.exe
        
        C:\Windows\system32\Opjnko32.exe
        292⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Oheboa32.exe
        
        C:\Windows\system32\Oheboa32.exe
        293⤵
        Modifies registry class
        
        PID:8916
        
        C:\Windows\SysWOW64\Olpoppnk.exe
        
        C:\Windows\system32\Olpoppnk.exe
        294⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Ocjglj32.exe
        
        C:\Windows\system32\Ocjglj32.exe
        295⤵
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Olbkeoki.exe
        
        C:\Windows\system32\Olbkeoki.exe
        296⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Oekpnebi.exe
        
        C:\Windows\system32\Oekpnebi.exe
        297⤵
        Drops file in System32 directory
        
        PID:9124
        
        C:\Windows\SysWOW64\Ocopgiac.exe
        
        C:\Windows\system32\Ocopgiac.exe
        298⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Phlippoj.exe
        
        C:\Windows\system32\Phlippoj.exe
        299⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Pgminggi.exe
        
        C:\Windows\system32\Pgminggi.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8244
        
        C:\Windows\SysWOW64\Pcdjbh32.exe
        
        C:\Windows\system32\Pcdjbh32.exe
        301⤵
        Drops file in System32 directory
        
        PID:8320
        
        C:\Windows\SysWOW64\Pojjgiba.exe
        
        C:\Windows\system32\Pojjgiba.exe
        302⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Pgdonf32.exe
        
        C:\Windows\system32\Pgdonf32.exe
        303⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Poodbi32.exe
        
        C:\Windows\system32\Poodbi32.exe
        304⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Qjehpanb.exe
        
        C:\Windows\system32\Qjehpanb.exe
        305⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Qoaqhhlj.exe
        
        C:\Windows\system32\Qoaqhhlj.exe
        306⤵
        Modifies registry class
        
        PID:8588
        
        C:\Windows\SysWOW64\Qqambk32.exe
        
        C:\Windows\system32\Qqambk32.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8632
        
        C:\Windows\SysWOW64\Aqcjhkaj.exe
        
        C:\Windows\system32\Aqcjhkaj.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8728
        
        C:\Windows\SysWOW64\Ajlnqq32.exe
        
        C:\Windows\system32\Ajlnqq32.exe
        309⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Agpoje32.exe
        
        C:\Windows\system32\Agpoje32.exe
        310⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Aokcngdo.exe
        
        C:\Windows\system32\Aokcngdo.exe
        311⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Amodhkci.exe
        
        C:\Windows\system32\Amodhkci.exe
        312⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Aiedml32.exe
        
        C:\Windows\system32\Aiedml32.exe
        313⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Bopmif32.exe
        
        C:\Windows\system32\Bopmif32.exe
        314⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Bjeago32.exe
        
        C:\Windows\system32\Bjeago32.exe
        315⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Bflalped.exe
        
        C:\Windows\system32\Bflalped.exe
        316⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Bimkmk32.exe
        
        C:\Windows\system32\Bimkmk32.exe
        317⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Bfqkgp32.exe
        
        C:\Windows\system32\Bfqkgp32.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8500
        
        C:\Windows\SysWOW64\Bjlggnjh.exe
        
        C:\Windows\system32\Bjlggnjh.exe
        319⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Bcdkpdph.exe
        
        C:\Windows\system32\Bcdkpdph.exe
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:8612
        
        C:\Windows\SysWOW64\Biadhkop.exe
        
        C:\Windows\system32\Biadhkop.exe
        321⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Cqhljhob.exe
        
        C:\Windows\system32\Cqhljhob.exe
        322⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Cfedbomi.exe
        
        C:\Windows\system32\Cfedbomi.exe
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:8968
        
        C:\Windows\SysWOW64\Cmaidicc.exe
        
        C:\Windows\system32\Cmaidicc.exe
        324⤵
        Drops file in System32 directory
        
        PID:9088
        
        C:\Windows\SysWOW64\Cppepdbg.exe
        
        C:\Windows\system32\Cppepdbg.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9208
        
        C:\Windows\SysWOW64\Cihjij32.exe
        
        C:\Windows\system32\Cihjij32.exe
        326⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Cjhfcm32.exe
        
        C:\Windows\system32\Cjhfcm32.exe
        327⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Ccpklbfk.exe
        
        C:\Windows\system32\Ccpklbfk.exe
        328⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cfoghneo.exe
        
        C:\Windows\system32\Cfoghneo.exe
        329⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Cmipeh32.exe
        
        C:\Windows\system32\Cmipeh32.exe
        330⤵
        Modifies registry class
        
        PID:8856
        
        C:\Windows\SysWOW64\Dpglac32.exe
        
        C:\Windows\system32\Dpglac32.exe
        331⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Dcbhabdh.exe
        
        C:\Windows\system32\Dcbhabdh.exe
        332⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Dfadnmcl.exe
        
        C:\Windows\system32\Dfadnmcl.exe
        333⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Diopji32.exe
        
        C:\Windows\system32\Diopji32.exe
        334⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Dafhkf32.exe
        
        C:\Windows\system32\Dafhkf32.exe
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:8812
        
        C:\Windows\SysWOW64\Dcedga32.exe
        
        C:\Windows\system32\Dcedga32.exe
        336⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Dfcqcm32.exe
        
        C:\Windows\system32\Dfcqcm32.exe
        337⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Djomdljb.exe
        
        C:\Windows\system32\Djomdljb.exe
        338⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9312
        
        C:\Windows\SysWOW64\Daieqf32.exe
        
        C:\Windows\system32\Daieqf32.exe
        339⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Dcgama32.exe
        
        C:\Windows\system32\Dcgama32.exe
        340⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9408
        
        C:\Windows\SysWOW64\Dffmim32.exe
        
        C:\Windows\system32\Dffmim32.exe
        341⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Didjeh32.exe
        
        C:\Windows\system32\Didjeh32.exe
        342⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Dakafeol.exe
        
        C:\Windows\system32\Dakafeol.exe
        343⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Ddjnbanp.exe
        
        C:\Windows\system32\Ddjnbanp.exe
        344⤵
        Drops file in System32 directory
        
        PID:9592
        
        C:\Windows\SysWOW64\Djcfok32.exe
        
        C:\Windows\system32\Djcfok32.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9636
        
        C:\Windows\SysWOW64\Ddlkhqln.exe
        
        C:\Windows\system32\Ddlkhqln.exe
        346⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Diicpgje.exe
        
        C:\Windows\system32\Diicpgje.exe
        347⤵
        Drops file in System32 directory
        
        PID:9724
        
        C:\Windows\SysWOW64\Efmcil32.exe
        
        C:\Windows\system32\Efmcil32.exe
        348⤵
        Modifies registry class
        
        PID:9764
        
        C:\Windows\SysWOW64\Ejklpjpe.exe
        
        C:\Windows\system32\Ejklpjpe.exe
        349⤵
        Drops file in System32 directory
        
        PID:9812
        
        C:\Windows\SysWOW64\Ehomin32.exe
        
        C:\Windows\system32\Ehomin32.exe
        350⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\Ejmiej32.exe
        
        C:\Windows\system32\Ejmiej32.exe
        351⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Eagabceo.exe
        
        C:\Windows\system32\Eagabceo.exe
        352⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Emnbgd32.exe
        
        C:\Windows\system32\Emnbgd32.exe
        353⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Edhjco32.exe
        
        C:\Windows\system32\Edhjco32.exe
        354⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Ekabpiim.exe
        
        C:\Windows\system32\Ekabpiim.exe
        355⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Fhecjmhf.exe
        
        C:\Windows\system32\Fhecjmhf.exe
        356⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Fpagnpea.exe
        
        C:\Windows\system32\Fpagnpea.exe
        357⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Fpcdco32.exe
        
        C:\Windows\system32\Fpcdco32.exe
        358⤵
        Modifies registry class
        
        PID:10216
        
        C:\Windows\SysWOW64\Fkihah32.exe
        
        C:\Windows\system32\Fkihah32.exe
        359⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Fpeaio32.exe
        
        C:\Windows\system32\Fpeaio32.exe
        360⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Fkkefgab.exe
        
        C:\Windows\system32\Fkkefgab.exe
        361⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Fgbfkh32.exe
        
        C:\Windows\system32\Fgbfkh32.exe
        362⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Gipbgd32.exe
        
        C:\Windows\system32\Gipbgd32.exe
        363⤵
        Modifies registry class
        
        PID:9544
        
        C:\Windows\SysWOW64\Gagjia32.exe
        
        C:\Windows\system32\Gagjia32.exe
        364⤵
        Drops file in System32 directory
        
        PID:9600
        
        C:\Windows\SysWOW64\Gkpoag32.exe
        
        C:\Windows\system32\Gkpoag32.exe
        365⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\Gmqgcb32.exe
        
        C:\Windows\system32\Gmqgcb32.exe
        366⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1448
        
        C:\Windows\SysWOW64\Gdjpplak.exe
        
        C:\Windows\system32\Gdjpplak.exe
        367⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Gpaqemgo.exe
        
        C:\Windows\system32\Gpaqemgo.exe
        368⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Gneanafi.exe
        
        C:\Windows\system32\Gneanafi.exe
        369⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Hgnegg32.exe
        
        C:\Windows\system32\Hgnegg32.exe
        370⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Hacjdplo.exe
        
        C:\Windows\system32\Hacjdplo.exe
        371⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10080
        
        C:\Windows\SysWOW64\Hgpbmfkf.exe
        
        C:\Windows\system32\Hgpbmfkf.exe
        372⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Hnjjiq32.exe
        
        C:\Windows\system32\Hnjjiq32.exe
        373⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Hphgel32.exe
        
        C:\Windows\system32\Hphgel32.exe
        374⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Hhoogi32.exe
        
        C:\Windows\system32\Hhoogi32.exe
        375⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Hknkce32.exe
        
        C:\Windows\system32\Hknkce32.exe
        376⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Hnlgop32.exe
        
        C:\Windows\system32\Hnlgop32.exe
        377⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Hpkcklod.exe
        
        C:\Windows\system32\Hpkcklod.exe
        378⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Hhaklipf.exe
        
        C:\Windows\system32\Hhaklipf.exe
        379⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Hkpghdoj.exe
        
        C:\Windows\system32\Hkpghdoj.exe
        380⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9872
        
        C:\Windows\SysWOW64\Hnoddpnn.exe
        
        C:\Windows\system32\Hnoddpnn.exe
        381⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Hdhlaj32.exe
        
        C:\Windows\system32\Hdhlaj32.exe
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:10096
        
        C:\Windows\SysWOW64\Hkbdndmh.exe
        
        C:\Windows\system32\Hkbdndmh.exe
        383⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Hnaqjplk.exe
        
        C:\Windows\system32\Hnaqjplk.exe
        384⤵
        Modifies registry class
        
        PID:9328
        
        C:\Windows\SysWOW64\Hpomfkko.exe
        
        C:\Windows\system32\Hpomfkko.exe
        385⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Hhfegh32.exe
        
        C:\Windows\system32\Hhfegh32.exe
        386⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Incmpo32.exe
        
        C:\Windows\system32\Incmpo32.exe
        387⤵
        Modifies registry class
        
        PID:9748
        
        C:\Windows\SysWOW64\Ihiamh32.exe
        
        C:\Windows\system32\Ihiamh32.exe
        388⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Ikgnic32.exe
        
        C:\Windows\system32\Ikgnic32.exe
        389⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Inejeo32.exe
        
        C:\Windows\system32\Inejeo32.exe
        390⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Idpbbioc.exe
        
        C:\Windows\system32\Idpbbioc.exe
        391⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Ignnnd32.exe
        
        C:\Windows\system32\Ignnnd32.exe
        392⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Ijlkjp32.exe
        
        C:\Windows\system32\Ijlkjp32.exe
        393⤵
        Modifies registry class
        
        PID:9896
        
        C:\Windows\SysWOW64\Iacbkm32.exe
        
        C:\Windows\system32\Iacbkm32.exe
        394⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10076
        
        C:\Windows\SysWOW64\Ihmkhgfi.exe
        
        C:\Windows\system32\Ihmkhgfi.exe
        395⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Igpkcd32.exe
        
        C:\Windows\system32\Igpkcd32.exe
        396⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\Ijogpp32.exe
        
        C:\Windows\system32\Ijogpp32.exe
        397⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Injcpndq.exe
        
        C:\Windows\system32\Injcpndq.exe
        398⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Ibfoam32.exe
        
        C:\Windows\system32\Ibfoam32.exe
        399⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\Iddlmh32.exe
        
        C:\Windows\system32\Iddlmh32.exe
        400⤵
        Drops file in System32 directory
        
        PID:9944
        
        C:\Windows\SysWOW64\Ihpgngcf.exe
        
        C:\Windows\system32\Ihpgngcf.exe
        401⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\Ikndjb32.exe
        
        C:\Windows\system32\Ikndjb32.exe
        402⤵
        System Location Discovery: System Language Discovery
        
        PID:10316
        
        C:\Windows\SysWOW64\Inmpfn32.exe
        
        C:\Windows\system32\Inmpfn32.exe
        403⤵
        Drops file in System32 directory
        
        PID:10352
        
        C:\Windows\SysWOW64\Iqklbi32.exe
        
        C:\Windows\system32\Iqklbi32.exe
        404⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\Jgedocho.exe
        
        C:\Windows\system32\Jgedocho.exe
        405⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Jhdaif32.exe
        
        C:\Windows\system32\Jhdaif32.exe
        406⤵
        Drops file in System32 directory
        
        PID:10468
        
        C:\Windows\SysWOW64\Jjfnpo32.exe
        
        C:\Windows\system32\Jjfnpo32.exe
        407⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10504
        
        C:\Windows\SysWOW64\Jhgnnfno.exe
        
        C:\Windows\system32\Jhgnnfno.exe
        408⤵
        Drops file in System32 directory
        
        PID:10544
        
        C:\Windows\SysWOW64\Jbobgl32.exe
        
        C:\Windows\system32\Jbobgl32.exe
        409⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10580
        
        C:\Windows\SysWOW64\Jqdohh32.exe
        
        C:\Windows\system32\Jqdohh32.exe
        410⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Jjmcanog.exe
        
        C:\Windows\system32\Jjmcanog.exe
        411⤵
        System Location Discovery: System Language Discovery
        
        PID:10652
        
        C:\Windows\SysWOW64\Kdbhnfon.exe
        
        C:\Windows\system32\Kdbhnfon.exe
        412⤵
        Modifies registry class
        
        PID:10688
        
        C:\Windows\SysWOW64\Kklpkq32.exe
        
        C:\Windows\system32\Kklpkq32.exe
        413⤵
        System Location Discovery: System Language Discovery
        
        PID:10728
        
        C:\Windows\SysWOW64\Kedddf32.exe
        
        C:\Windows\system32\Kedddf32.exe
        414⤵
        Modifies registry class
        
        PID:10764
        
        C:\Windows\SysWOW64\Kkomqpdh.exe
        
        C:\Windows\system32\Kkomqpdh.exe
        415⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\Kibmjdca.exe
        
        C:\Windows\system32\Kibmjdca.exe
        416⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10836
        
        C:\Windows\SysWOW64\Kanbng32.exe
        
        C:\Windows\system32\Kanbng32.exe
        417⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Kelkdegc.exe
        
        C:\Windows\system32\Kelkdegc.exe
        418⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Labkif32.exe
        
        C:\Windows\system32\Labkif32.exe
        419⤵
        Modifies registry class
        
        PID:10956
        
        C:\Windows\SysWOW64\Lkhpgolm.exe
        
        C:\Windows\system32\Lkhpgolm.exe
        420⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10992
        
        C:\Windows\SysWOW64\Ljmmhk32.exe
        
        C:\Windows\system32\Ljmmhk32.exe
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:11028
        
        C:\Windows\SysWOW64\Llmibn32.exe
        
        C:\Windows\system32\Llmibn32.exe
        422⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Liqikb32.exe
        
        C:\Windows\system32\Liqikb32.exe
        423⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\Lalnpe32.exe
        
        C:\Windows\system32\Lalnpe32.exe
        424⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\Lhfflo32.exe
        
        C:\Windows\system32\Lhfflo32.exe
        425⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Mankedbj.exe
        
        C:\Windows\system32\Mankedbj.exe
        426⤵
        Modifies registry class
        
        PID:11216
        
        C:\Windows\SysWOW64\Mhjpgn32.exe
        
        C:\Windows\system32\Mhjpgn32.exe
        427⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11252
        
        C:\Windows\SysWOW64\Macdpd32.exe
        
        C:\Windows\system32\Macdpd32.exe
        428⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Maeafc32.exe
        
        C:\Windows\system32\Maeafc32.exe
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:10308
        
        C:\Windows\SysWOW64\Mecjlb32.exe
        
        C:\Windows\system32\Mecjlb32.exe
        430⤵
        Modifies registry class
        
        PID:7496
        
        C:\Windows\SysWOW64\Najjachl.exe
        
        C:\Windows\system32\Najjachl.exe
        431⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Njbojh32.exe
        
        C:\Windows\system32\Njbojh32.exe
        432⤵
        System Location Discovery: System Language Discovery
        
        PID:10380
        
        C:\Windows\SysWOW64\Nicohp32.exe
        
        C:\Windows\system32\Nicohp32.exe
        433⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\Nlakdk32.exe
        
        C:\Windows\system32\Nlakdk32.exe
        434⤵
        Modifies registry class
        
        PID:10488
        
        C:\Windows\SysWOW64\Nophpg32.exe
        
        C:\Windows\system32\Nophpg32.exe
        435⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\Nhhlilld.exe
        
        C:\Windows\system32\Nhhlilld.exe
        436⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\Naaqabbd.exe
        
        C:\Windows\system32\Naaqabbd.exe
        437⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Nhkinl32.exe
        
        C:\Windows\system32\Nhkinl32.exe
        438⤵
        Modifies registry class
        
        PID:10684
        
        C:\Windows\SysWOW64\Nbpmle32.exe
        
        C:\Windows\system32\Nbpmle32.exe
        439⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\Nhmedl32.exe
        
        C:\Windows\system32\Nhmedl32.exe
        440⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Oognqfok.exe
        
        C:\Windows\system32\Oognqfok.exe
        441⤵
        System Location Discovery: System Language Discovery
        
        PID:10860
        
        C:\Windows\SysWOW64\Oeafmpfh.exe
        
        C:\Windows\system32\Oeafmpfh.exe
        442⤵
        Drops file in System32 directory
        
        PID:10944
        
        C:\Windows\SysWOW64\Oahgba32.exe
        
        C:\Windows\system32\Oahgba32.exe
        443⤵
        NTFS ADS
        
        PID:11000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11000 -s 408
        444⤵
        Program crash
        
        PID:11128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 11000 -ip 11000
1⤵
PID:11096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alobfh32.dll

Filesize
7KB

MD5
f416838ab4d0b40c6ac9760df69af2ce

SHA1
2e7c784637df29db7008503895e53b7fbac69ad0

SHA256
3ef3bc123c45f6430b0ac98ca5af4c2b4b91849388761f3ed96bc1523a9c4b2d

SHA512
95674e7424cc165fc22f1327dd0b2f4b1e5b67ce63fe31de61ecc94a41568eac94ba70461e954f53ca0241f2d91dc555c74d05d1ef46dfe19376d310ffc150d4

Download Submit
C:\Windows\SysWOW64\Bjeago32.exe

Filesize
128KB

MD5
74dbaefca52c4ec2ce498019793e40ce

SHA1
62ed660141de00336fe67d38316eca5b3dd18995

SHA256
245e8dd1c80b4c5d8c982ce23c14a098d72e623005006f8f0fb17df28c74203f

SHA512
bc6f8c687626ac9aef491c13d548605115f02474af57b054b8ef92f135f6145947dce2bc36f6b652c99cdc1d3390aa55acec558b681c3f4bd8e3b591ba4fb353

Download Submit
C:\Windows\SysWOW64\Bmngcp32.exe

Filesize
128KB

MD5
aea65d06afb16231a364cb916d8a8e44

SHA1
0c84b76566f68af87c4af3a50ab5ca79de3ab96f

SHA256
1e1f5763d9974857f0e5964efac872a1e72047d33a902e56457aba2883ba07d3

SHA512
b31e31f07f878a17f0a28aeaa067d74e0b4ff7b5911a27bf543bf0310c4e944c8b92c0ed4199f73f1fc46ec4a83f05be47934cfd1f33786cd4db0492c4a95b8a

Download Submit
C:\Windows\SysWOW64\Cdlhki32.exe

Filesize
128KB

MD5
3f6efcfc9d99721687150a3c4998715d

SHA1
892b5e764c534f0e1836c9952d104e620c0148d7

SHA256
cf2ac4d0cb2573970ecf07b9d68459ae530a7537b6fea3c5c8eb38a8a0731495

SHA512
2cdc45bf44687277d6697631d3c8d90c0d2d75d5e26c64651e0480a3aedbd39d0cb3cafbd92de4733382de9f2a52df5f5274ec436a2a1a800ff8a45a64464e40

Download Submit
C:\Windows\SysWOW64\Cfedbomi.exe

Filesize
128KB

MD5
6439455a0529a8e54c27dce2ce860076

SHA1
2cc19573c42695f8afac8fe516293ac6ac73a2de

SHA256
2f8cc8f97a62bff9e94b46e8305635c1f2ab0e5b47d18464a65016605bc412eb

SHA512
d051aa0486eadf08aa5f6be7703be685307ac01c3d39f13ac8a39beac2287c73ed15ff931a19e8cc1205f6ad18daf45d01e30bc77f832496e6ec20749a9b509a

Download Submit
C:\Windows\SysWOW64\Cihjij32.exe

Filesize
128KB

MD5
84be85f5cb2f06f84e6ca65a929f80ae

SHA1
6f6aa4cf99c3a455bb7c038a98b2e5a188346715

SHA256
b252cc67e62f39e654198ca0e3ba875959c1f185bbea90b6cc3720d9a0582c6e

SHA512
d0de39d71ddb0552813b39bb2ce119f0b9396e449fff24a623b4ab4b5da99df74d1a08b85ce892c5fb2335cf7a165d6106ce5efccfd951ef55c83a0becc63540

Download Submit
C:\Windows\SysWOW64\Cmipeh32.exe

Filesize
128KB

MD5
d4ae0493cb553c9a03370f2ebd457a3b

SHA1
a7b9d666c954353f9029eaa075f54ce764fe1288

SHA256
05313caeaecd1870ee913a01a683a5efad2fd39929685bac6464be986eca4ffd

SHA512
14e8436d5ab56cb39a2a4e9ad539c0400b411643c49c3d2a06b833bdaeadfdc27bf425c17d7e184fb448de5da53062b1e03bd040f8ecdbf1c69002edf12e8c26

Download Submit
C:\Windows\SysWOW64\Cqhljhob.exe

Filesize
128KB

MD5
697ba3743bdb3b82df6e11af9bdb2b90

SHA1
d6b7b56e169d509a45a2d90852d39eb29ba30888

SHA256
75875cf5de846f54c80a276e4c092fd36bd63b4a623dd68ab5795a796aecfcc3

SHA512
a55d0fd90de6a412f2543c2c2f4783b1b4a0901fcc9aad52f0fbfe098c0c302c044f42348950a694c25db2104e626ae6339cda6418f493d4b184cc1a829f7916

Download Submit
C:\Windows\SysWOW64\Ddjnbanp.exe

Filesize
128KB

MD5
4cf5d18de7bd45eaf4cd4a6c3bae88f5

SHA1
50c50a8c68eaf5ea93dd1b4920007bd3fb97d3c0

SHA256
fcebd3aae1bbd3ee6e8ea946f1622d1c67f58e08bdcbd7d745e4cc8252c91389

SHA512
81ae8b64e4adfe61d5ef0bff4c2e3db733a39d18a56698434fd8239d911961a4559ad9cc56bb619c1a2310a098e72f92205cf3869eb27bd8d82560e939cb624d

Download Submit
C:\Windows\SysWOW64\Ddlkhqln.exe

Filesize
128KB

MD5
54bd026697dca4f3ba987218cf92df15

SHA1
55b0b53ca75d207a1f8e3309dd7a6164167ca12b

SHA256
332838d141ee5262c06b8e4daafcd20232676eb6c8e042a388407d710321cce6

SHA512
7cdfbe33eba30fcb7b2cb7bbcebda66a928a221c60bc5827c9fac1acd14c7c46dc892dad676090155bd2324151c60fabeaa34ab3a756353ff82582ea0d789781

Download Submit
C:\Windows\SysWOW64\Ekbikomi.exe

Filesize
128KB

MD5
8fc5efc18e5a0f90d14e4a383cab9172

SHA1
1b2c5a2a11f53849aeaa0e594988e8a4191f070b

SHA256
4a7e6603da31f81bf5925361c622491b45a5cae3e55fe5e238606b691136af14

SHA512
efc1246b4708738ece2f29f225f3aa6964bf2dab6ad5a53f81782bf34399e09486a061f5284bff864d35cb373dedf86ea4aabf3687793409844d4859d3765067

Download Submit
C:\Windows\SysWOW64\Ekkcjp32.exe

Filesize
128KB

MD5
41e01076c31046ee5f6c0b8cad71ff69

SHA1
e27fd2e53a43547eb236c9f7eef51efa3d8563fb

SHA256
fcbeb9ba190471427d13334c4301512887cd8469283336e818c685100e98907d

SHA512
423fd1a0d2d8a0cf24db931c22ad38ff83c7624bd8bcdfdcef8f679988158e4d1c996894ca86e6fffa6ec53341e04c785ff90dd711f27cfa0d42985191cc001b

Download Submit
C:\Windows\SysWOW64\Emnbgd32.exe

Filesize
128KB

MD5
530a56ceec9613f592a0f13263f6914c

SHA1
d165a0aaf517957cb41fd8aaf2e420c5036b2c42

SHA256
0df490692d13fc71a4c8cdacaab44c2f5f8bb949fe7157c2fc39163a2d1db43a

SHA512
979167adbe80599a875c4f227837f4850f1db55c6c050f8367150564ff1b355914fbb116dddf476c14c10bc8ce70a8c8090cbfda7e03e0199bf806c37ea5657d

Download Submit
C:\Windows\SysWOW64\Fpagnpea.exe

Filesize
128KB

MD5
01ef4ec588299011e71183c9cedf3a25

SHA1
32337b6ea5cfe3f4d421e0a914fab33b1eb47227

SHA256
8075413a828e6ca2f37486a8f8dc57f4042f6d2fc6112d2056496415094abde1

SHA512
17f5b4d68f506a03488e9a903965f11502337d569aa657d851b7ec3055856680ef753f459574120d7c52519b848e1d43cba34e755cf181e132fe2f1fb41de453

Download Submit
C:\Windows\SysWOW64\Gdkgjb32.exe

Filesize
128KB

MD5
e28f84e07f2115acee6c26fedc9aae4e

SHA1
1ded4def86bbabd94c8b70bb2be895583488fdff

SHA256
ce19d040c3732671e9f2f3fbd19e1bc3e17c50fc1a8b1f454488885c3543d0e5

SHA512
e5362886ecf8154e65672f807c31ae3becc2cde0853bbb508b827e0c04956ab12ad22b9cbf7ec9044ff272ebd98497bfdfacb2cc8c193cd06af5f5d2987742c2

Download Submit
C:\Windows\SysWOW64\Gmqgcb32.exe

Filesize
128KB

MD5
60bfa267f041fd13b4a9b2dbaa7d3cba

SHA1
72aceed69ca94930fdf4ded73e4959190fb04729

SHA256
c1fee1028de1ae5ca3bf8fb2e295f78fc5be557ba7ff38ecda328e9895b7f923

SHA512
19f82c91ebba60862a07b4a6b5f202d39606091e3fad9827179cc1d3ce33b9d481e75e61e2602a2725611a5665d34577c2864d82d8304586a90a5924df57d594

Download Submit
C:\Windows\SysWOW64\Gnckchlg.exe

Filesize
128KB

MD5
a4f23330cf1cd88228d2534e2a8cfa39

SHA1
628a8571e41a6454f0a7faaafccff31a39f2ca5a

SHA256
ecc2311081c45fa7beda554c1a70320d4cceb169e489d5dfc6bc99def975e8f8

SHA512
d300878d490ff7d2266b2c2e739425f169957ef7fb04d738686855db3b8c2b238ee734cc7c7539be69f78e6ca081e2e5c366fd0f6059de93022608b8137488e5

Download Submit
C:\Windows\SysWOW64\Hggohl32.exe

Filesize
128KB

MD5
c715de5a3a208fd5e1fe23ba00383bc3

SHA1
e82e562933862471f177c4e2e0e8958569e2960c

SHA256
b5251f90bb54620dfb7e6b31a2937c55a7ff03d9904285a54d8ae395bf8d77b5

SHA512
f0d104f0cb10ba846daa1775cdc65c74bf0541c358ecfc2eb711e118320c8796f1edb3802d7ee65d6892321a44ae9bc7de56433bdab40bed115db301beb52d01

Download Submit
C:\Windows\SysWOW64\Hnoddpnn.exe

Filesize
128KB

MD5
d4487e6246d002ce53c9dc7e1b644b44

SHA1
53603baa518c67169865c1e5fc3e936bf68d761c

SHA256
da9375ff0c9ce8c8caedcce5e78f27805b8fdaff6fb6c7b6833a8c63d58101b0

SHA512
f7fa5ab7b2e0728abeff2f286a0335a518949f630bdb02acb1f8dfb55c6c2b709dae83307024d5665cc9e64dd9f69b092dc578be940e6d1bae1775d755b53d31

Download Submit
C:\Windows\SysWOW64\Holjci32.exe

Filesize
128KB

MD5
d27579f4af934045af2a9ccd4ab61e70

SHA1
c2f9c77aaa817ebb4df3d93b0b538c19e7329491

SHA256
0a9ef3eb2d4802f516e34ef0e5678a2b1cb34d49abbb7674acb69fa29a587a0b

SHA512
e6fba83eb49141835d9ff634ef9afe9181078622d38dc2b959bbbed6563ad32ac2d61b131aad31f14b68bd48869800329a87ad4346748ada071f48a888db3d2b

Download Submit
C:\Windows\SysWOW64\Ijlkjp32.exe

Filesize
64KB

MD5
3e7ada321550e0861f85cb843e6f6472

SHA1
331707a61bc9697ac5caeee44d4ed28b27310a74

SHA256
915a5fd36c506a2d12a598930a5e2a2490a9c06adf0a1e702da820f035b9a48a

SHA512
d45e9705846adf32d64e760e48af0e48d37f6f30c882b4417907bb12fa0654ad2ba89c30223a5f8f5e05e89313f6e7ea4688b18924534b747ec7e462217aeb33

Download Submit
C:\Windows\SysWOW64\Incmpo32.exe

Filesize
128KB

MD5
14c4a5b8c3f15496c20e421bc53a825b

SHA1
60fef84b4d2a01a04d9d6ea4863b16c8dcc70549

SHA256
13295ebd6b5d2d14f14133cd42f1e146d3cf348da7394a8ae6519e7a4eb188fd

SHA512
0bc31ecc920344d18805a5e34f90dae01125d3d313bd307ee750a8e984b688a5482caa1f515db4dfe87e63b94948fee5969b23a37df1a85230a456cef35fc2d5

Download Submit
C:\Windows\SysWOW64\Inhneeio.exe

Filesize
128KB

MD5
3b113dba56d717b6cb00a41d888671b9

SHA1
dc80a56960a8f3a893664b4fc0c516915209076a

SHA256
d18bfef07a2597a74d6fae81bb1d0bd73eaf98c8a2251a7027b8df3a06d04a7b

SHA512
0359f5d9e8fdea61895ac28262a4c56154754096fe2c9e8e9f43a8daaa8b64106c57be64856307a57af5036a27fb05bceb6da368abbef7a52a81b342c4d54273

Download Submit
C:\Windows\SysWOW64\Inkjkd32.exe

Filesize
128KB

MD5
102a6daa34d86249201362990db61668

SHA1
221f599ef512372d80d5daea73ff708fbe747104

SHA256
7a46695ab6da5846328bb9a68add673c3107e46ea4166147798d05a8a2adea19

SHA512
b91059fedb06f545a57662e4dccfc17dd915c4510fc7915e8c55373ce4bcf3574c8d223b8904047863b23ea3f5de888130cd5c191563529ea1243dfef2d607e3

Download Submit
C:\Windows\SysWOW64\Jbbfgafh.exe

Filesize
128KB

MD5
ab2e3fac80c5dffee3d699f7b752eb18

SHA1
59daa74bfb491bc14c1c44f064808f5080a6dd20

SHA256
58f2af456b6a7f1aa317badb43f6d724362209b5b0a3cbab875feb2070969698

SHA512
ea723debfcd56f78e0ebcedfe9bbfb6407471c260b9abf71f1661bb8bfdcbead68aeeed56ccf4c91dc49437ff0b9eb34fe7380294a86a5703bd2569425378d89

Download Submit
C:\Windows\SysWOW64\Jbobgl32.exe

Filesize
128KB

MD5
1fa234e84a2f1d0381062b30398cca47

SHA1
b845e84048515f927f4ad6bbab5336760b6071a0

SHA256
1a54a1e99013e9e6360b4d4c29b683d8ac965f59150faeb007075abd05d73e5c

SHA512
70092aa987915d8742cbf4fcca4ec3505d785e66d0c23743d50d7f50df0261495fb5173ea7b26a0f75528e9b6c6702f36d5910a58fecaab678548cb67b3cba28

Download Submit
C:\Windows\SysWOW64\Jgedocho.exe

Filesize
128KB

MD5
45558c0cea8e694f43ab7c4467e6ffc4

SHA1
9844b1399f0de2f965a943ba4feb976b60068d31

SHA256
182d6d883b640b371876b562dad724a341f4e11c50abb22fc46cdac6c7b4013d

SHA512
5bd659c71ba1242087c76f2850755004ad1cb4f85d354b67d37884f3d0bfe31c8e58e987ae1cce118a1a6aea4038849d892e6cd84458df9e96b2d6cf6a95fda1

Download Submit
C:\Windows\SysWOW64\Kanbng32.exe

Filesize
128KB

MD5
e97c8eb246112cf562da552528d61dae

SHA1
6c17b7e0c197d74afeb4b0f3829b5b7c195d2d81

SHA256
3323fbd29f14b869e0060046e985dad9caca8926c5da1ba3b26c9c492367edf3

SHA512
06798b88c65ac97f29acd76ed87418460468d620cdb09157e716f9ae107f09ee3ef155dc32491ec75652b66764e5c46716bc20f00c1be2b8c234e56d95238f87

Download Submit
C:\Windows\SysWOW64\Kijjejae.exe

Filesize
128KB

MD5
0015a30f5bd55927d73c0227b8f7c5a1

SHA1
4caf565c91f58e3afecb1abeef18a6b2705e1a4f

SHA256
2ee550ecdc93311c26ce3525c59c30196a1156b10c02bb7a02ddf2261ab5447c

SHA512
7dc739b9cfc7694b8ef2e983c555ec4429ee7b843fed8e3efcf239446cade312f6f1892c54bf53a0fd7e531668c6eeadc9928674c52edb966cb64e81856faecf

Download Submit
C:\Windows\SysWOW64\Kkomqpdh.exe

Filesize
128KB

MD5
9e9f7c4fad153ab86f80e0cda7c85962

SHA1
6ab91062664dd512938d74c310d6592c5909a7aa

SHA256
bc79209e0fa8530a94d24845784fa55375a2bceb8cede5a50eb7ec20f562c6da

SHA512
6722982b7dc3e4bb1b8d98695f2c33950f0fc9709c842edce033e7bc981a75df2f5815d698e3e90afcc4e76e7cbc0dda06614b47dbeb0cd8830824fde03d6335

Download Submit
C:\Windows\SysWOW64\Klapqf32.exe

Filesize
128KB

MD5
0d5916c98802cf30f959f4a75522d5d4

SHA1
afa97a83a984563c4503683983e66173f6a133ea

SHA256
45828f610a702511fe5722c4d1824578e42262155075c8a0c37fb419f2a50bbb

SHA512
d91ab7fcc2a52a9d6d30905aa5ddba6d121f45538f6d537eb7cd51487203c5e670140276a71a637d78f0bcf3747adc0ce4187174a1b22a46acefbe4daac1c2c1

Download Submit
C:\Windows\SysWOW64\Kpkple32.exe

Filesize
128KB

MD5
f73f39f7441068f1e0fe7b4f70dc68d1

SHA1
dedeaa290eb4d9fd7b74512b407dc6988a2ea8ae

SHA256
138cd1be5b4713292f4d4976c39f626b88d4be0a9867e190b18623c578794df1

SHA512
54e4bc3bddc7190e8c8d1c7c272d4593e30ddc2fb3b09bff37bd753b4d6af37c4ad9a54902b97c4aeccdfc30e805a0d50632898395bc34ac1c93561d719f8055

Download Submit
C:\Windows\SysWOW64\Ljmmhk32.exe

Filesize
128KB

MD5
0d5cffacc15dffcfd2e5d8a361ae506a

SHA1
551a849b1f959a68d07e1f9bb4c018b6e385b9cb

SHA256
ab9d43b616bb7f3d26855809a399ceda8d14fbfb0365216944cbc83e007f6768

SHA512
b994a1b9bfecad1bf2d17a8bc33c22ac0c8ecc406b46add4a18faac06466a585560f6abaa9c32685cdc537aa5f73040b32816b887e6880505f5b1e5f70991d7f

Download Submit
C:\Windows\SysWOW64\Llbigdhn.exe

Filesize
128KB

MD5
d007133c8df9ed6b9a801790ba765f6c

SHA1
651f49b5ae4cfa2bc5a2b76413da86b795689df5

SHA256
39d00caba702991dd747eae912bddb71d43cef81252bb5bee0a5cc7c91dc1a4a

SHA512
b893443886b20f4c4d555e084ddc019611442aefe0fa22a9d0b77945798594c35774dc744f3393dec473e9a10ba25dcbdb4cf520518fee0b0dbea421a2ec152f

Download Submit
C:\Windows\SysWOW64\Llpmbd32.exe

Filesize
128KB

MD5
181bda7bf8a88f0f7c0f81ae9cefbb9d

SHA1
ba18c88d151e2525d8439a8b1cecd5e44581e471

SHA256
ce799342b4aa93ae34b2f9c9fb507c1d74cde84a215d3cc2022e227fcad9b673

SHA512
8513b6a35014874460b3f8ade8c60197c3bcfdd02ddfbd19f2161ab4f592b3c2ecd4a7116a8a3ea08566369da691c91dbd8cb971f7aa1c41030b02b9ee9c1199

Download Submit
C:\Windows\SysWOW64\Lmbmlmbl.exe

Filesize
128KB

MD5
9da82bd5bc7a852650afa71a0bbfded3

SHA1
de4b62a3d783c8b1ec0217e4c9aa7a53c0104773

SHA256
154127c8b94d5e62c94654481edabf0233a52dac14587172fa9a2fedf282859e

SHA512
fdf87a3031f794307c4740bf55184e74fd751df9dfea0bb83c1c0ec876b0f72f8aefe3b510d4c24d29517545550d8eacb8204507b147d4c8f2e70fa9eb3a02d8

Download Submit
C:\Windows\SysWOW64\Lnllhp32.exe

Filesize
64KB

MD5
5c22c671e991691f4198fc6ed2e9b561

SHA1
ae37e235372211ae74634180ff26b8ec45e31b1f

SHA256
2aea6c4f00d2323f43ec99f802a24b1c7fbd1fcb9d9b024588cebf2862b6e8c8

SHA512
db01f266d17d76c371d1f79ca6eb48d5ba6cddbdc0eddb060f069342ba5554e753d742d4be25e6f658a75e4a45ff7d589fb967afa667d7dbc003c35a04352511

Download Submit
C:\Windows\SysWOW64\Macdpd32.exe

Filesize
128KB

MD5
65702b35434f60dca7476c1211ca494b

SHA1
6023136b1e42713e112fecc9321e0c09c5556b07

SHA256
61ff9f5334495eec8e5c1a4f85709154608d2de8e72de95cfc5b5e268da2efcb

SHA512
a66c8ad9d515dc081d318d1784407430b4f7c5d887e917f0d7f800170d591c9898e8fdd03fff16bd2fc07b75e57019224bc1765741931b54693ee64829a7ba17

Download Submit
C:\Windows\SysWOW64\Mankedbj.exe

Filesize
128KB

MD5
afe034003ab5dc4e976b62dc5a0ecc61

SHA1
2fe9e89c594a13a0558022695a2178c4f2ba6f94

SHA256
174e578cefacb3d7f5bdaf8d045fea2f78259d782ed9cb43e0ac7f011a14e567

SHA512
ae19dfd9f3a15da332f8f473e2bce05039ccfc53d55d8934dce183be5c8317feb83ae668c6e1f30b4ab35cd5149948a04e486a1f57ae5a945e6e9486fd03b15b

Download Submit
C:\Windows\SysWOW64\Mboeddad.exe

Filesize
128KB

MD5
cb2f910e759938283159df691644567c

SHA1
bcec36cb70d7ae0b97168808113310518e785ba1

SHA256
d98738f9c110376411d53887607072f2e1d8191d34ade8182a1c5fb027c05455

SHA512
b0a44743b04318cffc9f7265f9e7244c159de736f552fc5f15f1b1622423dc55202329e3f920bde557e13d095d426e1eb98b823e59d26fe7fa255ff3fecd98a7

Download Submit
C:\Windows\SysWOW64\Mchhjbii.exe

Filesize
128KB

MD5
72e9bb29b76a01e6f194430248231706

SHA1
826bcefe7420d0de1ce06a2a01ba09b8fdada44e

SHA256
4640434008b2cfd3550abf1837bf173aa9a0905640b664811dda33d4bad18a24

SHA512
23c2cacd5496fa6dabfcc15bbdad001b5703068f3813a956e53f8818ba4019d147eb2f57e864fa240906e2734cfdbd52e6186b06922a4a0e33cfc740dc2e16eb

Download Submit
C:\Windows\SysWOW64\Mebkko32.exe

Filesize
128KB

MD5
3eb1d2dd26e488672bf9a595b1acdf83

SHA1
898eaaf933b9e60f1785699c9e0f0a6f811fa3e0

SHA256
2021f9697900cff66443d6303e22e03464eda4615ffbba94d42d423f316cd045

SHA512
fcf76dc235e6a2819d2c4d79db151526bbba11824be3d56a268293f96532b433d7f09ab34dbeee07cb0558dcd3d1c0c12582107a1ee75f94af780c091e78971f

Download Submit
C:\Windows\SysWOW64\Mecjlb32.exe

Filesize
128KB

MD5
b2e2b32d5779d6efac49ab343b25f6c9

SHA1
fb043ead100df982afe8e92c565ee11657049b64

SHA256
da6af023ed5c2db1ca5ae378ccc03c722c61d5ed28412b6907cce28af7c897d4

SHA512
015650dfcb31e9a0ab4095a6bc91f38e0dcd59df3f8991a3006e7b9e48c98670c9f1fdf87eae023ff128b0a1a6cce9d7c6b537e6c31aa6e049bfcd7bb32350ab

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
128KB

MD5
cd14b6ee7baebc7bf5472baa4d0ca4a0

SHA1
f0cbf86f22fb6205df5dbc9c5a3cd23088b47a28

SHA256
445f5c4a5e852a62b63af968da469c10993c668f71f35738e8a4af5b0c5dad27

SHA512
f7e39cc64f26bedc4e7b2f0a1ed89593d42ba42b25e82e41a2b53ef2cbb01183543f8c86463a961da304f3c2e24452ea8e1265db0b5468bd9782079a6966cae6

Download Submit
C:\Windows\SysWOW64\Mfocelal.exe

Filesize
128KB

MD5
dfd75baa964b926a8209cb08c6145d23

SHA1
af2f1d1478ba81ff61ccc0a761686f5a0592bef9

SHA256
b7982cb4367b78a605b513e8b5b933916a694200ec6c67ecd46516706d34adeb

SHA512
f039434718a6a577f39badd4167e481203ca40106f570ad84778cddc80fd222142e9278c193996507a781783ee403444c3a89f3b7835c2802c5aa36cd433b94d

Download Submit
C:\Windows\SysWOW64\Mgageace.exe

Filesize
128KB

MD5
b97a3380b62c14f3747c78bbc2d9e0c6

SHA1
e89eec2a5a041f47747367b0e7d5c1381de4b417

SHA256
eed5792babfa5dd9aabbd955aa2f0c0ad3279c14bf32c04b1cce12acc7fee692

SHA512
4fdaac6de364d39a4f811af4c0656a112c0dd1ebac612f1827f08058506fa0d0f7aefe7a4eeb37a9d8cd67de6b03cc7bc8d4bb68f34582c2810af7241e09f908

Download Submit
C:\Windows\SysWOW64\Mgmnjb32.exe

Filesize
128KB

MD5
54cafb72c6ae5d7be2ed3d6ffd6f929c

SHA1
5e5e2417ec70b8ab1f6fcb3735c679f39ab0965c

SHA256
c9fc159cfba1abfdfcd88b0b7710a0212b82e8f74dd9d30e6eb1ba513af2229d

SHA512
ad395098d03132aff1ce1b10dcb2012b1e1b13bc9e1dbdd8eaec503f1eb196c7d8554bafdbfe91b311c06946475e7076dc46db879a1727b8bfc21c2183d504ea

Download Submit
C:\Windows\SysWOW64\Mlklnbpc.exe

Filesize
128KB

MD5
9c3ad69f10324bd8379df587633ce303

SHA1
a014f22dfdb7591e0f7b21ccf14294d305472c45

SHA256
8e78d8a52fbf5ee74dce49008c6b1bdb6eccc36816839ad7dff2679485a6ad66

SHA512
8e57d170dc4b1717cf9dbf4782ec7cb4f8235dde8f89526acf149b57dc8154e2d5125e6e96f791a3dbc5e8c230b13fc47d909599cdb4c69678ea91672bf38a84

Download Submit
C:\Windows\SysWOW64\Mllchico.exe

Filesize
128KB

MD5
5a23b956e1a1bebf41aec68d46b85552

SHA1
cc5f1346b58f209efa2d668be84eaf3cc0023517

SHA256
4fa6af5215f4158c5f710c93e95be4febef6d030fc4e735ec624ce0f769bd3f2

SHA512
e77da0526d9d9b9044e7b463ed4be233f424ef7a0c421bc13fe91f900e8cfac935e03c6935fd63d9b1f2f9ecd1097898146ab8874ede1dcde4373e8d7c929de6

Download Submit
C:\Windows\SysWOW64\Mmgfgl32.exe

Filesize
128KB

MD5
962d4cead32001b094bada57cff89210

SHA1
bf2948227c8f5044fbb6edd74d6fc1ccbc962a33

SHA256
6faef4b5163145dc358e28a9b9b21e3a71d6f7d3875884bb5e891723bad189de

SHA512
a01a76c0fea2de0d6e3152468ffee15c750c32172127d169d787c24a22d2bf2ad8476f9f8997c92189da111c0f042743345fff1629d8516b59c117a31db1e389

Download Submit
C:\Windows\SysWOW64\Mnnlgkho.exe

Filesize
128KB

MD5
c67dd141644f114eecca470ee00b97d4

SHA1
0fabdcb62e56f8f2f01715be46c8f37a4bacf674

SHA256
372526ee8c62173c04e144ebc2a3c9680c22cf39778efcc279792246111bff5c

SHA512
e28066808d408d82486248e57d2bea0c0751408804b9f62c1058cf0abdc6417401eb57cedffd2cc2e141aedd45b813ebb24f8cac620d978296cf34f149c44e75

Download Submit
C:\Windows\SysWOW64\Moleonmd.exe

Filesize
128KB

MD5
5d73557ec3546503492b4c5ecaa4f784

SHA1
1d001c958acfab3c3133d2643c31346820420257

SHA256
7b8316a66e3441bc42f0334aaf6272c9c1d47da3d897c4e5141c84a03379b4e4

SHA512
968a3a3cdfd196fe3fd2a2d1d64f319d355ec7b4a0a5936b78dd90c06fc3c123f4483a49b8fb076e4d875f4591f24634fb22b0df455710f2e9be7070a06c6d3d

Download Submit
C:\Windows\SysWOW64\Mpjlngje.exe

Filesize
128KB

MD5
93672b2ab49d0f4a96c511cf77cda17f

SHA1
6e36d778e1137133a1cf40f97cf187daa7d7d139

SHA256
3933ef8fbd4025936d288e1827690344f9d7162b40f96b80c63e608991ddcd4d

SHA512
cc03e31e6da61f6525bb682b362cdf0d2fee237e2250871b2a3e90c8076570edf80dd021ade5ae3947e155dbf9a41e0b0dfd9d16570f630a85643d0b7515d749

Download Submit
C:\Windows\SysWOW64\Naaqabbd.exe

Filesize
128KB

MD5
6dc03ec2fef024422f551aeb5dfafef6

SHA1
f106afbe30c9b73798cbd8ccc5e4caabd3f16de6

SHA256
e77993c253f87827e2d73aaa0531f5ed450388e90f152be7d1191d402f8a2689

SHA512
06fd55f172c649cb9a723ebc697abac65476644ffc92e75f9fca365e6fc521c426b9f8af20299ff401bfd5e34e639163bc8a161a67752df607fba048ea49c940

Download Submit
C:\Windows\SysWOW64\Ncdgfaol.exe

Filesize
128KB

MD5
e113a93142310684d19ec463c8ddcdfa

SHA1
8fa3027e82736f46371b402b7230b75a11c16da9

SHA256
3e048fc23ee05e2feea1b9aeb409a00a8076ef754cc2f414a1af1f65f3627018

SHA512
e6703a0d49d17e1041758b02b8bc7d65048957ab62e85f69f4f95a9be4061d0201b215c5cfce03c0c1c48bc55258a49eadd379c1e88941b5abf6bbe2254e825d

Download Submit
C:\Windows\SysWOW64\Ncmaeb32.exe

Filesize
128KB

MD5
c532bb811851a42807e01cd2d5651157

SHA1
61cc2576de3ef7710466a578807caa183c68f0c0

SHA256
31893a27dc83c92d1960696cf214c90810e69980c7b19626665af551dbb730ff

SHA512
071a511fdab8a52d33dd93565ca91943265e2b0e2922c3b793532dc633d974a23b3afed2b2b39b471fb443edbc131ef39f13e82a332022a4d273bfaa73f797c0

Download Submit
C:\Windows\SysWOW64\Nconka32.exe

Filesize
128KB

MD5
064a4caa778b5bfe19b9f7850e41db5b

SHA1
18a82d3bdcc01f700bb1ac3155b76502ca9bac7a

SHA256
18c06025c5d68990a349d1025ecc5e39c59bc7e3e77cca0f63ec640edda6e0b3

SHA512
b5d4abdd30e1e7869293f76b45d6b05f90334674c1f6c344dc5568bb4d7ef1f9d6a3efbb7cfc54dfbe676c9e051308019addd5ee7fe8b920063b1794afe501fe

Download Submit
C:\Windows\SysWOW64\Ndhdde32.exe

Filesize
128KB

MD5
26d6a1c19becbaa2781a0807990c56df

SHA1
0a4f2d962aab24ba529b4ec1ddd6d3e16e11d2ef

SHA256
e1cd8f0fcd0ef21336e3dff0a166d2020894b8d660846bebed14e43e36f34822

SHA512
b0c9e4e4c09d86933f07403281c09f9d6d27916dff58d399a3bda0bd9d3d1e23d23ea110a049de7370ca1aba4c73f04cea14117064081c65d3556f28dc638ce2

Download Submit
C:\Windows\SysWOW64\Neknam32.exe

Filesize
128KB

MD5
eb3be72f711604bc07537ff208cabff2

SHA1
9e522ee14fc88cab7ead26d3bc6ee330643911d9

SHA256
c29d97606e4ff1f99809f4eefb1d79a8b1fa8fd0da49c177758e31f55f7d8657

SHA512
f40e6685d42f478094f8d9e1aca101f80b8570b606b9dd85efd2f91f46776383b225e3c3681e7e5e7e8f5a83af538d3dcd1306aa20dca7a9ad0c21d24fc6a73a

Download Submit
C:\Windows\SysWOW64\Nenjgm32.exe

Filesize
128KB

MD5
76c0706dde315139ba1e6977c17aaf81

SHA1
7b98aa9d2c32fd28e2b918bf214f7a014aaea09e

SHA256
7330179db955c308aa6c1c939aa05657a46485d4d5a7f68b2bc1e8c857d1d1d7

SHA512
de6c358a85c81de69a115056bb6034d603980be9bf689002e9f4635a53d930e2df09df99b7e710bbae7651f3f352029d05efa8d4945fee25228de9e33860edb0

Download Submit
C:\Windows\SysWOW64\Nfbdblnp.exe

Filesize
128KB

MD5
7ac03f987d730ab1ccf46c1e1aab112d

SHA1
c866ddb4aa39162c240ece778e0e0d3bb156670f

SHA256
1e21cee9ef94518918085f0abe72de8e0d72e83cac88f554e5839e01d280c48f

SHA512
97f0d653dcc316d3d5b22dd67fe51756b1e4d8470de3463c22e5dbe95c0bb7063f2eceb45e926d866d5f82a5ba1ca175c346cc64aac6bf4c24d9877196903075

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
128KB

MD5
fca3af4991d9b861588369534a92e228

SHA1
123691fc9da958afd5356899840d6a65544bc891

SHA256
a7615ffecc1905c83b8304679cdccffebda4e5c0116526fcbbfc3ccd8d56e55a

SHA512
3fa4788f2f036f24469ccd3b35df9bd6c6ef6ad00829b44449ad90f691949f1c757a348dda4723475f60f01876c56d5bd227382554c038caa18fcaf08c911469

Download Submit
C:\Windows\SysWOW64\Ngmgap32.exe

Filesize
128KB

MD5
5ecf9bdb542711e5d2efa8514f074397

SHA1
e82c5c479ff5905d81a43757f51c594e0941682f

SHA256
0fd7222f186e53b00b0f52d031b129f9eb4b2b5885b03782af23e77759e676e0

SHA512
9be3fd2f031cdd0f317fe41e09cd7bd8e30aac1d6ba57e0198d4635c00ef8f8acd87aef0589f6751aff316f14f105ed2a114c7636279c7d4ac70d723964a90fc

Download Submit
C:\Windows\SysWOW64\Nidfbf32.exe

Filesize
128KB

MD5
c5b190f46173c6553b076aea64d96ed7

SHA1
63587ac149a7b7d10bc46796a42e5cbfc88b3e86

SHA256
900123fb92617ce792b765af163665c38619a4584e4aab53fe50f58b0a6e47cd

SHA512
7083dea3df50cd408af5a5f88cf4a94bb0c20402fe4c3bb83c3d6fa43880fb1ea37c84eda824af17fe08fae76091acb541a0695194b41238d8b2d96e2eea4701

Download Submit
C:\Windows\SysWOW64\Njbojh32.exe

Filesize
128KB

MD5
16dc5fb782bd246533ed1f2eee8aaf96

SHA1
9803f4af553b760eeb1d9a2f7f6c1c61f7ec33e7

SHA256
fdbae2fabd94f868f8e3c902bfd75589a18b6af48faba3a4ced5dce74f5539f1

SHA512
85d97fd63fa14cc305807c98cadea6a61b4a4b5cdb8219863fed1277962cf5b8a94c754665fff2748664e2087867d89f5e5e3813f72e2017739b3b10d15a83e8

Download Submit
C:\Windows\SysWOW64\Njlcmk32.exe

Filesize
128KB

MD5
c8de7ef6940df71a0a55f1cd2a23f91c

SHA1
4549749ddc4e361a71bb47569ed3d67194a3c48b

SHA256
f3e8e3f5d279ac22aa24294872c8f55494b13db8e6f0c74cc85030af3429ae96

SHA512
7ffda50d328de818b7601f2e36400a66819ebd3fb2e518b6c76e4c4eea5729f4e869db1e11927d1c30a42d0a5a00a237bb5a0ae51572078be1c43dd47b532503

Download Submit
C:\Windows\SysWOW64\Njnpck32.exe

Filesize
128KB

MD5
4ea1cdcf804483ae40ba6c6528cfb0bf

SHA1
7ae693d81440d6f612a91c382c4d79c81e6ae70b

SHA256
4cde0409f9c16a9356bf1632e126da8d7e4def6fb1b7d9debccdf17672e51816

SHA512
e5a4a0a919060721222624512d86407483f095c04fc5524a9cb46862b31e8e45aeb56e790453f763e88e5dfa43415a0df2df081d5e57c44c3b5ccde7808725a2

Download Submit
C:\Windows\SysWOW64\Nljoig32.exe

Filesize
128KB

MD5
d4e30ed8f0f79be19ad67748dc7701ab

SHA1
4c6e8a64adba8bbede7546327fa3db0d3bd9e721

SHA256
de627f4d26ce61116656250a3ea12dadbb796bc0aca45d826b55d57afedafd28

SHA512
67b4f7d4d8d4b530f3399139f76ba830290ad2967c7220d9d9d53d1dc9d15ab1ecdf0de082902e3f427e7cdac256e73b9783f0da6ef6ecaaa6372e9de8628465

Download Submit
C:\Windows\SysWOW64\Nlllof32.exe

Filesize
128KB

MD5
64ea96a53aee5b46c6706477e2d9b5fa

SHA1
da54a83bfdeb6d405937188eec369fea1ce55cf1

SHA256
c85a2a666cf7b9957abd12d0e1d83ed8ce44f197a14bd5e81d35a851a396900b

SHA512
1cda4302d9967e03702cef7a750b794806b57f1f901bb6d0ed4438ecaa6defb774b1c981ff4d4629d8685f801db00fec74909bd5fbbe3d3646d2ce331ae4d7d1

Download Submit
C:\Windows\SysWOW64\Nnbebk32.exe

Filesize
128KB

MD5
ed629da6ca04f0fee8dbb437e91765fd

SHA1
f6832d28a0c05cdc043e3e021a334a7cb56848d9

SHA256
c4d85ac64757bfea57576ff7dda487c72aa433b6d9a7c9f2ea9a1ae2524cf13f

SHA512
ae547673b40f2d45ee831a6a27a9d4d6700c985d34bacc1fad000144fee23714ad9b7a6968d14f7c602567b23dc5e573e52a99c62026375269d75ba49572c7ea

Download Submit
C:\Windows\SysWOW64\Nnebhj32.exe

Filesize
128KB

MD5
6795403213fd0ff1afc6b1d729932d6a

SHA1
1e06bbffc131c34e90bcb0e2c85b30b1f1ace9a2

SHA256
0a75634c9322f5004806615ddf2ac0f0727a363b0a50d240b9ece680f627c8c7

SHA512
036755967c5b52672c93a0bacf1273eaddca16fd78a88ed1eb716cf3b567e350f44fe244daf0494022f7b523b8819da2cd94aae492e7be4ed6f5035a7faf213f

Download Submit
C:\Windows\SysWOW64\Nnpimkfl.exe

Filesize
128KB

MD5
3aa04d81f9227a6823e6bca0e760519d

SHA1
ff573438db323f0aa64dcd017c3798a66da7eb27

SHA256
5417f80a99df3379a864259fc77a3d23ac2e8561ff5878a4e65967854e2f48ac

SHA512
11e0b7796a5b107419a8f219e5adcf8f43e65f582aa2f782dc95d9c9771d6e1884a78587a322e6058d23c79dbc6f1ed2d813dd6f5d60db83dac392e124ddf1ce

Download Submit
C:\Windows\SysWOW64\Noehelej.exe

Filesize
128KB

MD5
0aa7b06e11972608af9ce4b9c6e1c082

SHA1
d175b0ce56c353e1ec1afc1b03ff58c949a6bba1

SHA256
794772702f5c154ab82f91066eaec7d850f5038a0bd298b4f2eb17a0dc21396f

SHA512
2d5fe82eccabfb9ddbcb097267dcaca88c26e9d89eaf0adcaab0eb4f6ab552cf2a4a630bc64a496019f7a4787385e95311fe6afc223aa5c23bcf0448d7f0630a

Download Submit
C:\Windows\SysWOW64\Npabof32.exe

Filesize
128KB

MD5
2513e9cfa531293ec657289d67423053

SHA1
e1c6345272ff4133882b2ab5ac3dcd676dc94991

SHA256
b4b9eef6dc17f284d68ddda8f6a297854c7ba6e43e38873d9266b6e8165ca141

SHA512
c168dcbc94db6a8a270bb1dd87f20075330998c20ec8c344c89dd97937e88e0276226e14f3d8b816d45330386ede03cc1dd2e4c48358034862393897a03605ea

Download Submit
C:\Windows\SysWOW64\Npcodf32.exe

Filesize
128KB

MD5
82318ce468c6a4c4ffc99b33d7b18012

SHA1
f68109ab3458f9709dd0cd2108096ae64b82ece2

SHA256
a911d704a1306d71bcbd606217782088cc06b6531f89da131324d66a2d7c97c9

SHA512
e9db76fcb66b80c2691de5d796c1e4aef8efbb9ab0d811b69e0122c0f00ef3de6a4143b1dbf3c971441f5464cd941b6d173f5846fd234f0d7b2ca69c378fb503

Download Submit
C:\Windows\SysWOW64\Npekjeph.exe

Filesize
128KB

MD5
6c564f9e9a4f1fe4592ada158b2397f2

SHA1
d7aa616fe02e6d70597c26e3be6019529ba034af

SHA256
19252e9d757f0791757e2d81761d8df18ee03e5c3da145d359d05833298bda00

SHA512
0095accf8b5add4f0acb473d93592ebb504f382442c05bc8949405f6fc060119e15cac19de0a9d584837f6e853c6bb02c153ad8f48d54a6b20e74746a6638aae

Download Submit
C:\Windows\SysWOW64\Npoeif32.exe

Filesize
128KB

MD5
67ee6c557120884856e05e1e6168adc9

SHA1
94710fc205238397ce17b6cafc4d877a477bd1f8

SHA256
ededfb2db4dd7d8d3b60d781f8a737cfcaf5e42fcb367658af6a14eff7cafac0

SHA512
e76dcf28a842027fc6174bf4216b93cbdc932d70750e9debb34c584bf7a5ebd3fceb002e882d30314c73149c99113e78c290642161433590288715e21f4f2bc0

Download Submit
C:\Windows\SysWOW64\Ocopgiac.exe

Filesize
128KB

MD5
02876f3197fe691c5ebcc4efa93b7e64

SHA1
847ef9afd9fdfaa3a3db3254fc275290e53c0df4

SHA256
87c441367ddffb8f4c8246cbbed507547048b2f2c9e3dabcfbb58f164252e037

SHA512
1e8158a1b98d98d64270e0f421a08fb67e21e2b9e194595089f3b2412d8957f1a7e365782daa41cf8feeb06e1bb9dfe77c2e545ea7a003baec00b7d4a4cc9b85

Download Submit
C:\Windows\SysWOW64\Odcdpd32.exe

Filesize
128KB

MD5
b6e23c52e69903f553e4d03858ae7434

SHA1
bb1ffa43a29efdba9ad4c7d3e4d9818ec0d372fb

SHA256
88dace3ee9e8fe345a71cb6d32bb3e6caca3593dbeb59464057edcae8876a282

SHA512
323d0ce00d6303b28fac8ac1fb16a21e2b1cc60803b40e868b5822df450a8afaad05245436655740e4ade88fe48f529a9ef1879679073ad384f0969f44b7c2b3

Download Submit
C:\Windows\SysWOW64\Olbkeoki.exe

Filesize
128KB

MD5
94cde4865b91fb17731427cabe3e598d

SHA1
326885d91a63b7dce9559a1d2fabdd0b37f4c69a

SHA256
f6b4407e7e246ee2e6bd7130fea4d70ef9c5915275472b52dca19565ba16ef26

SHA512
2533a951f34502c8cf63dd3baa44f761ef21e8a877dc9c206e260cb297a509726d230ea39d70e154da071d3f0e676115b0540baf677daeae41e9247b1cf3481e

Download Submit
C:\Windows\SysWOW64\Pgminggi.exe

Filesize
128KB

MD5
f659b2d80f2862177d5054dccdd71b26

SHA1
97229d08b981eca72270a9a3f02ef8533ccd510c

SHA256
64532535a6176f993d8f9cdf244221d459ea278bc6f538fdf5829d63063c774d

SHA512
9f5368d037926cd26f4917c82eaf70639f46cb4476a9f01fc33415c922eeefe24d26c110e7cf1aca76bd1e35d94b1d151eb10c1a3576a8fbebebca75cc393e75

Download Submit
C:\Windows\SysWOW64\Pojjgiba.exe

Filesize
128KB

MD5
cdd4c1d5da479dfafdd22a0756167f10

SHA1
75bff56880d5390022a096a729bf8b20a47452e2

SHA256
9d7a9155dd6f1700c7262a9b669f4ba10eebd7c736a9099a9984f730a9366f6f

SHA512
5e4f31190665279a8346d61fe05b9f56926e48e8330a4f2465d15f0e10ee1926dd46b168dac6161029e3c9d191fce561ff70da53c2eef236927f8a83af4a67b2

Download Submit
C:\Windows\SysWOW64\Qjehpanb.exe

Filesize
128KB

MD5
722e459d8fef48df55278a1009fba040

SHA1
d0cd378ed4b8a928794459f79b69bf607123533d

SHA256
a87bfbafbf049027ea284303f87939f1297e26bef2c14ddda13839a5cd3210c3

SHA512
f5f04fa02df1b2935df2fd82f96251b45007c614d4a6ec227d896a8a44db5af636ac8ec8552b98f4acf7129346bea8488ec7b31c13d924082ce993a4c20a1d31

Download Submit
memory/180-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-489-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1164-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1188-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1188-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1196-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1624-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1624-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1840-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1872-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2024-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2112-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2324-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2552-525-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-531-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3116-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3264-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3292-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3424-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3636-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3784-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3852-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4008-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4100-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4100-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4164-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4268-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4276-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4332-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-556-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4696-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4700-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4772-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5160-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5204-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads