berbew | 26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe
Size

128KB
MD5

2e45549ffdcb0a1c720d14d07460f327
SHA1

4ed32b6b47ae4fbfd8b67e34b1cb1b749fa9d633
SHA256

26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8
SHA512

f04ce1419ef0f5f9536e4d732425480635471c93ba678fb354e43b73dfecbabb708c9f1239e36750f07e1c5ed00ccf6d6fccb32dc5fc7cc945f1e32643222695
SSDEEP

3072:i56D1eW3W0Hj12m1NOcOtutAfeSlj9pui6yYPaI7DehizrVtNB:i56D13VD1xkY+2Opui6yYPaIGcr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmfeidbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mplafeil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhmigagd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhghcki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iklgah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qepkbpak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgndoeag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idbodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plndcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qlggjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfgcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejflhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llflea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efccmidp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elpkep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Midfokpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Plagcbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phjenbhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haoimcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipoopgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Diicml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlmbfqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidabppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ooagno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fielph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glcaambb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncofplba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpodlbng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pllgnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbndfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbadcpbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngaionfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jglklggl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlpokp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oboijgbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkaicd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oblmdhdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanfen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aonoao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objpoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olgncmim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpdin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagpeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biogppeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmcdffmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdcliikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lndagg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcicklnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahchda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaajed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlhljhbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfnoqc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2276	Mfcmmp32.exe
2044	Mplafeil.exe
1320	Midfokpm.exe
1488	Mfhfhong.exe
3168	Mockmala.exe
4304	Nhlpfgbb.exe
2060	Nbadcpbh.exe
2440	Nhnlkfpp.exe
4876	Nohehq32.exe
4576	Nebmekoi.exe
3816	Ngaionfl.exe
2016	Nipekiep.exe
4956	Nchjdo32.exe
932	Nplkmckj.exe
2404	Ohgoaehe.exe
3496	Ooagno32.exe
4880	Oigllh32.exe
1088	Ocopdn32.exe
4092	Oiihahme.exe
1444	Ogmijllo.exe
4984	Oljaccjf.exe
668	Ogpepl32.exe
2836	Ohqbhdpj.exe
4128	Ophjiaql.exe
4072	Ppjgoaoj.exe
1412	Pcicklnn.exe
868	Plagcbdn.exe
3020	Pjehmfch.exe
2896	Poaqemao.exe
2916	Phjenbhp.exe
4696	Pgkelj32.exe
4028	Pqcjepfo.exe
756	Qfpbmfdf.exe
1140	Qljjjqlc.exe
3372	Qcdbfk32.exe
2080	Qlmgopjq.exe
4420	Afelhf32.exe
380	Ahchda32.exe
2680	Acilajpk.exe
2112	Afghneoo.exe
3204	Aqmlknnd.exe
3028	Afjeceml.exe
4992	Aqoiqn32.exe
748	Agiamhdo.exe
2924	Ajhniccb.exe
2912	Aodfajaj.exe
2180	Afnnnd32.exe
4000	Bogcgj32.exe
2320	Bgnkhg32.exe
4556	Biogppeg.exe
3956	Biadeoce.exe
3448	Boklbi32.exe
4140	Bgbdcgld.exe
3588	Bidqko32.exe
2336	Bqkill32.exe
1844	Bgeaifia.exe
4616	Bqmeal32.exe
1324	Bfjnjcni.exe
4112	Cmdfgm32.exe
1164	Cpbbch32.exe
4340	Cflkpblf.exe
3992	Cikglnkj.exe
1292	Ccqkigkp.exe
3436	Cfogeb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ekkkoj32.exe	Dbbffdlq.exe
File created	C:\Windows\SysWOW64\Cadlbk32.exe	Cfogeb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gldglf32.exe
File opened for modification	C:\Windows\SysWOW64\Ophjiaql.exe	Ohqbhdpj.exe
File created	C:\Windows\SysWOW64\Papdfone.dll	Maodigil.exe
File created	C:\Windows\SysWOW64\Dpbdopck.exe	Dmdhcddh.exe
File opened for modification	C:\Windows\SysWOW64\Lcjcnoej.exe	Ljaoeini.exe
File created	C:\Windows\SysWOW64\Lokdnjkg.exe	Lnjgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Nplkmckj.exe	Nchjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Phjenbhp.exe	Poaqemao.exe
File opened for modification	C:\Windows\SysWOW64\Cikglnkj.exe	Cflkpblf.exe
File created	C:\Windows\SysWOW64\Acilajpk.exe	Ahchda32.exe
File created	C:\Windows\SysWOW64\Hmpjmn32.exe	Hdhedh32.exe
File opened for modification	C:\Windows\SysWOW64\Fmhdkknd.exe	Fngcmcfe.exe
File opened for modification	C:\Windows\SysWOW64\Iqipio32.exe	Iklgah32.exe
File created	C:\Windows\SysWOW64\Gmiadfmi.dll	Fflohaij.exe
File created	C:\Windows\SysWOW64\Hmdlmg32.exe	Hbohpn32.exe
File opened for modification	C:\Windows\SysWOW64\Lqpamb32.exe	Lcjcnoej.exe
File opened for modification	C:\Windows\SysWOW64\Lnpofnhk.exe	Lbinam32.exe
File created	C:\Windows\SysWOW64\Llodgnja.exe	Ljqhkckn.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Ebkibb32.dll	Olbdhn32.exe
File created	C:\Windows\SysWOW64\Lgqfdnah.exe	Kkjeomld.exe
File opened for modification	C:\Windows\SysWOW64\Fjmkoeqi.exe	Fmikeaap.exe
File created	C:\Windows\SysWOW64\Aonoao32.exe	Anobgl32.exe
File created	C:\Windows\SysWOW64\Kpdjljdk.dll	Lfjfecno.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Igleoo32.dll	Caienjfd.exe
File created	C:\Windows\SysWOW64\Cfnqklgh.exe	Cmflbf32.exe
File created	C:\Windows\SysWOW64\Gdencf32.dll	Nnbnhedj.exe
File created	C:\Windows\SysWOW64\Nndjndbh.exe	Ncofplba.exe
File created	C:\Windows\SysWOW64\Mcecjmkl.exe	Mgobel32.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Monjjgkb.exe
File opened for modification	C:\Windows\SysWOW64\Bgnkhg32.exe	Bogcgj32.exe
File opened for modification	C:\Windows\SysWOW64\Plbmokop.exe	Pidabppl.exe
File created	C:\Windows\SysWOW64\Ackhdo32.dll	Gkhkjd32.exe
File created	C:\Windows\SysWOW64\Jgpmmp32.exe	Jnhidk32.exe
File created	C:\Windows\SysWOW64\Fcpjljph.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Bbgeno32.exe	Bohibc32.exe
File created	C:\Windows\SysWOW64\Fcniglmb.exe	Efjimhnh.exe
File opened for modification	C:\Windows\SysWOW64\Ijcjmmil.exe	Idfaefkd.exe
File opened for modification	C:\Windows\SysWOW64\Cbgnemjj.exe	Coiaiakf.exe
File opened for modification	C:\Windows\SysWOW64\Nhokljge.exe	Nnfgcd32.exe
File created	C:\Windows\SysWOW64\Gedobm32.dll	Bmofagfp.exe
File created	C:\Windows\SysWOW64\Inqbclob.exe	Iggjga32.exe
File opened for modification	C:\Windows\SysWOW64\Ggnedlao.exe	Gaamlecg.exe
File created	C:\Windows\SysWOW64\Oimkbaed.exe	Oafcqcea.exe
File created	C:\Windows\SysWOW64\Lnkapdda.dll	Akcjkfij.exe
File created	C:\Windows\SysWOW64\Kmdpiacg.dll	Bebjdgmj.exe
File created	C:\Windows\SysWOW64\Njghbl32.exe	Maodigil.exe
File opened for modification	C:\Windows\SysWOW64\Adfnofpd.exe	Aknifq32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Achgjc32.dll	Kiggbhda.exe
File created	C:\Windows\SysWOW64\Gkbofaoj.dll	Efccmidp.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	Kckqbj32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Dhblne32.dll	Bkkple32.exe
File opened for modification	C:\Windows\SysWOW64\Dfgcakon.exe	Dcigeooj.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Fajgkfio.exe	Fibojhim.exe
File created	C:\Windows\SysWOW64\Ghmpjalb.dll	Hammhcij.exe
File created	C:\Windows\SysWOW64\Epjajeqo.exe	Emlenj32.exe
File opened for modification	C:\Windows\SysWOW64\Fdcjlb32.exe	Faenpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3160	4332	WerFault.exe	662

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnfcia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopocbcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmhdkknd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdcjlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddbcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diicml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epndknin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgibpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jklphekp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pocfpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkple32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbndfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfnlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidjbmcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgeee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjjnae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnhdgpii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpjmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnfpcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckqbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqoiqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plejdkmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bohibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonoao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faenpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olgncmim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giinpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nklbmllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnhcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joahqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngaionfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knflpoqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanfen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbelcblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmdaljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohgoaehe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dabhdinj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efeihb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplafeil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmdme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpdegjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glgcbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqkigkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgndoeag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojlaeei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijhjcchb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jglklggl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkcfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajndioga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgepanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhfhong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhniccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjchaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddligq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chnbbqpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejbgd32.dll"	Nipekiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgkelj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cflkpblf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnilk32.dll"	Cippgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqmlknnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehjlaaig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lqikmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdgc32.dll"	Iklgah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll"	Geohklaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iqbbpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llflea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cihclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbdlop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioenpjfm.dll"	Bheffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hildmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agiamhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeaha32.dll"	Liqihglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oblmdhdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjnffjkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnahdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhgag32.dll"	Hbohpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lndagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll"	Mgobel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jqhafffk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famkjfqd.dll"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhniccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edmclccp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbgnemjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecalcl32.dll"	Akepfpcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bohibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caienjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmdjapgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oljaccjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkgeoklj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnchkf32.dll"	Ijadbdoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kiejmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aonoao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afkknogn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll"	Aonoao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efdjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lqikmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkcckgg.dll"	Ncofplba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndchiip.dll"	Mlbkap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjdebfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll"	Kiejmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll"	Iggjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Najmjokc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nohehq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2276	3096	26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe	85
PID 3096 wrote to memory of 2276	3096	26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe	85
PID 3096 wrote to memory of 2276	3096	26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe	85
PID 2276 wrote to memory of 2044	2276	Mfcmmp32.exe	86
PID 2276 wrote to memory of 2044	2276	Mfcmmp32.exe	86
PID 2276 wrote to memory of 2044	2276	Mfcmmp32.exe	86
PID 2044 wrote to memory of 1320	2044	Mplafeil.exe	87
PID 2044 wrote to memory of 1320	2044	Mplafeil.exe	87
PID 2044 wrote to memory of 1320	2044	Mplafeil.exe	87
PID 1320 wrote to memory of 1488	1320	Midfokpm.exe	88
PID 1320 wrote to memory of 1488	1320	Midfokpm.exe	88
PID 1320 wrote to memory of 1488	1320	Midfokpm.exe	88
PID 1488 wrote to memory of 3168	1488	Mfhfhong.exe	89
PID 1488 wrote to memory of 3168	1488	Mfhfhong.exe	89
PID 1488 wrote to memory of 3168	1488	Mfhfhong.exe	89
PID 3168 wrote to memory of 4304	3168	Mockmala.exe	90
PID 3168 wrote to memory of 4304	3168	Mockmala.exe	90
PID 3168 wrote to memory of 4304	3168	Mockmala.exe	90
PID 4304 wrote to memory of 2060	4304	Nhlpfgbb.exe	91
PID 4304 wrote to memory of 2060	4304	Nhlpfgbb.exe	91
PID 4304 wrote to memory of 2060	4304	Nhlpfgbb.exe	91
PID 2060 wrote to memory of 2440	2060	Nbadcpbh.exe	92
PID 2060 wrote to memory of 2440	2060	Nbadcpbh.exe	92
PID 2060 wrote to memory of 2440	2060	Nbadcpbh.exe	92
PID 2440 wrote to memory of 4876	2440	Nhnlkfpp.exe	94
PID 2440 wrote to memory of 4876	2440	Nhnlkfpp.exe	94
PID 2440 wrote to memory of 4876	2440	Nhnlkfpp.exe	94
PID 4876 wrote to memory of 4576	4876	Nohehq32.exe	95
PID 4876 wrote to memory of 4576	4876	Nohehq32.exe	95
PID 4876 wrote to memory of 4576	4876	Nohehq32.exe	95
PID 4576 wrote to memory of 3816	4576	Nebmekoi.exe	96
PID 4576 wrote to memory of 3816	4576	Nebmekoi.exe	96
PID 4576 wrote to memory of 3816	4576	Nebmekoi.exe	96
PID 3816 wrote to memory of 2016	3816	Ngaionfl.exe	97
PID 3816 wrote to memory of 2016	3816	Ngaionfl.exe	97
PID 3816 wrote to memory of 2016	3816	Ngaionfl.exe	97
PID 2016 wrote to memory of 4956	2016	Nipekiep.exe	98
PID 2016 wrote to memory of 4956	2016	Nipekiep.exe	98
PID 2016 wrote to memory of 4956	2016	Nipekiep.exe	98
PID 4956 wrote to memory of 932	4956	Nchjdo32.exe	99
PID 4956 wrote to memory of 932	4956	Nchjdo32.exe	99
PID 4956 wrote to memory of 932	4956	Nchjdo32.exe	99
PID 932 wrote to memory of 2404	932	Nplkmckj.exe	100
PID 932 wrote to memory of 2404	932	Nplkmckj.exe	100
PID 932 wrote to memory of 2404	932	Nplkmckj.exe	100
PID 2404 wrote to memory of 3496	2404	Ohgoaehe.exe	101
PID 2404 wrote to memory of 3496	2404	Ohgoaehe.exe	101
PID 2404 wrote to memory of 3496	2404	Ohgoaehe.exe	101
PID 3496 wrote to memory of 4880	3496	Ooagno32.exe	102
PID 3496 wrote to memory of 4880	3496	Ooagno32.exe	102
PID 3496 wrote to memory of 4880	3496	Ooagno32.exe	102
PID 4880 wrote to memory of 1088	4880	Oigllh32.exe	103
PID 4880 wrote to memory of 1088	4880	Oigllh32.exe	103
PID 4880 wrote to memory of 1088	4880	Oigllh32.exe	103
PID 1088 wrote to memory of 4092	1088	Ocopdn32.exe	104
PID 1088 wrote to memory of 4092	1088	Ocopdn32.exe	104
PID 1088 wrote to memory of 4092	1088	Ocopdn32.exe	104
PID 4092 wrote to memory of 1444	4092	Oiihahme.exe	105
PID 4092 wrote to memory of 1444	4092	Oiihahme.exe	105
PID 4092 wrote to memory of 1444	4092	Oiihahme.exe	105
PID 1444 wrote to memory of 4984	1444	Ogmijllo.exe	106
PID 1444 wrote to memory of 4984	1444	Ogmijllo.exe	106
PID 1444 wrote to memory of 4984	1444	Ogmijllo.exe	106
PID 4984 wrote to memory of 668	4984	Oljaccjf.exe	107

C:\Users\Admin\AppData\Local\Temp\26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe
"C:\Users\Admin\AppData\Local\Temp\26f7066a3b95ae7d1b91f990b9667b48cec38042fe6099fb9a7fd24981938ae8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\Mfcmmp32.exe
  C:\Windows\system32\Mfcmmp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\Mplafeil.exe
    C:\Windows\system32\Mplafeil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\Midfokpm.exe
      C:\Windows\system32\Midfokpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\SysWOW64\Mfhfhong.exe
        
        C:\Windows\system32\Mfhfhong.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\Mockmala.exe
        
        C:\Windows\system32\Mockmala.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Nhlpfgbb.exe
        
        C:\Windows\system32\Nhlpfgbb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Nhnlkfpp.exe
        
        C:\Windows\system32\Nhnlkfpp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Nohehq32.exe
        
        C:\Windows\system32\Nohehq32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ngaionfl.exe
        
        C:\Windows\system32\Ngaionfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Nipekiep.exe
        
        C:\Windows\system32\Nipekiep.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Nchjdo32.exe
        
        C:\Windows\system32\Nchjdo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Nplkmckj.exe
        
        C:\Windows\system32\Nplkmckj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ooagno32.exe
        
        C:\Windows\system32\Ooagno32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Oigllh32.exe
        
        C:\Windows\system32\Oigllh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ocopdn32.exe
        
        C:\Windows\system32\Ocopdn32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Oiihahme.exe
        
        C:\Windows\system32\Oiihahme.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ogmijllo.exe
        
        C:\Windows\system32\Ogmijllo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Oljaccjf.exe
        
        C:\Windows\system32\Oljaccjf.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ogpepl32.exe
        
        C:\Windows\system32\Ogpepl32.exe
        23⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Ohqbhdpj.exe
        
        C:\Windows\system32\Ohqbhdpj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Ophjiaql.exe
        
        C:\Windows\system32\Ophjiaql.exe
        25⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Ppjgoaoj.exe
        
        C:\Windows\system32\Ppjgoaoj.exe
        26⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Plagcbdn.exe
        
        C:\Windows\system32\Plagcbdn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Pjehmfch.exe
        
        C:\Windows\system32\Pjehmfch.exe
        29⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Phjenbhp.exe
        
        C:\Windows\system32\Phjenbhp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Pgkelj32.exe
        
        C:\Windows\system32\Pgkelj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Pqcjepfo.exe
        
        C:\Windows\system32\Pqcjepfo.exe
        33⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Qfpbmfdf.exe
        
        C:\Windows\system32\Qfpbmfdf.exe
        34⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        35⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        36⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Qlmgopjq.exe
        
        C:\Windows\system32\Qlmgopjq.exe
        37⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Afelhf32.exe
        
        C:\Windows\system32\Afelhf32.exe
        38⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Ahchda32.exe
        
        C:\Windows\system32\Ahchda32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        40⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Afghneoo.exe
        
        C:\Windows\system32\Afghneoo.exe
        41⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Afjeceml.exe
        
        C:\Windows\system32\Afjeceml.exe
        43⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Aqoiqn32.exe
        
        C:\Windows\system32\Aqoiqn32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ajhniccb.exe
        
        C:\Windows\system32\Ajhniccb.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        47⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        48⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bgnkhg32.exe
        
        C:\Windows\system32\Bgnkhg32.exe
        50⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Biogppeg.exe
        
        C:\Windows\system32\Biogppeg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        52⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Boklbi32.exe
        
        C:\Windows\system32\Boklbi32.exe
        53⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Bgbdcgld.exe
        
        C:\Windows\system32\Bgbdcgld.exe
        54⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Bidqko32.exe
        
        C:\Windows\system32\Bidqko32.exe
        55⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        56⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        57⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Bqmeal32.exe
        
        C:\Windows\system32\Bqmeal32.exe
        58⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Bfjnjcni.exe
        
        C:\Windows\system32\Bfjnjcni.exe
        59⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\Cmdfgm32.exe
        
        C:\Windows\system32\Cmdfgm32.exe
        60⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Cpbbch32.exe
        
        C:\Windows\system32\Cpbbch32.exe
        61⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Cflkpblf.exe
        
        C:\Windows\system32\Cflkpblf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        63⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Cfogeb32.exe
        
        C:\Windows\system32\Cfogeb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        66⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Cgndoeag.exe
        
        C:\Windows\system32\Cgndoeag.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        68⤵
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Caghhk32.exe
        
        C:\Windows\system32\Caghhk32.exe
        69⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        70⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Cibmlmeb.exe
        
        C:\Windows\system32\Cibmlmeb.exe
        71⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Caienjfd.exe
        
        C:\Windows\system32\Caienjfd.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Cgcmjd32.exe
        
        C:\Windows\system32\Cgcmjd32.exe
        73⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Cidjbmcp.exe
        
        C:\Windows\system32\Cidjbmcp.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Dpnbog32.exe
        
        C:\Windows\system32\Dpnbog32.exe
        75⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Diffglam.exe
        
        C:\Windows\system32\Diffglam.exe
        76⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Dclkee32.exe
        
        C:\Windows\system32\Dclkee32.exe
        77⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Dcogje32.exe
        
        C:\Windows\system32\Dcogje32.exe
        79⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Djhpgofm.exe
        
        C:\Windows\system32\Djhpgofm.exe
        80⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Dabhdinj.exe
        
        C:\Windows\system32\Dabhdinj.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Ddadpdmn.exe
        
        C:\Windows\system32\Ddadpdmn.exe
        82⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Djklmo32.exe
        
        C:\Windows\system32\Djklmo32.exe
        83⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Djmibn32.exe
        
        C:\Windows\system32\Djmibn32.exe
        85⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Epjajeqo.exe
        
        C:\Windows\system32\Epjajeqo.exe
        87⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        88⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        89⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Edhjqc32.exe
        
        C:\Windows\system32\Edhjqc32.exe
        90⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Ealkjh32.exe
        
        C:\Windows\system32\Ealkjh32.exe
        91⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        92⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Efhcbodf.exe
        
        C:\Windows\system32\Efhcbodf.exe
        93⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        94⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Eangpgcl.exe
        
        C:\Windows\system32\Eangpgcl.exe
        95⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        96⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        98⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Epcdqd32.exe
        
        C:\Windows\system32\Epcdqd32.exe
        99⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        100⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        101⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Fmgejhgn.exe
        
        C:\Windows\system32\Fmgejhgn.exe
        102⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Fpeafcfa.exe
        
        C:\Windows\system32\Fpeafcfa.exe
        103⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Ffpicn32.exe
        
        C:\Windows\system32\Ffpicn32.exe
        105⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Fineoi32.exe
        
        C:\Windows\system32\Fineoi32.exe
        106⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        109⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Fagjfflb.exe
        
        C:\Windows\system32\Fagjfflb.exe
        110⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Fdffbake.exe
        
        C:\Windows\system32\Fdffbake.exe
        111⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        112⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Fibojhim.exe
        
        C:\Windows\system32\Fibojhim.exe
        113⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Fajgkfio.exe
        
        C:\Windows\system32\Fajgkfio.exe
        114⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Fggocmhf.exe
        
        C:\Windows\system32\Fggocmhf.exe
        115⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Fpodlbng.exe
        
        C:\Windows\system32\Fpodlbng.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Fhflnpoi.exe
        
        C:\Windows\system32\Fhflnpoi.exe
        118⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Gigheh32.exe
        
        C:\Windows\system32\Gigheh32.exe
        119⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Gmcdffmq.exe
        
        C:\Windows\system32\Gmcdffmq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Gpaqbbld.exe
        
        C:\Windows\system32\Gpaqbbld.exe
        121⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        122⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Gkgeoklj.exe
        
        C:\Windows\system32\Gkgeoklj.exe
        123⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Gaamlecg.exe
        
        C:\Windows\system32\Gaamlecg.exe
        124⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Ggnedlao.exe
        
        C:\Windows\system32\Ggnedlao.exe
        125⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        126⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        127⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        128⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Gklnjj32.exe
        
        C:\Windows\system32\Gklnjj32.exe
        129⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        130⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Gddbcp32.exe
        
        C:\Windows\system32\Gddbcp32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Giqkkf32.exe
        
        C:\Windows\system32\Giqkkf32.exe
        132⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Hajpbckl.exe
        
        C:\Windows\system32\Hajpbckl.exe
        134⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        135⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        136⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        137⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        138⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        140⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Hglaej32.exe
        
        C:\Windows\system32\Hglaej32.exe
        141⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Hhknpmma.exe
        
        C:\Windows\system32\Hhknpmma.exe
        143⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        147⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Ijadbdoj.exe
        
        C:\Windows\system32\Ijadbdoj.exe
        148⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        149⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Igedlh32.exe
        
        C:\Windows\system32\Igedlh32.exe
        150⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Iqmidndd.exe
        
        C:\Windows\system32\Iqmidndd.exe
        152⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ihdafkdg.exe
        
        C:\Windows\system32\Ihdafkdg.exe
        153⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Ijfnmc32.exe
        
        C:\Windows\system32\Ijfnmc32.exe
        154⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Inainbcn.exe
        
        C:\Windows\system32\Inainbcn.exe
        155⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Igjngh32.exe
        
        C:\Windows\system32\Igjngh32.exe
        156⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Ijhjcchb.exe
        
        C:\Windows\system32\Ijhjcchb.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Iqbbpm32.exe
        
        C:\Windows\system32\Iqbbpm32.exe
        158⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Jglklggl.exe
        
        C:\Windows\system32\Jglklggl.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6320
        
        C:\Windows\SysWOW64\Jnfcia32.exe
        
        C:\Windows\system32\Jnfcia32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        161⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        162⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Jbdlop32.exe
        
        C:\Windows\system32\Jbdlop32.exe
        163⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        164⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Jklphekp.exe
        
        C:\Windows\system32\Jklphekp.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Jjopcb32.exe
        
        C:\Windows\system32\Jjopcb32.exe
        166⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Jhpqaiji.exe
        
        C:\Windows\system32\Jhpqaiji.exe
        167⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        168⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        169⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Jkaicd32.exe
        
        C:\Windows\system32\Jkaicd32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Jnpfop32.exe
        
        C:\Windows\system32\Jnpfop32.exe
        171⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Kiejmi32.exe
        
        C:\Windows\system32\Kiejmi32.exe
        172⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Kiggbhda.exe
        
        C:\Windows\system32\Kiggbhda.exe
        174⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Kbpkkn32.exe
        
        C:\Windows\system32\Kbpkkn32.exe
        175⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Kijchhbo.exe
        
        C:\Windows\system32\Kijchhbo.exe
        176⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Knflpoqf.exe
        
        C:\Windows\system32\Knflpoqf.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Kniieo32.exe
        
        C:\Windows\system32\Kniieo32.exe
        178⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Kgamnded.exe
        
        C:\Windows\system32\Kgamnded.exe
        179⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        180⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Lbinam32.exe
        
        C:\Windows\system32\Lbinam32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Lnpofnhk.exe
        
        C:\Windows\system32\Lnpofnhk.exe
        182⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Lldopb32.exe
        
        C:\Windows\system32\Lldopb32.exe
        183⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Llflea32.exe
        
        C:\Windows\system32\Llflea32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        185⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mngegmbc.exe
        
        C:\Windows\system32\Mngegmbc.exe
        186⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        187⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        188⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mlmbfqoj.exe
        
        C:\Windows\system32\Mlmbfqoj.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Mlpokp32.exe
        
        C:\Windows\system32\Mlpokp32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3584
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        191⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Mlbkap32.exe
        
        C:\Windows\system32\Mlbkap32.exe
        192⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        193⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Njghbl32.exe
        
        C:\Windows\system32\Njghbl32.exe
        194⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Nlfelogp.exe
        
        C:\Windows\system32\Nlfelogp.exe
        195⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Nbqmiinl.exe
        
        C:\Windows\system32\Nbqmiinl.exe
        196⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Nklbmllg.exe
        
        C:\Windows\system32\Nklbmllg.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\Nlkngo32.exe
        
        C:\Windows\system32\Nlkngo32.exe
        198⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Nbefdijg.exe
        
        C:\Windows\system32\Nbefdijg.exe
        199⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Nolgijpk.exe
        
        C:\Windows\system32\Nolgijpk.exe
        200⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4204
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        202⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Oifeab32.exe
        
        C:\Windows\system32\Oifeab32.exe
        204⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Oldamm32.exe
        
        C:\Windows\system32\Oldamm32.exe
        205⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Oaajed32.exe
        
        C:\Windows\system32\Oaajed32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4036
        
        C:\Windows\SysWOW64\Oihagaji.exe
        
        C:\Windows\system32\Oihagaji.exe
        208⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Olgncmim.exe
        
        C:\Windows\system32\Olgncmim.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        210⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        211⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        212⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Oohgdhfn.exe
        
        C:\Windows\system32\Oohgdhfn.exe
        213⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Oafcqcea.exe
        
        C:\Windows\system32\Oafcqcea.exe
        214⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Oimkbaed.exe
        
        C:\Windows\system32\Oimkbaed.exe
        215⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Pllgnl32.exe
        
        C:\Windows\system32\Pllgnl32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7336
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        217⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        218⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Plndcl32.exe
        
        C:\Windows\system32\Plndcl32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7500
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        220⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        221⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        222⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        223⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Plbmokop.exe
        
        C:\Windows\system32\Plbmokop.exe
        225⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Pcmeke32.exe
        
        C:\Windows\system32\Pcmeke32.exe
        226⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Pekbga32.exe
        
        C:\Windows\system32\Pekbga32.exe
        227⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Pifnhpmi.exe
        
        C:\Windows\system32\Pifnhpmi.exe
        228⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:7968
        
        C:\Windows\SysWOW64\Pocfpf32.exe
        
        C:\Windows\system32\Pocfpf32.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:8012
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        231⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Piijno32.exe
        
        C:\Windows\system32\Piijno32.exe
        232⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        234⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Qadoba32.exe
        
        C:\Windows\system32\Qadoba32.exe
        235⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Qepkbpak.exe
        
        C:\Windows\system32\Qepkbpak.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Qohpkf32.exe
        
        C:\Windows\system32\Qohpkf32.exe
        237⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        238⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7576
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        240⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:7680
        
        C:\Windows\SysWOW64\Acfhad32.exe
        
        C:\Windows\system32\Acfhad32.exe
        242⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Aomifecf.exe
        
        C:\Windows\system32\Aomifecf.exe
        243⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        244⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        245⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        246⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Abponp32.exe
        
        C:\Windows\system32\Abponp32.exe
        247⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Afkknogn.exe
        
        C:\Windows\system32\Afkknogn.exe
        248⤵
        Modifies registry class
        
        PID:8184
        
        C:\Windows\SysWOW64\Ahjgjj32.exe
        
        C:\Windows\system32\Ahjgjj32.exe
        249⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Bfngdn32.exe
        
        C:\Windows\system32\Bfngdn32.exe
        250⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Bkkple32.exe
        
        C:\Windows\system32\Bkkple32.exe
        251⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7556
        
        C:\Windows\SysWOW64\Bcahmb32.exe
        
        C:\Windows\system32\Bcahmb32.exe
        252⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Bfpdin32.exe
        
        C:\Windows\system32\Bfpdin32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7796
        
        C:\Windows\SysWOW64\Bohibc32.exe
        
        C:\Windows\system32\Bohibc32.exe
        254⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7708
        
        C:\Windows\SysWOW64\Bbgeno32.exe
        
        C:\Windows\system32\Bbgeno32.exe
        255⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Bhamkipi.exe
        
        C:\Windows\system32\Bhamkipi.exe
        256⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        257⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        258⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Bjpjel32.exe
        
        C:\Windows\system32\Bjpjel32.exe
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:7408
        
        C:\Windows\SysWOW64\Bmofagfp.exe
        
        C:\Windows\system32\Bmofagfp.exe
        260⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        261⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Bblnindg.exe
        
        C:\Windows\system32\Bblnindg.exe
        262⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Bheffh32.exe
        
        C:\Windows\system32\Bheffh32.exe
        263⤵
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Windows\SysWOW64\Bckkca32.exe
        
        C:\Windows\system32\Bckkca32.exe
        265⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Cfigpm32.exe
        
        C:\Windows\system32\Cfigpm32.exe
        266⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        267⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Ckfphc32.exe
        
        C:\Windows\system32\Ckfphc32.exe
        268⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        269⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        270⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        271⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        272⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Cfnqklgh.exe
        
        C:\Windows\system32\Cfnqklgh.exe
        273⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Cimmggfl.exe
        
        C:\Windows\system32\Cimmggfl.exe
        274⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        275⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        276⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        277⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Coiaiakf.exe
        
        C:\Windows\system32\Coiaiakf.exe
        278⤵
        Drops file in System32 directory
        
        PID:8396
        
        C:\Windows\SysWOW64\Cbgnemjj.exe
        
        C:\Windows\system32\Cbgnemjj.exe
        279⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Cjnffjkl.exe
        
        C:\Windows\system32\Cjnffjkl.exe
        280⤵
        Modifies registry class
        
        PID:8488
        
        C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        281⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        282⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        283⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Dcigeooj.exe
        
        C:\Windows\system32\Dcigeooj.exe
        284⤵
        Drops file in System32 directory
        
        PID:8684
        
        C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        285⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Difpmfna.exe
        
        C:\Windows\system32\Difpmfna.exe
        286⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Dkdliame.exe
        
        C:\Windows\system32\Dkdliame.exe
        287⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8852
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        289⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Dmdhcddh.exe
        
        C:\Windows\system32\Dmdhcddh.exe
        290⤵
        Drops file in System32 directory
        
        PID:8936
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        291⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9032
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        293⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        294⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        295⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        296⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8228
        
        C:\Windows\SysWOW64\Elpkep32.exe
        
        C:\Windows\system32\Elpkep32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8296
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        299⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        300⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:8484
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        302⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        303⤵
        Drops file in System32 directory
        
        PID:8612
        
        C:\Windows\SysWOW64\Fcniglmb.exe
        
        C:\Windows\system32\Fcniglmb.exe
        304⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        305⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        306⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        307⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        308⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        309⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        310⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Fideeaco.exe
        
        C:\Windows\system32\Fideeaco.exe
        311⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9152
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        313⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        314⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        315⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:8508
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        317⤵
        Modifies registry class
        
        PID:8616
        
        C:\Windows\SysWOW64\Gkhkjd32.exe
        
        C:\Windows\system32\Gkhkjd32.exe
        318⤵
        Drops file in System32 directory
        
        PID:8732
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        319⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Gdcliikj.exe
        
        C:\Windows\system32\Gdcliikj.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8884
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        321⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        322⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Hgdejd32.exe
        
        C:\Windows\system32\Hgdejd32.exe
        323⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Hdhedh32.exe
        
        C:\Windows\system32\Hdhedh32.exe
        324⤵
        Drops file in System32 directory
        
        PID:8320
        
        C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:8480
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        326⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        327⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        328⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Hlhccj32.exe
        
        C:\Windows\system32\Hlhccj32.exe
        329⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        330⤵
        Modifies registry class
        
        PID:8280
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        331⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        332⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        333⤵
        Drops file in System32 directory
        
        PID:8968
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        334⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        335⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8576
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        336⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9028
        
        C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        338⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9148
        
        C:\Windows\SysWOW64\Jnhidk32.exe
        
        C:\Windows\system32\Jnhidk32.exe
        340⤵
        Drops file in System32 directory
        
        PID:9124
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        341⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        342⤵
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        343⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        344⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        345⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        346⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        347⤵
        Drops file in System32 directory
        
        PID:9416
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        348⤵
        Modifies registry class
        
        PID:9472
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        349⤵
        Modifies registry class
        
        PID:9524
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        350⤵
        Drops file in System32 directory
        
        PID:9568
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        351⤵
        Drops file in System32 directory
        
        PID:9612
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        352⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9700
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:9744
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        355⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9788
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        356⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        357⤵
        System Location Discovery: System Language Discovery
        
        PID:9872
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:9916
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        359⤵
        Modifies registry class
        
        PID:9960
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        360⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        361⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        362⤵
        Drops file in System32 directory
        
        PID:10096
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        363⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:10140
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        364⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10224
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        366⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9312
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        368⤵
        Modifies registry class
        
        PID:9364
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        369⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        370⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        371⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9600
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        372⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        373⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        374⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Odalmibl.exe
        
        C:\Windows\system32\Odalmibl.exe
        375⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        376⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        377⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        378⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        379⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        380⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        381⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        382⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        383⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        384⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        385⤵
        Drops file in System32 directory
        
        PID:9756
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        386⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:9996
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        388⤵
        Drops file in System32 directory
        
        PID:10084
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10192
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        390⤵
        Modifies registry class
        
        PID:9324
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        391⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        392⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        393⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        394⤵
        Drops file in System32 directory
        
        PID:9988
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        395⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        396⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        397⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        398⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        399⤵
        Modifies registry class
        
        PID:10212
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        400⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        401⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        402⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        403⤵
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        404⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        405⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        406⤵
        System Location Discovery: System Language Discovery
        
        PID:10272
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        407⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        408⤵
        System Location Discovery: System Language Discovery
        
        PID:10364
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        409⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        410⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        411⤵
        Drops file in System32 directory
        
        PID:10496
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        412⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        413⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        414⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        415⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        416⤵
        Modifies registry class
        
        PID:10716
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:10760
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        418⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        419⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        420⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        421⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        422⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        423⤵
        Drops file in System32 directory
        
        PID:11028
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        424⤵
        Drops file in System32 directory
        
        PID:11072
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        425⤵
        System Location Discovery: System Language Discovery
        
        PID:11116
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        426⤵
        System Location Discovery: System Language Discovery
        
        PID:11160
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        427⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        428⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        429⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        430⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        431⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        432⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        433⤵
        Drops file in System32 directory
        
        PID:10568
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        434⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        435⤵
        System Location Discovery: System Language Discovery
        
        PID:10704
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        436⤵
        Modifies registry class
        
        PID:10768
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        437⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        438⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        439⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        440⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        441⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        442⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        443⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        444⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        445⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        446⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10580
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        447⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        448⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        449⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        450⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        451⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        452⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        453⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        454⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        455⤵
        System Location Discovery: System Language Discovery
        
        PID:10712
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        456⤵
        System Location Discovery: System Language Discovery
        
        PID:10868
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        457⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        458⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        459⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        460⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        461⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        462⤵
        System Location Discovery: System Language Discovery
        
        PID:10260
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        463⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        464⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        465⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        466⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        467⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10664
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        468⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        469⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        470⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        471⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        472⤵
        Drops file in System32 directory
        
        PID:11432
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        473⤵
        Drops file in System32 directory
        
        PID:11476
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        474⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        475⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11572
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        476⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        477⤵
        
        PID:11684
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        478⤵
        Modifies registry class
        
        PID:11744
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        479⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        480⤵
        Drops file in System32 directory
        
        PID:11832
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        481⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        482⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        483⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        484⤵
        System Location Discovery: System Language Discovery
        
        PID:12028
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        485⤵
        Modifies registry class
        
        PID:12072
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        486⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        487⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12172
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        488⤵
        Modifies registry class
        
        PID:12220
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        489⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:12256
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        490⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        491⤵
        Modifies registry class
        
        PID:11328
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        492⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        493⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        494⤵
        Drops file in System32 directory
        
        PID:11516
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        495⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:11580
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        496⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        497⤵
        System Location Discovery: System Language Discovery
        
        PID:11672
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        498⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        499⤵
        System Location Discovery: System Language Discovery
        
        PID:11800
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        500⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        501⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        502⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        503⤵
        Modifies registry class
        
        PID:12064
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        504⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        505⤵
        System Location Discovery: System Language Discovery
        
        PID:12188
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        506⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        507⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        508⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        509⤵
        Modifies registry class
        
        PID:11336
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        510⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        511⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        512⤵
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        513⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        514⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        515⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        516⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        517⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        518⤵
        Modifies registry class
        
        PID:12020
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        519⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:12060
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        520⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        521⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        522⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        523⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        524⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        525⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        526⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        527⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        528⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        529⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        530⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11628
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        531⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        532⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        533⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        534⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        535⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        536⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        537⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        538⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        539⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        540⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11968
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        541⤵
        Drops file in System32 directory
        
        PID:12248
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        542⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        543⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        544⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        545⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        546⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4912
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        547⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        548⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        549⤵
        
        PID:348
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        550⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        551⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2804
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        552⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        553⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        554⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4540
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        555⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        556⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        557⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        558⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        559⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        560⤵
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        561⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        562⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        563⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        564⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        565⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        566⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        567⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 420
        568⤵
        Program crash
        
        PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4332 -ip 4332
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
128KB

MD5
d32f294c4318e68a4926d02f15a9e5fc

SHA1
c3af4d243e631ee56c3ff31cb288ac10d84c23ca

SHA256
50c53c8769d6772560f69a8fe6efcc13e2eeebe6c53e5d4bb8cbdd67bb8ddcb6

SHA512
6bb446aeadb53e7a3f1be3bd40010a0e51f2331492cfa2d2862bdd436310f091259da84334037e6e67b246a259e45e6b4b7647a735102708d25dee5d582c219f

Download Submit
C:\Windows\SysWOW64\Aaldccip.exe

Filesize
128KB

MD5
3b43657edd0ead152fd8ea0b41a32997

SHA1
39c266462b198aca40c09a5381ff3003c607a1c5

SHA256
9f205c07938a76923431ca5602bbe97306e6aefb2f34962cf829ceb1fb38cfda

SHA512
ad24eff429e70d107276d3168f13acfdcae19ae0d70b3a3674951c8295eeba5140184ad3bacf66acaaa9fbf3f79a4bcfb19eb37246eae7f424375673ff3db6bb

Download Submit
C:\Windows\SysWOW64\Afnnnd32.exe

Filesize
64KB

MD5
dfc3955715b093d7f861a14a4e01678c

SHA1
10ae0d8436333feb9d62c8d8f4068dc00b0d9925

SHA256
fe60fabf27b497ce31d50b8fe7e34a54055831f0f8cb8c8869c2d459c7e737d7

SHA512
dec3d2fd50c0714daa413eae5725b4b91b3677d842db5d9353b706d81669096d2ac2ef30efe51f40b4a2a52c798e762cc3fcc72807a835ad120a83da2a1e1d53

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
128KB

MD5
1382355c021e6d62277e690543cc755e

SHA1
3954773b791e3e02bba628d40d287a672b09cf84

SHA256
ab20cda61b46a177a0e478cbbc158e4ab96cc85e15a287adca5f7bc888bfbf13

SHA512
62a60ea193b17ce49ee56a23854a562234c8d9e98b270e7ca6b3c3f94fc416d40a9c88ec06a090b76255737e294e48a27b58a97189ea6ae6b23d9426fdafb996

Download Submit
C:\Windows\SysWOW64\Ahjgjj32.exe

Filesize
128KB

MD5
8c457244f5d64a87d02d5dcdcb1d241c

SHA1
0b2cb5b534a2b5b7863045b7f82a795b84c0cb6b

SHA256
50f898a97c3c2ea5ddb0d6dea165b3ab331f415723bd0d2758f1e3e6533de8fb

SHA512
67ddcfeb0bbe2a20b097c2ac538575412f885b1745baaa365ff39cad7dd5f7051a4c51e3e5b06849e5e27884e2cd02ae0ad31c8623b56d5cd908011d8583d3b8

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
128KB

MD5
7cfd07fe3b84d1f2ba253dbbe11f5502

SHA1
6f937beefb135b6312b9e67edbc9c526141b84b3

SHA256
c14ea5b2cd844d72e6f01beecaff1d8a446b8cc3360b898feb2e1ed0de931594

SHA512
9ec5cab7ea940711d630eb3f3ceda81027718461eec5323775bb0165c6b34d975f79c96675853524bc6346e84dc03c21ad3dfb008bf0bebebf591426cc61bdfc

Download Submit
C:\Windows\SysWOW64\Akcjkfij.exe

Filesize
128KB

MD5
e31901e60397c91059fccff3ae84f216

SHA1
a27482df457f3aa162faa97ae27b8b81013a0bc2

SHA256
49080a0bd88ad1ceee5fd2812318950fdf6ed74afc2f441773ef858def48c3cf

SHA512
4468dd0c7c508e7077245b98b9497f7234fdd9fd347b5b715c8319f8c7aecbb125d29fe5b03685d6a7ce971763de446600bbcae3b58f84d72bf767680ee86579

Download Submit
C:\Windows\SysWOW64\Aknifq32.exe

Filesize
128KB

MD5
50fc6a7080de0d8cb8e91a0d47da53a8

SHA1
0148c89ad2bdbff7b61bdbe3db9682a54ed78603

SHA256
cb5249332ed5bc892b3771225e1058be6ee027a0c2906d619a0f6a3beea39451

SHA512
39b6dce7dee50b2ddd5cf3eac8aa1a856a7ca8dae3060c95e00135d9fe867b2abd11d068a3dd0e0449f34ef44e0687101d09011f0939c173877ce08ffb004a60

Download Submit
C:\Windows\SysWOW64\Anobgl32.exe

Filesize
128KB

MD5
80ecae1ea38bc2f76b6f9c707188c1d8

SHA1
8e07eb54f9259088969a8d9f171b44108213d81a

SHA256
cf2c771d2cf2a5e529941b0245fa39dc7f434a8a6fa4ef6b5d2c504d1fc874dd

SHA512
0cffc7239f8f87caa2de4571741d9d31bd509011466177e7f633c6755ce9a77ccab3ebc74c1c799444b7c3e7d4a4b25ee980ca51acf90c4875e8db1c3cb9c8da

Download Submit
C:\Windows\SysWOW64\Aqmlknnd.exe

Filesize
128KB

MD5
6720c99b255706c615e89658cc1d6575

SHA1
377ce60414687032a05b33f8d62a8850a52ad96b

SHA256
28abde727c4a379327b9a28b4882f8116755078cce713738c4a2f28c1a7c0901

SHA512
1a855a2b6db68317785e4d13bdb3deae340d3bd32108da6c730045373eda26f86eea60a0985b16f7ce97f7e3a81bc5d8d02fdd69f8f0fc8e7e9587cf6da3fa0c

Download Submit
C:\Windows\SysWOW64\Aqoiqn32.exe

Filesize
128KB

MD5
cecb9cc3eacdfe70d2e5415b9c972d5f

SHA1
bcfcc8e407cc860535ba917e74ad1885905461d9

SHA256
3966b6f9eea55195c34162d740e3f022f11e03b6aec44c4b33873d4c5007f014

SHA512
2c135ff0b5c65ed30f86fa7acf736d1f4b5febd779fb01a7c3b40c743b9d86b1f32f93c386dba25c9346626f7d8106607e254052c85df70173284f88cc552ebf

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
128KB

MD5
ee8458d5d7292985b20e9ac0a4636951

SHA1
955da0c3fd8e8e9e2590bf8dbb60293d575ab42e

SHA256
a227be0f160141e776424b070cfa1c19ed26a223f0bb8abd07df34b6d2efad12

SHA512
b14c3a031316084b83520a08d0bf32cbe388fa177b394e444a64d881dd4e2b81fc8d3b6c101eac50c2a2c0048e2cfa5faa722cf0285e7809d7c66390a26c802d

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
128KB

MD5
831553d508587ba84898a80a8751714d

SHA1
fe7846d5ecc58b8f52929ca7ac41fd4a51ffea77

SHA256
b4039d958080c41af4a4718347144f35dcda333a5d58905a6dd61488b61fab0a

SHA512
66efa2556fd48a96de0dcf207f7322796ca7254b7a2d037645624730f5d0d9487994d22bcf9f6972886745a3586e6db59bc9bc753d363fcc2ef0e328c0ff8da0

Download Submit
C:\Windows\SysWOW64\Biogppeg.exe

Filesize
128KB

MD5
8c4e9b6d0b73e032f90aa757bfa938d6

SHA1
820306bce217cf1b0cc745dabd0fd3abb44c8e13

SHA256
6e46240f1ad32353b24e9b8076cf9c2343a00d3b2530be4371a7f5a11ea3f518

SHA512
c89536aff204531e5117731f8ff2bb4c057729588a0107b25f91ac01d014a1dd4c37f45bee067038d8d414ff2525604eafbb52acff2d7efb6ab3dfe7c074052f

Download Submit
C:\Windows\SysWOW64\Bopocbcq.exe

Filesize
128KB

MD5
07730f98b5b024147913ab5ec7832aa9

SHA1
73ac3aea4a36cd8951773f031637865eb7100416

SHA256
6bc4906bc7065eff822b76d3664de3d22cd884f009852effd7bc29a9746cbf66

SHA512
d70fc1535ace0ee38fb5601401e631e781751f40e2e16ebc421b65de576a693551ac9e3fdf8e9d533ee3162a365f6571d651977e99d7f2907b3cf518e4f6d75a

Download Submit
C:\Windows\SysWOW64\Bqmeal32.exe

Filesize
128KB

MD5
67ccd86c983ee2c5d28b55d22abce9ab

SHA1
e3bef1f59e6ae04bf76ab4c58849baba14b1501b

SHA256
43f526e3cab05d915acec3b575538e9ed67ff7d52f4ee156eb0a66632c436ad2

SHA512
f11d8c3edb2c88944dc08b6a6c6404fb6165844184a6d705497ef529780462738fb116c97a22ac1922bf1e013abe7c96696d3e9a55daac97324decbb9ecaa16e

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
128KB

MD5
8bcacf9bb55c79f5fcf0260df4f3d06d

SHA1
4f2f897c44d0be1010adda8b68af2b57a1f9273d

SHA256
b20f79ec456cedc24510e9013de352186eb775b50b800bc6a6b265aa4a26b70b

SHA512
b5f5eb47904b4b2c95de3bd3d58ba53627221d96348964cdacbd0a03fdc85be98c83b5da854cbbe44caffe48565bd00655574a42ed3dc0e75d350ed106eb90f8

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
128KB

MD5
c7ff752365c53392f094c600397f22e4

SHA1
92acc5dd2294677c0047887a8cafc19bbd8ce1d4

SHA256
a953c246d37bb106df974f40c1bd5c4c0e50b65b1dd4f7741cdcf4ce11db438d

SHA512
fb123d010f377ff95cf89773b42903ee6c5bb3a5ff295dcc0d73760ef123943ab42a5c1293511c4935560cf089962607a3595aca89a6123b04d194f327a80e28

Download Submit
C:\Windows\SysWOW64\Cnahdi32.exe

Filesize
128KB

MD5
da9f7a302277fb87fc240e47421494da

SHA1
bd3ce7c58f79e061f4233e523a2d130840e8a551

SHA256
931c3047dfeee809a436a7f30fc9a66c4872d1605db36b0bc837271515bc4599

SHA512
14526fcee453408bf7a9960fd90db2fde43085c5584529f35bf087f5b831eb1a3eb9c610fc080b6bde830e536ebf128ca6096eba82ce6f6f6cc7dcf30d09f4f3

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
128KB

MD5
c750eac920a9c5a83fe390f3e9b1245e

SHA1
ae44c2f0ce6229bbe1bcd303a9c4bf6c7a82a58a

SHA256
b737450eb3c6ca59a63f230ee8a9072c4eab9754d50094823542d53bcb1a094e

SHA512
9d4e279a6551788f5bdd3fe36d2560a5a6933b5b500d4c6229036c2dbdc2c67b67196bc989a9cec746de7421c67eb75da80a105400f61bc488b81e016af615e4

Download Submit
C:\Windows\SysWOW64\Coknoaic.exe

Filesize
128KB

MD5
a756b886391e71a8e02ee020881b4909

SHA1
57e545c7d28dd3c6816adafd4ed0f84a6b198129

SHA256
77bccb4a81476e737a37a69275ed5ebdead5cda9414ea4dde71dc264e5cd0de3

SHA512
0b357e422eefa0825a1e2cbfaaf8963fccad444c3a64dd2feec1ab90c0cc6948ee586f31e9dc8ded42f9c7ca9e40e913452c01cd0c99370757fae7b6d4d43de6

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
128KB

MD5
e42dfb97c6fd9da33b64ca93a902ba68

SHA1
220538383070b9124b6c86f968957d45209f600b

SHA256
bf488af8df2ba55fa0cdba777b8944148adf1920c1a2297d4015a885b0811aed

SHA512
fc2f91c125afba8c37a1cf51e85931b53919eea0905d083c16c89a50daf5663ef0b96b1bff789d837dfa7b505a5b04f64e10392eb171a9bb96fdf56e9e39e96d

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
128KB

MD5
8f3216d030a585df1fc9195a78250a9e

SHA1
b7ffd7064ab9f47b09cba27c6f01f4d7ded9cc8e

SHA256
98426728c97ee0f79fdc59d7a0fc9acc60740c01b694c1d71c8b77fb3cb3a290

SHA512
7b0eb2e10ee0f1f5a2e60f4278145d789ce0da7b91b56bc5adf8e8023e69a5ea4df324302633e42243a9b923e236556e88d63f6bce8010aecb05a964525bf0a2

Download Submit
C:\Windows\SysWOW64\Dbndfl32.exe

Filesize
128KB

MD5
cdeb6e367778d454fc796c2d48379b5e

SHA1
4f65910b53132614da6b5b8bbbf638bb6e4c7e3a

SHA256
51dabf0dca4c9763e98a84667adda5e8b850a32b1847d8d7bf52db15c5267ce8

SHA512
76003f9d65d80df8e12fee5c49bc3a348d121b55beaccae4e64f658322f88792bbf0b4999fe57a98c3a9ed807ae577bd553381593f3d4a59a18a989a7a92ffe3

Download Submit
C:\Windows\SysWOW64\Ddligq32.exe

Filesize
128KB

MD5
3e5a813b5ff706ddbd33e65a82c99b40

SHA1
4001b745c47228638d9a4822b9f0fb029bb6e05e

SHA256
5a38c8749e0a62c00a6c421903439af61acfbf321044c4d914bc4364b8617990

SHA512
d5f81d182e924014fd4c31b3a94c7c2c743a814e6214a3287bf06a791179666d9606b4adef0d4a15e9c11ed3035c3ed9937bce55ae4e0104c0a84c07500ba052

Download Submit
C:\Windows\SysWOW64\Diicml32.exe

Filesize
128KB

MD5
603b963327db5a004e82e0d954224acb

SHA1
5650cf94c91d4c61f4132fa8b34c10e14214ce7e

SHA256
6fa81b7a7bab71860dda996ffc57b5e6ac521cebe88ddd775aab2a63f729265c

SHA512
14a65a3480546a40c0252980a33e2db064d9dea283b636e10bc0e3c5e6e356c65d29c71994f1f34c9277717fa88bc32629ebe255544ceb11a7afb9ffae19aacd

Download Submit
C:\Windows\SysWOW64\Dimenegi.exe

Filesize
128KB

MD5
93bacf7a4fe6d970376f4585854761b5

SHA1
fbddded3d457bca9bffbcb66fae54c7e58544054

SHA256
de7ca60e764386802ce57bb704bf7d53c960b551ce919f0199e4fc0c20d77d59

SHA512
0a7bc3e5ad0af22a550e83806816f0425106d88aaa489b312f9dd1c2a0aff802817b9064a26e980932560b3eb0ce97a069046b80a2d3d919c02906ddd929f8a2

Download Submit
C:\Windows\SysWOW64\Efepbi32.exe

Filesize
128KB

MD5
73a5b446fc7f665f79ecb8d8c4585b1b

SHA1
4a773b6a74c644cff82def6fe5f1c992be6e7f18

SHA256
79c06231e59b89b7ac73d4dfd3f06d8120f7f2f8d1323d75ed23bbb0bded3a42

SHA512
4fec14cb7b96d33322af0749647a2bcc6ecfcdbf8e65339d1d23474fba9c134b8b54a51d64eb9704407a8fa3c8581657387f55c885f237829787e598b0bf4952

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
128KB

MD5
fa23d8ba8d7093362cc6595f1d44cbdc

SHA1
467039a344b7b5d6afbc75fc8e20cbabc2a19f23

SHA256
460ca7e25dd4264cbf8b021b57037d710faafb58b68952fd3adfa042d7e6256a

SHA512
691d97bd08dfb8371785ea20eb3fd0ba65bbf4f1ad2d0a47c416cde3c47727ab304b08bc621585a1605d0cc11a9e064f9b0aa6f7b84e8db46fec497f55eff7c4

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
128KB

MD5
7ba4ec023d983c2cd66fc86c0912ae46

SHA1
7bd639d716d7b39144f7d4d9f248a8ed234d90e6

SHA256
84fd7e97cfa3581fadeac32e3748e6628e3812aec5986c13fec110b2d940219b

SHA512
51e3578fb565acf20a781f54f5937d01754a8f21195eb1937794367cc327f10c785de8aec963d4be4875f13d528990f89a37806da625406a7320356ecf531c9f

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
128KB

MD5
df02295c1ed3313742bbcbc7f76b2d30

SHA1
051141d116399945822381cf99975d8738b45cbb

SHA256
a1617ba98160f82c6cefcb5253c7d20de3b59677d80a36d98e4bbf4ab66b1bbe

SHA512
f8d5264ff1e7bfabbcfdd43d6bb8ddc60c0cb0a06f43c74f579d9a9667022f712b874371777ae487726d3df82c555cf90b35419cfce76aac2427a6eb76e23e3b

Download Submit
C:\Windows\SysWOW64\Fagjfflb.exe

Filesize
128KB

MD5
18d4f393532c598046b09f582aab074a

SHA1
6f1381ad48098b5b67b10cfea4709bc0d5425401

SHA256
2f229051aeb2cb0e480007bad682a1f392073210fe75a376d2c028e417328b3b

SHA512
cd56adadf97cea4a0393396e092e828dd9447467b573a3e122f20871cb623bd0a7e2e67c09a3e428cfd0cb86d77ffacf20c2058e81c38de79aa56fa521a0db9d

Download Submit
C:\Windows\SysWOW64\Fcniglmb.exe

Filesize
128KB

MD5
a5a605fdccf804bb51d8b3925e608dde

SHA1
75c127783f354fc1af1a19bc80bb16f2e5c334bf

SHA256
fe1903f8df001e363008ebf60c447dbe385213f76f2eacab2ef008047e2b76d6

SHA512
9587f80a48513d274ed7cb64882437dc675e2f41db9d4b9d0f6c7cd940cb11df1315395e3aa7f2a504cf7537390fe3d516b6c1fecb6613e5a958bcb9fe4e4ca0

Download Submit
C:\Windows\SysWOW64\Fielph32.exe

Filesize
128KB

MD5
85f076468ef106336dce13af6a882929

SHA1
12bcf5ff3fdbd70aecc775689f94a967931db90c

SHA256
d843f2bdfd6ced6792233ba42917ed8919eb94a574e76cd1876a6bc782217a04

SHA512
0f4e48d4924cc8d625ca69ec1a332995acb67821dc54cfd13077d928b441372b5ee46ed2235b3c760c7e91eb2413adf2879da8e66f1ee678e4df6b26ecd72455

Download Submit
C:\Windows\SysWOW64\Fineoi32.exe

Filesize
128KB

MD5
b1a6f2ff6f3722649c911a30fa55783d

SHA1
d644f96f1a4fc1faa9f68943c029f14f858428fe

SHA256
43c5924278fa689a2660abbf6dddd3383821c30766aa5513f84289444fd6c142

SHA512
ccaedae0ece0bb211906f6e182bb0ad7db135f4621c2b0d1385a5234cf638714109f64164782bd455f3d16062f9a50c40777f10d3b9516b5ddffec0d1ed75162

Download Submit
C:\Windows\SysWOW64\Fjohde32.exe

Filesize
128KB

MD5
9856c749f83e34cffa76becf3e733aca

SHA1
a5a8de074db27397fc26dee0e159574e5a8891f1

SHA256
35090eba6f653ed647edb1b0e2714baaf0fdb7727f47a79f67a7a6d91bd18112

SHA512
e2f40c82cb4cb659c8632d9c484731b6827f4ada74d6083b625391627bb75a93fab26a7a4a90e162ff0af962677d5207bd8824c2adf86f594ec1ecbbb7d41361

Download Submit
C:\Windows\SysWOW64\Fmikeaap.exe

Filesize
128KB

MD5
27b0e4cc78cf99472b7d758f306ca8b0

SHA1
c7fb07f12ea45e67fa064ce0133eb4eb3721c127

SHA256
5ae3428eee1950b9af77528624df3230e6dc8dae28a7ce1b0b46787751820218

SHA512
0267beb3772bb9ed6d4cf8c151c45ba25e0b217fc7e721bc969d831fd3a7488989a6057762c5acb09e5f4cae282678f7573007a168a2eb785c8c889067999e9a

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
128KB

MD5
9ce446b81ef0e7ec27d505d2db530c50

SHA1
2549601e325616974001634cae23f21b4ab5a463

SHA256
ec6b068e82fc5ee9af10d86c9a446b26a53bc267920d35499b27a31e650ba5ff

SHA512
8da210cbb6eae61fe4f92fccd3fcec5dcacc26cb772f6d1cb88c75f3bef620c9fe372d0184fea56607043fcf440caf8c4ce6a32d571a0a62aca40de7a9c34115

Download Submit
C:\Windows\SysWOW64\Gaefgd32.exe

Filesize
128KB

MD5
e72da447833de45e3aaead8b527bfe11

SHA1
7466bfab6707178ba1699d6cfaf5b2333e974b11

SHA256
a67ed418b5f5c7c13b7a7eaa1431e152a88280c62d3175cc2b5f5725a1008953

SHA512
90b1e700c200f638445dc8e7293691d6a02649ce7daa3170582163b62f71f86aece6e0742e6cfdff9acb538eaa1d7c3442b66524c155ac005307a674804ef910

Download Submit
C:\Windows\SysWOW64\Gdcliikj.exe

Filesize
128KB

MD5
72314a69ba8f6e115d41b6b63b79eef5

SHA1
353e4aa7605b10c7191a800aad94eec7a9473751

SHA256
19d352a3238fa64aa0d84aad250b0bebfda1879d7f875011c005d41355062fcb

SHA512
8eed5cee3dfce1206461bc82b641999a352cd694e9f874e843bab12bae65c6933d92caec2bb901a9f1711cd538354a0896a6bd8a2837eab730e8720db524f352

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
128KB

MD5
3f9dc52c0cb892791d7d656f622852d6

SHA1
2c188330b15cae49d6e657a432d1da1339985805

SHA256
70436f7168e4e135f4b87b6e45bcefc724d7524448f9e30d4fc219bd400837eb

SHA512
2f10e72eb2effd6508f9db1bf17c5100eeeb84f7c84bd2d96faf4dbe856e9c1e133fd826e9ec4fd63eacbd67b206984c5c8bf78b9197ca13d7cee98ddb72f60c

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
128KB

MD5
ff76967e13660204cef1cd5c0a989d0b

SHA1
730236ff003596810023a4b9276f7375d137a7d8

SHA256
3eb79c86fcf1842b7bf92881349a08e0d28bd245e0c2be37bb6d0e88bdfb4831

SHA512
e62339af47fcc7e422cd7ac203aaa362526b7bbb83b5ab7c3922eb919f215ca28517f7ea58476f69da719630b7d39219dc9990697deee654b4ab735bf69d4cd0

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
128KB

MD5
6642500d7c8e55f99ca5bf365b1ef679

SHA1
2ba02c887a7798057b8f0a008a977b93b0c07acf

SHA256
601b9f5e4a025d88393f293ed4ec9161c7e23b61ee002780aca86f075ed738e4

SHA512
f3167fe9eac0ea1ea4439be9ff6ce6c9b2e7dc4a153a7dde8b18be9f37c532e13c9a9a54e52d8bc040c8f9c7b44ed91f73bdb08ba6ed2e57dc15630f0d061c72

Download Submit
C:\Windows\SysWOW64\Hajpbckl.exe

Filesize
128KB

MD5
ae57149117124678107b0987d1d952a4

SHA1
a585227da8a47c75e6f4dd05de674c66886d078c

SHA256
b391a3f5ca57dbbe4bcb4b1ddda5d8044843b5dcd3d4db472d362c3684c0b7e9

SHA512
6c0516d83d5eb6e47ab46ba522c645f4712781299fb98aaf357e8627eb668ecb260b5024018ae42f1ef83fe6b23b4872ed4310e172477810c5eb607777c8a3b2

Download Submit
C:\Windows\SysWOW64\Hdmein32.exe

Filesize
128KB

MD5
f187b6d51e1c2e8dc06e9faf8a86ebc4

SHA1
33420163cf8331dbfa17451ce9a2d9cbcca58a77

SHA256
37ccae0f6c787972b7bab99f62507dc7624ca6f6b8fb1097ce09cf076402b43b

SHA512
6ae10d11c79ee3030edd19f84d5d9067e3b32ddd6a9bea16036eccfe67b1c98da6bfc17967052020fbcf76292d44eb8d69f92fd63074a219bf421f5449ac5e09

Download Submit
C:\Windows\SysWOW64\Hgdejd32.exe

Filesize
128KB

MD5
3424e3751e824246cd1c146c817293b8

SHA1
493beed01803df4b4394ed708ee836daa34b0b0b

SHA256
8b35e757d7c613419628df206ef3c05d3c31381a136fd5f64637daf6fc58eafd

SHA512
c183a0de5a4e48ed37bb798140cec546a494587e76c7a12bb505cbea54fe53ab96e6674e38a3bd0bca1121a558b6f1abcb49867841c0ba261668ba8b6285dee4

Download Submit
C:\Windows\SysWOW64\Hhknpmma.exe

Filesize
128KB

MD5
64d4dbc0e843f0bff3c9bcdf0b822f26

SHA1
8e5d3c2f6a8fd44620cb04f0c580d848e20355f7

SHA256
55b67ef13dc21251d40144cdc3c76399e3a73817dc2f6c744e00027e07c332bb

SHA512
e95c54d9565cd62e5dfffbccaf842795e00fad672c78f1a9364e9b8183a450bd7a6a27add04a02ffe406e4b9a8814b7a7e28c3f46a4a81537d9e5e9985e95c67

Download Submit
C:\Windows\SysWOW64\Hkeaqi32.exe

Filesize
128KB

MD5
1d2d4e2a5c57c0c17dd1daed1b4d7d09

SHA1
5c0732e25e8fece608d1cbc9d8c33bb9ddd17232

SHA256
78b80b7c147778fb65ab5ede724df2ad7f207b9b8a9c2f8d279a818528371dd3

SHA512
a3f0389f4fda831443fad24221bfe482494bae67a21494fe9fabcbcca4dc17f82d2c5124471f7359bc4c8ae9b77aa94498e6d459da0823782340cf66b6b3bffc

Download Submit
C:\Windows\SysWOW64\Hlhccj32.exe

Filesize
128KB

MD5
2c9f2af1c79549a5e8c1f28a8303a7fa

SHA1
cfbfd7b5524a52cb6321a5481ed1fdea2f6e4637

SHA256
355d3a4501bd2c10d1f4986ab8d64291610dbd00d1a01f6af9a4db800885d959

SHA512
2d92aa2a70d713d9b2ce70d7750545c0b6ff90458f51025e1b9d6d39b969d47c774c6aca7608024f0499c3dea10cd4b434e9235ff2599cd894753508707bcd09

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
128KB

MD5
5c67472cc4403997ab29ab86679b5c88

SHA1
85d18a6d40e2b67a65a62d81247cacb0875a42b1

SHA256
137d3f894acf39497bf1aabebfa96cfd4ef608060f0eac040ef864830cdb54b8

SHA512
2178eefefb350e3c17350488878fda380a1571dc1f51d7ad886ae6e27e21515270f5767d4739401e42342787bb8b425782052a07128ae27cd9f88ca06f4b2073

Download Submit
C:\Windows\SysWOW64\Idcepgmg.exe

Filesize
128KB

MD5
d8cca83f00ee64669460f1746c5b44c8

SHA1
735860ed116d1bf39eccac8ed84f74b8902b36b7

SHA256
853137e7d581bc160b2bdf311fbcc5d5043acfc80dc2e39b9bbe0ffda37f3d7c

SHA512
2fa9399f25e2db10f0983c960160e830a3510b43d1170e6c15b71cf3e2df0eda8557706bbb69c85890aff37518e3191845e6bc63db313374dc9291ee98ef86dc

Download Submit
C:\Windows\SysWOW64\Iggjga32.exe

Filesize
128KB

MD5
f89ec2da3d4d5fb39ccefd58f5198c37

SHA1
cb9a756400f62df73522f53ca2f7055353863d38

SHA256
25a896d594d89b6e1162cb83324eb124ff09e24d5c6c4cea6e85694e37a68a30

SHA512
c753d81916325237a02ed0bb8f282bd87392029745f434e739a9ce5a2d884942d01adc23fcdf4d086379de2fa52247e84af6b6b9ec9c105df2c345eb96ea189d

Download Submit
C:\Windows\SysWOW64\Ijadbdoj.exe

Filesize
128KB

MD5
3e8066e95ab58e8e7cb2e2d5599f45ad

SHA1
bc492512d246e4bf9134a1d180c8e279aaa254fe

SHA256
a32c413a820dcf6c0eb5a2b71ab99edb85362b30797fac70475f2f036eb76a8c

SHA512
f7fcca46a43cc5a5093f12c68b100713766bbb60131c3eaed4726edc1d86b6671097c9d801559f203c95354840a0d8366efb656a2bbb86bb69406ebef3666fbc

Download Submit
C:\Windows\SysWOW64\Ijhjcchb.exe

Filesize
128KB

MD5
5c1b5c4b9553cd5e01fe1c7994dbff94

SHA1
dbde3b893f67441168801b26d62f835cf2ac20d5

SHA256
c7b41d912a9d976cc5312ba85842a817096b456a287242204aa134dfd39aae93

SHA512
1f822125646f91578305fd954ced9365ae0222a8a10979ed8893b7c0fb678d72243cd5c8a9b8047104773ea69bf657b5c1a13c5135f018bba65f13b08f26c552

Download Submit
C:\Windows\SysWOW64\Iklgah32.exe

Filesize
128KB

MD5
f7a9edc790723f796707694d13c9174b

SHA1
a72a03045132ab2efb1933b5a0c5ea6fe25e7214

SHA256
15f977c836cbd945995814dfbcab66a2d7264c1be3ce7334d9d07989934b57cd

SHA512
d95da0f2101f7a3cf203b520d5307da1d8491784c864b49008ac0237cc8e98d9913977e5438e195bbd5bd2ebba018ca92d6525be50ca2bb5d60a447da8707a20

Download Submit
C:\Windows\SysWOW64\Ipmcpl32.dll

Filesize
7KB

MD5
9dc6304a2fa4b30fb20cf4cc1d187e90

SHA1
19540f3741b98b38b8bc781e486b3712ca22be97

SHA256
bd62f8d14adaaf94d99e426df424b2188ba73b927c077abaed7d40668e9cd9ef

SHA512
1124f1df85a39c9f28642923ce8b5d38832b99d51bf48beccbe7af96c60ca1309f439811538b384902666f85963526c44ba8a4c30005dda965c6e959e612d679

Download Submit
C:\Windows\SysWOW64\Jglklggl.exe

Filesize
128KB

MD5
2ca66bcf46e22955f2e81333022639fc

SHA1
130c64dec26def06efdfbac7b96afc6593b68c9e

SHA256
562acbbc4841a829ff269c599931b611cb0384f0153667014dd9dd0cd1c3e312

SHA512
8e426e4fe6eeb2a617614a4bebc863178971e1745e53b28b1c6099528e9367c79fd4a48a8a09bc781a1a94c6b44d93a751add46a53f3ba66f4f0facb5754a728

Download Submit
C:\Windows\SysWOW64\Jkjcbe32.exe

Filesize
128KB

MD5
1d48721b41272513da8188f62d42f0e0

SHA1
1f0019facab2e095d7ee60578e6cbb55c2b9ae8a

SHA256
ebbb290bb3ba47f3fcf9ab5b142d00c3cf9acc439b2acab98fa37357c9c27bfa

SHA512
951e8df7dcff44815dd2ec349b918d194b28db60f964c49d57af437d8616a8572b147ba8336e24dfba96dc92998e6d7f6dceeac0df257e095bbcba2c104fbcc9

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
128KB

MD5
af5d81f93e49e83b0a4690a152ad80c0

SHA1
467b2d28e00a587f83d8c38fb6622c63f681e837

SHA256
3d9c0438eb97137d7c44900c281a9ab88ea8cdb677085578a4db7524792170a0

SHA512
81424ae0e0b644189c9faad1361f30005848afe00dcdd85154b2989fd2777b3588eff4ac1fe5ff869779b4e449f5856c6df9aa8165c52364e48fa18738e5069f

Download Submit
C:\Windows\SysWOW64\Jqlefl32.exe

Filesize
128KB

MD5
809379202003fad443dd822fe9782057

SHA1
ec615c6fe0ee8377204fd3de05126b091ec624f0

SHA256
93f80018488ccb0a62f717f4cece6722aa6266f43a82fe4507e09fad94b1751b

SHA512
5a502600442d6227b02084e2ec9c8b3b3273ef24de361d45dd9f23df61c0c4672bb75d95fbe132409dc42eae5ec6d52b9ebfad20518d0b7e2365f56356899f99

Download Submit
C:\Windows\SysWOW64\Kckqbj32.exe

Filesize
128KB

MD5
24e1ab8e9fb7245af1cd414328ccb2b4

SHA1
ff3be91f6ddc5b10f08736a926d379cd70c5f78d

SHA256
47320deb10371d303a78aeed724605ddd75c9ca191170817539026284b2814e6

SHA512
c657564e77f87be60931a700adab817f7f29b300a7d92ce4099425c75ce3af7c4c336df8257db563247a5366894e5edad1f2e662eb33f1e81db614c67c3e9c64

Download Submit
C:\Windows\SysWOW64\Kgamnded.exe

Filesize
128KB

MD5
c4f4c0602d82f8042cbab967b1227e6c

SHA1
81c73ad9e0633089947bf7c151c87af702711e14

SHA256
95ee33ece6caacecd3b696f6cbda04cf435387041ab895a3a0c4df8d42db68be

SHA512
4c220faaea39fb0d12d4659be80d81ef9def90686070574e2274f932209838ac0ec3984f533b204a3ab39de7bdbdc88cdf587fd721a06e81aa8d128517f9d954

Download Submit
C:\Windows\SysWOW64\Kiggbhda.exe

Filesize
128KB

MD5
02455735085c17960301c9c29283f924

SHA1
cf64bff4791416a5cd53127bbaf0a302bc7383ab

SHA256
202004caa3ffac8532c253f952c884ff1ea4f7b5aa83c0cf61db666e6c368efe

SHA512
b421cac478c36976bcb94de7c97936f4e514091c1c3dd9106254352e5f29b83645692430761c05f8d972ac8d9378734ec5db0ce397f5b0b1d910e5099195f5ce

Download Submit
C:\Windows\SysWOW64\Knflpoqf.exe

Filesize
128KB

MD5
404445558884aa3bd2e57464a0b987ec

SHA1
079416bda92c193f97fbeaed64c1f1c0e87d80c4

SHA256
42f2117dbc941114d73d17b70ac71fb88ea57789d89e4fcd5c438006f0e8301f

SHA512
3676a31dfc3a73a5ac32477f87e541bbdbc66fee8c771199373a1ecfc8a4bd01a1fab3644bce3e4ebcd258715f8312ce93facbbe97081404e29f47d7ade3d70f

Download Submit
C:\Windows\SysWOW64\Lacdmh32.exe

Filesize
128KB

MD5
dfd4e6d6f5541e45527177c005a59a5d

SHA1
2400e6b418916d2a9778d3ddf6408b0acc1a3047

SHA256
ac5eaac41f301e537a77f218f3efc2de006c26a1cbf6e37ac662a417886265d2

SHA512
3612b621d4ea10620e55e188beb2b6ed4dbc66872ffddba8ade41b2599845db6feb7126cd9ca6c802792ff9d9fb1595ecc3a332b3f85e1d27b0d82f55347fe37

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
128KB

MD5
64b8dd13ee775cfeba104394c0242f09

SHA1
81392ff04f7f8e35dab70ce4b0091067540ba046

SHA256
ab1148ada702551841d6a8fa8b19f4168a286b2ac21d02008744dcce87fed962

SHA512
780fe894ac90e29f240107cbe2e35b36db357002cf239d22b4061fa9a7f5452fc70c834de8f2cc3a04961aa68db70d0f2a21cc29938f1c777fc48d218b187354

Download Submit
C:\Windows\SysWOW64\Lgqfdnah.exe

Filesize
128KB

MD5
282297ab31f67038574bcc7df5256f1e

SHA1
e6347b28a74a8b5e68daeb1ad75e8ac3146d4c00

SHA256
fec6a21596cea32a9504888cceba4a65bc1ca20afae4ae3859e53945d8823a6c

SHA512
287874ccf5f7c5cdcb4a7060ad758e5eb70af2f651ebdf0555bd92622df15bed13479a1921ffa534efaf04862d483d734d7363af0b93851f6adad4f568da7135

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
128KB

MD5
d7aabd495c0a06eaacecd44dd11f90ef

SHA1
369a7d9224f020a7aec6272b07a93e1e70ca4aa4

SHA256
9ea096c52d1c8c3b71dc8049a1a223f5fda18dcb861e89bfca2ac60e3354289e

SHA512
6a91e0ee3a3c8e828a212cbc5bf1f7f46e55cd3b68bb143671a9ab6846c9c665d514927874a2f28ca8dccd860ef78eb953f03df5f5e1bd35c057b2ee922c44b0

Download Submit
C:\Windows\SysWOW64\Lnpofnhk.exe

Filesize
128KB

MD5
463623f123df7b718b2fc55822bdf2b1

SHA1
65ebe63be14c25ddaea63d93b10183c7303a774c

SHA256
1b14ea0238124c03a7d4fc0c4c794612dd27e74234cd71070623d7dda16459c4

SHA512
56e0a3600d4676536f7ab83db1525a6a8f5db280d01d0ec6cc36b50addc83f3413972ec9be31adff678fddc27f16ba1f45172f82c486f04a4c2fdb0d85eea7a0

Download Submit
C:\Windows\SysWOW64\Mfcmmp32.exe

Filesize
128KB

MD5
76ce87564e1f275f00251bdd75109f76

SHA1
6c3050fb35b5562f3c4f86ef35b4d9534e49a0b9

SHA256
e439bd2cfa0e5004d46cb4b6977aed27a8b81df893a82a15ed8bcddeba034b65

SHA512
386cae43219cc93b24da87db0f2ac541a9a1b001b2413f918b9a0e766afaced7a96b477e56d4e04f2ad191da7b5e4f2081d79c9ae9fb0de8b8e3f26555e97207

Download Submit
C:\Windows\SysWOW64\Mfhfhong.exe

Filesize
128KB

MD5
4760dcd5b561e3e571830c6d685d4d30

SHA1
7bb61e2bb984a4ebc6ec243764eee570f413aeec

SHA256
2d278c4ca1ec99d96c650c8e9ac52c85b316805ed42379d244479f94b058a745

SHA512
3064c06addb43221ed87ab6321a0d7086c3b4de4388f8423db022827699d6226282890d81b01aa684aa930e068cebd3d0dd379848e5950b6c98b221e9b71fb80

Download Submit
C:\Windows\SysWOW64\Midfokpm.exe

Filesize
128KB

MD5
9ca360a0950e21f7f9039fd6b8202fcd

SHA1
89a79a97da97f9d75717002008a5f368e3978028

SHA256
db6e9ecb1e93b91323a8a7e24d07184e08604f4b5cae73a0ba24cc9b7af92841

SHA512
f74721cafec77e5cd969978965befda2e766378f90551ac91aa1ec1cbabba4d579b8033a7b4fb186b0cb50ea3b47f259e2137d044017928bb2e3ccd71f42a2c6

Download Submit
C:\Windows\SysWOW64\Mjdebfnd.exe

Filesize
128KB

MD5
94e85467e813012dec0a3328eb9ebee2

SHA1
1d618bd1ace3cf813fa65f0489009a3f0561c9fd

SHA256
13dcd0868d17a85fad337e02c76677ea171cee4f8bf9a6a15b319eb5e26980b3

SHA512
b7c8b7cc7a79326b421737b5618641276b1dd34a796d643d0d50ef0354e27a43c1984fec521c97fa575d7e9f9a436e3be04f475254e8896f8245e1a59b6b770a

Download Submit
C:\Windows\SysWOW64\Mlpokp32.exe

Filesize
128KB

MD5
3c0960566ccd5abe53f5afae3e155989

SHA1
3e42a5ee670702b26b64d9603d4fa0d9ac8a6c73

SHA256
95c88e45fec4519a664f844cf3047109ebcdd05a390c768a058e48e2967360d3

SHA512
ceb2cfeda094e7600497d73cd64fa7aea63fc94393dbf06af6f1fb27edf07491d1d58d3601c4b8c41636d21ffae617d81c5b8479b9c4bf28a96f8d70d56443a7

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
128KB

MD5
b94efdd5b72bbd66cc0114b62adb9262

SHA1
d2dd1631aeccd97ddb4c4830f636a35edcbf4c80

SHA256
0b7489c5595d507e3b8b7bdbc6df2f75753b45e96fa912464bd64e5e0b93ae24

SHA512
58799ca4aacd99291bb6d232eeaaa7ebfba5c956d807d4b25b0a53c250c210bc5d79b0067a1fc4a276cdb94f6339d61404f3610d5c573b84f0dea2b2a372dd5c

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
128KB

MD5
f51795c0dcf5dce5240d09261fdd0d91

SHA1
e9b54606c02854a231b6b73aac7e4fc49871c4cf

SHA256
d6244c5b704a4e48bb5e9700628711324e7417748d69943e36b843ae2fa69635

SHA512
b8c28c6755045488b3627937eb0d4c1c8fab81fe3f9bf6577ed9b666657f477ef5de7664e178746aa721404b02f046add64032c32b19ac5b7f93d53d23231e9b

Download Submit
C:\Windows\SysWOW64\Mockmala.exe

Filesize
128KB

MD5
438ab30564dab2023bf206b6e87f15f1

SHA1
e6080893974575aecf906b37be8f0879153aec03

SHA256
9574a81e7a5c82999ed20e7f2c41c5cf3feaca4798645f25c1022fee90ab72d4

SHA512
226e883deb02343025b649542b3f770e992ec64be5d127d2300edea406c2c75082485fa0235e3adaeb01c97e527e43131b40a878e51639371174b28d416cf6b0

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
128KB

MD5
74e3919b1ce98c85e6908eee7ea89499

SHA1
cfed25e7587b703b068ae938be2fc7075bf0c2bc

SHA256
e7d107e54a3bd43b4669141814ab588b82878a963649d038992f95d05d021bc0

SHA512
2d7dab1d73f4bca5f84cacce55bc4a1e285f4863e704284da81b4c4cf6d4d6bc61b22e5a1ca5b72455793aeef46881775332fab76452f516396a2c09296c7fa3

Download Submit
C:\Windows\SysWOW64\Mplafeil.exe

Filesize
128KB

MD5
ccccdb08e4ac876edc784921236852f4

SHA1
f3ecaeaae93e86f7eece3c069193906bf32b1359

SHA256
59c8eb8199c5c673ee54b732c6f8b3dec2efb0b825308e3003d3ef2645977bd1

SHA512
e444986dd3cd7e8a22728cac28c9750a895483bcb01254324855b7d17fd600626ca3071cfc69d100907a9e9d532e383c81cb06b7d274d2221ceba60f1133f4b0

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
128KB

MD5
817a6364fca402313338b3e0715d8461

SHA1
c70db50c6d0da26b0637ae0676503e721f3bf5f8

SHA256
68d94bc7cb7c2966776bdbb3b979de0e88eac96fccee175bf5c95af0b67ae5ab

SHA512
5a3282030256eae39b7c18586507038cba03ad17841dde415e0aaa5a4ef43c392a9716a3d555e0e93e8ddaa242cfd29a0c6709bc3cee5ddb7887ce755476ecb1

Download Submit
C:\Windows\SysWOW64\Najmjokc.exe

Filesize
128KB

MD5
25aa7687ec6d439823a1cbdd01175e19

SHA1
2d0c997afe59ee8c4e49c279139bcdcb8bd78b14

SHA256
bbb3c104ff6ad87f2009a7b12d8907204e726a541e78818c7d61f351d8e3a58f

SHA512
c3090556dc3d1d4ad8c1a1faf67c4b58390fb1646af7966adc0a4abe3e4e2649f757950b05136117509420a77d64d5abf93754114a948921d2cc9ec1c42e67ba

Download Submit
C:\Windows\SysWOW64\Nbadcpbh.exe

Filesize
128KB

MD5
5be76d24fe42f1a337ec047365eda5e7

SHA1
bfa4d4d8bd87a575c893ce6e3a078bb3a59b860a

SHA256
cbdcb1ea99c9ca42b2616662b9f85f34dbbae11d2f98c128e1b58377ab78cf35

SHA512
f16e25ec6ed07236239ee09fadcf977c6f90dbd4b415f6feb62af4bf5ed2b160f2016e3a47cdb4ff68922852470c0e5294daab36342f407cf4ed4790510530e9

Download Submit
C:\Windows\SysWOW64\Nchjdo32.exe

Filesize
128KB

MD5
257890dfe7dd048d2600b43885e521de

SHA1
1f2554cb94122f7b63900e08bcc8c3decebb8c21

SHA256
f8d6749879621187d34c76871aeae98601156db77cce8ac37eb1fcfa12041bbc

SHA512
60536be2e8aaf09e223ac3455a53e78c98b2309fa1a25486d021a595b565a2d6b29091306405049e138990f5c06d72e12821c267258711173b3ec4bae4170854

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
128KB

MD5
6fdecfb594605f53360674902bf0f655

SHA1
bf173e4a219516ddaebbbed69f41e1c96a34c84f

SHA256
571ee43b408a2129ea0dbf2ef437a0d4af00545299b932cfd28fc9541722033f

SHA512
a1d5b4704e2681e984425242b96bf7c589f22a67ab88903d8f2fabf5faaf156993ec84d9aebd0180f3b4ddd81e706316b9964465360ff28dbcac098e3fc96a7c

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
128KB

MD5
58effd6b813c5f67df21111069318c79

SHA1
e031a4a7d25d1e5aa24e0393980a950b2ed51425

SHA256
18cfa9e06c10376eda6719ced0861b830cfa69a4cfd4c4d082e75142af3eb32e

SHA512
81fd4caaf0f4c0c272e0184f0b3b9638a7cf13d75b846e818369eedb1091bce2c9fab952cbcabfdd3976aa70fbb3ade026b6b29ae73d7d305161971b85b302fa

Download Submit
C:\Windows\SysWOW64\Nebmekoi.exe

Filesize
128KB

MD5
c0650ef9d1817567d3d077d525ed7aec

SHA1
d6f3cc89cd1f2689cd832365c428409dba7f2dc3

SHA256
a1ec21e3fd207e1f194f8ee581cde0caefe50d479958043d20620a1cf33a8256

SHA512
1416c69290580697009a1e776ca754851f9e379077cd2da178b1d417fd7510e11c941fd85bf1354a5125986e3372d2bab5831c4479c6881e9adc86d7d9765de7

Download Submit
C:\Windows\SysWOW64\Ngaionfl.exe

Filesize
128KB

MD5
491f61b19bca3fc90642c64095f7b1b6

SHA1
c4757083c51fa362545cb00fd84f0bcefa00707d

SHA256
3cc189a9a81979b172390a7e1457b670c48a1de2ed1507a6d06167d51b45a2c0

SHA512
7557df6887740472afced8966342c57558675820c499974a160cd7280baaac341bd3e79f83d7f76436362262db4a75b4f5c87214b7f33c77fd8daa36f3d8a3a0

Download Submit
C:\Windows\SysWOW64\Nhlpfgbb.exe

Filesize
128KB

MD5
a7054d380ba9d4ca4577a54401d7e990

SHA1
686163f9fdcff00fbacd2d867b7b5dfafb2f4099

SHA256
aff1fc0045f2223328513a81e31012a9e506caf50ba6f802afa5021b12dcf7b7

SHA512
ad5d4b05b7669cb5f09b2aa2df66ef39e09fd15ded9b073a74182551453051bcaed600a9fe3be76c74983bb79b0a4f7c7636caea7efea43c2faaad0e569bffea

Download Submit
C:\Windows\SysWOW64\Nhnlkfpp.exe

Filesize
128KB

MD5
b9d6ef153e73268d858ef28ebe9633a6

SHA1
89ade1002a7942a53a749ccd457fdd0118152f10

SHA256
68d09c9c45dab6280cd5379b583db0a159eb88507e2d8a37864aeb5f4ededbf8

SHA512
149992a2b174944e322ff7f1edca34bfca4585519d4f28420aee9c2d128eee6b2ef85f268336fb558f5538cc9f39bd01fc9f418f79e546f75a79ab151b5341b1

Download Submit
C:\Windows\SysWOW64\Nipekiep.exe

Filesize
128KB

MD5
2895359a73cd58e3a2df974d268d4537

SHA1
dc753f29cc433a034226d57b0f6c50ab7dd6f509

SHA256
2ea59843ea5c138fe9de32cc345512999a9a2b0c8d99207b2b9e2a80157868b9

SHA512
06b2edcd1a8c5fc92f5f52b6b22906ebb5c62e4ba0edecd624409980d02f8e4a06bd79aebf52f70929dfaebae720a186a4c55dc2dcd4e0972f6a44ff77e9a60a

Download Submit
C:\Windows\SysWOW64\Nklbmllg.exe

Filesize
128KB

MD5
af8281e115578847af1a2e4ec3edbf1f

SHA1
afe5e62740853f6b341c5dfa880d4dd911857471

SHA256
f643d007f90040c3d3c233a1214018d9d618838d43e74d9f398e55df8a93cd69

SHA512
8e09bce471564417ab8ec0338179322fe41d2c1b35d2842803c5d62d00b634bdbe616207bcbfbe6b9b3e531d05202101dc289402ba162bb51a496b91985837ad

Download Submit
C:\Windows\SysWOW64\Nndjndbh.exe

Filesize
128KB

MD5
3e63e19ef32266973540e3a583b58aaa

SHA1
16283f1017a0af6ad1c878aafc7ae7f24704c06b

SHA256
3bc4ade8c31b4f633d8443fd1324f3e2f89a384df35f693ce9ed06c2f861ddef

SHA512
791543fd0cfd64887e884757439de20a74c662e9bdb8eb9e5686c61608af99b0aea8f90f940de189a10348c2f44ed365d39bcafdac6634ca3a1e0b9081db1150

Download Submit
C:\Windows\SysWOW64\Nohehq32.exe

Filesize
128KB

MD5
e92ea9766314f74ede32bc81f831bf7c

SHA1
33441a6ed2bf6068706564d34f93ba22a5c17834

SHA256
fef292e586dd9b995e3f5af1153fdc2372bdaedd821bc6f873a92e06bb8e60f7

SHA512
dce301c6498c2bf02ee1e529def64c60ffe8b6b12e9ae5a4af346a20548e0e3aac4fac5e59462245bf9d85fd591724e1b53d8e99dee9b80bb470e52bc3bf0e0a

Download Submit
C:\Windows\SysWOW64\Nplkmckj.exe

Filesize
128KB

MD5
fdd49de1fcd81712f9c2411f261f16e9

SHA1
446972a648ed75e8f1a42b7664fa3fdce3d9ba57

SHA256
a1f27b1a04a6b581d8d4788dedeb18282122a261503a55ce3d7e24230462981b

SHA512
1c5611695caf60842f4bc5e974929def00f3d1ba63bd60202d99e70d1e906e512411970b45e9beb34a83b62dc5e1adc811798c81d9a33e63df74288147eab6ac

Download Submit
C:\Windows\SysWOW64\Ocopdn32.exe

Filesize
128KB

MD5
394c32f21cd0b38541604a0068f1c293

SHA1
70dbe2b60ffd1a835756f7ebab45a6f9f6a79520

SHA256
509903480a107adc92d274cb8484cb5788f0372483bf53fc38d1ff34b0e7f0e2

SHA512
501aa15c1e2f45db756435930ffada8c840e11fae92779b29bd4f9e74d6f1a0d7768232c15e343f8048fa8013941693df903cf2cfa28910f3e4f1901af6d71ec

Download Submit
C:\Windows\SysWOW64\Ogmijllo.exe

Filesize
128KB

MD5
e0396d3dac98d91880d0d1323288ec46

SHA1
98f7edc9066e710a47e25c4fc9f21c3496083229

SHA256
2afc0505e2a6dcf3cb39916b8803164bcbcc9bd70462ff0f5a0199db9ecd46ba

SHA512
e40d9fc7e9902e799d569dceec91ea4219da973fb213a2df744c71be698ab1b2d002b6524ee7a63115a68d0af66679886f4862dff1e8ca9ffb507a0848ad3c54

Download Submit
C:\Windows\SysWOW64\Ogpepl32.exe

Filesize
128KB

MD5
86d4e32bdd5581aa4a42550698a44761

SHA1
4d8a07e7a4f7f91a70c4e9047cb853f23340bee8

SHA256
63782f338759766c1b2265bfcb3fb535e2e08460f67a751718842809e4100ef3

SHA512
4c791a9b88cce967b940b084e05da68fc61ddecdc630a175883d7068233a013000e1c53ed976506e328180c2c7f14841f55861ae1c1bd335f6832934011bbc16

Download Submit
C:\Windows\SysWOW64\Ohgoaehe.exe

Filesize
128KB

MD5
6478a809ad5aec7f8f5ba2e8226a8be7

SHA1
563d0913c47d02909eef3ff03bc2059bd418b2e2

SHA256
0335a1b0cc75c623d49062ca545ab843cc9301b2138bfac204cb2ef65e46fd5a

SHA512
cc93802a57048594ba0f0a6f1eda6067608f92d5e3abd506f320a0bcc604361cb6d57e3074d72324a8a004cf8fca15c571cbb21e3f36dd7305d9019d62bb5377

Download Submit
C:\Windows\SysWOW64\Ohqbhdpj.exe

Filesize
128KB

MD5
519ec60418b928cb28a34f93a1f3c8b1

SHA1
5060b71f89ef0cf95b712c6ccc080f68b203cacc

SHA256
21cec5ee4125662d43799eb7e952fba3a6b2b47d5e5732304a69d5c9e7b80770

SHA512
207cdb51508edc07f72c34fe89c63254b7a3e19922d9358a9fbcd8e8cdd0df8c177f7898bde2b7f160d7b722d01e9b5b5a1528142122e032ba7cf6a9068078d1

Download Submit
C:\Windows\SysWOW64\Oigllh32.exe

Filesize
128KB

MD5
298ef494de28a0db65f0ffd24cf8f9fe

SHA1
7dd9afa96900af87fd000c3d2df07f87c675d38d

SHA256
ccc10aea48e5908b34acdc4997f5461d7f9e7d5cd04a66cac9af4b3697867492

SHA512
67b24c764a38b7f2faad7a716434598e8d61b47a3a95a841496c508030a47a60f250b8d49eef3ebe5c774200cdcaca097ecbb7cfa7e2d875c811ddbc1872cc9e

Download Submit
C:\Windows\SysWOW64\Oiihahme.exe

Filesize
128KB

MD5
a536cc235223d8f9106c387837877519

SHA1
7d6d220373c13b3a5dec3a2cd9958ddee73a9341

SHA256
1eebc1194beeb248c616ed105265dc7cb0bfb4dd7e9953cf6c6d6744552216a0

SHA512
4d301b0a9ce2522abc70bcdff2079ef6d977de5fce8ec8876bdc89e7930b58760d3efa96544795a1a842a9fbef145768778561d9fc68e2b84675ca15baa1bec7

Download Submit
C:\Windows\SysWOW64\Olbdhn32.exe

Filesize
128KB

MD5
b323c7688f093a17ab981d4302d68250

SHA1
91d6a1fc603d1d4bce225315b660304674fd92f7

SHA256
4778fe1c2e5db87a21ee047bc048eb9ed87df8a9b1fa463f636e41063c71bdaa

SHA512
5501546f130972584054480f36b545cfe9bb8c54cc1c0c85ab15e31acf7db1a829bacfcf824631cadcc0fcbabdbbc17fc61370bb7ade07a9a68ea2646e84dbc7

Download Submit
C:\Windows\SysWOW64\Oldjcg32.exe

Filesize
128KB

MD5
480469bc319104f46592bc4e9deb30b7

SHA1
579fac55afdc1699b81b72a9ecbe0614e7e2f048

SHA256
8c1f7e883a321c17b0a5f6d24e0e1949e480864c25ad440b76e4d732e68cb3ff

SHA512
3ebe5b55699ae1dbe6a04fca2c8206b921e954449fa2628c6c63222365bf4b787b97ebffeab15ef526eef65f23c6967f1db558291ed253085c2901ea6149b724

Download Submit
C:\Windows\SysWOW64\Oljaccjf.exe

Filesize
128KB

MD5
6f40351c686625ea7e03e118f8a5c30c

SHA1
38d5c11be2159f4e257355d486e6350c32bed2ea

SHA256
c7bae2437e3eb61f791ea0a3e54512223374153aea6aa98426321ee03a46a904

SHA512
ab6776e35defa3b21199306121c9aa5b34f28267760a1864fad270c02b8906c2d49c80da09ec6508f8640f675f57273fedb29ecf7cdac1d5a1885a0d101cfe54

Download Submit
C:\Windows\SysWOW64\Ooagno32.exe

Filesize
128KB

MD5
c6bc9c4df7c6bd874e82b8e483350061

SHA1
b3147308d40220911b791bb8a7a11cb7180e2350

SHA256
f765172693ca2e982df0b90d820573f773d96ed4b402c33ac1313943a303a2c8

SHA512
1424b1365989924003e7ae7ba1c9fae33ec92e47e14ce33662e39db2fd54fd14363ddda97250de02ea58ebc44b1def0b1f3a09a2035d9533ef0eb5c98576db70

Download Submit
C:\Windows\SysWOW64\Ophjiaql.exe

Filesize
128KB

MD5
a468cff6e8db6ef6b1064298ae6550d9

SHA1
bb3e32b16231b5f0bd4aa2ab2bdb0141b42b3f57

SHA256
bcf4ab96f4c7110a6091428a5bdf2c94dbcbdd1a07d273869deabe2e1145f2ef

SHA512
c36c86b67d5ff114eb39326b59b6e671a146b9601304f6eef71ae4a5c41a94d54b900e9aeddbfc64eabaaae7b62cb15525b2ce49a032c3693c54da19856fa447

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
128KB

MD5
d43ab4ce8d0432768bff585c154eb418

SHA1
43d1058b58742b8bf03e897054faf8d81cf991c2

SHA256
212224da3b902271181c95fd38cf3df5e6b7ded293fff0079932466406de372c

SHA512
347ba159ff00faf858ba877da8d2eddbb521d7768976dcbd881670a0262a12f177229c44f27f69979e284c961b293d6be63b2c0dfca9455325b7d543396d1099

Download Submit
C:\Windows\SysWOW64\Pcicklnn.exe

Filesize
128KB

MD5
03dd19f82bdfd05dd61f147f175d72da

SHA1
4d47ec6a6c63e44faf7ff389552dd185e3681d39

SHA256
5a33c8306c25897e1a7b462553b2ad7913e2e02c36986d06a00f04923b0549de

SHA512
1f618b81c3b6c238ad83255eb3ec4d6530cdc4bdfd8b7e8af7ba27313137ccfbfc737c6c71aeb97b113b3489022e49cf52f6590a06382c833e3591a98330b855

Download Submit
C:\Windows\SysWOW64\Pefabkej.exe

Filesize
128KB

MD5
36a6ae7d1c79f29adc4597d5af906ab4

SHA1
2d873d3d5135009cebdf2f845c25feee1a2db144

SHA256
75337f1e7636e4385ef835beeabc7f4ca55b9cb63f09d532b9d0e363308ea054

SHA512
7b59431bd5e48fa3990f9c68907c1cae852fe6c1886c8703f1dd3730b5127ed9061587a4497f19aee234ef47b954b7a55e71fd92a2af03b0fc1037cff9821321

Download Submit
C:\Windows\SysWOW64\Pgkelj32.exe

Filesize
128KB

MD5
c0ab1551a4ccacfd57a026902065d248

SHA1
538be2c88db9d569e48e5ff0c8582cc0f4a2d377

SHA256
8a6f848eba56fc3ad9564d885934a1f9d15db4211fac9cd622f729327b27fe44

SHA512
3f7e68ac08f28933ae2af0aa648193b5302b471f96050a58af329f26c9c4a45c9235c0e37bb5e37ee2f536d9f3026a63bcaee160a7b16b983b1ea48afd955887

Download Submit
C:\Windows\SysWOW64\Phjenbhp.exe

Filesize
128KB

MD5
a780dbe66dee6574241e3928b90a80c5

SHA1
945d6d455c8e4abd1b15734ec4de9413fd63e8fb

SHA256
0a3aeecfc20fb0c0854ea043391cd38e04798203d6a10d08f8b85c0f7cb072a9

SHA512
562f2a0ab164d0dd1d5a0550ec1ac044f2c703c1ae1f6a3f2bc378034ccc12137feb856c20f119ebf16473346f7c8073e9c4f9c356be1c280872a30328eb7c42

Download Submit
C:\Windows\SysWOW64\Pjehmfch.exe

Filesize
128KB

MD5
edea23abca7d0652c21f5344521c412e

SHA1
ba4f0392adab166711f8715a3906f5174c175fce

SHA256
31d53ae4b8892d6dbf3d6d7e08821dae7478f726d1be8210c7c43389040fb19c

SHA512
a1e1336aa4299229c0f4e457c8da0f437588097a1b03fe66fe2b8f202dc2b278dc348f465bf5aa22025d031a5f4ac3cd0427492ceb74381e7e0e07fa3a1672ff

Download Submit
C:\Windows\SysWOW64\Pkogiikb.exe

Filesize
128KB

MD5
2f25adb207baa61df27317139cb97f2e

SHA1
5f434067e82c9c2890b44cfe8d8ff03bd0dae325

SHA256
b62b96118d3cc4094f9e0037c4b6e3373d4813f8f4fbd6bee532db6dff6596f0

SHA512
4c5cc8a881f29e4ffa03b849301c63e9a4afcfb537e64f472c6e6e1533a6590b0344bbb1833a98ad361f5ece3deccab3ad92afd26ffc8160b13785e11f2d0173

Download Submit
C:\Windows\SysWOW64\Plagcbdn.exe

Filesize
128KB

MD5
2eccb0759e8ee8ab1dd4f056b6f1fea7

SHA1
abb2f7cc6d90b638bb08fc203934313b3fdbe72e

SHA256
ea0f5cc086a6e57d1cefae14bc9414f29c42c079f5acdcd1552666827b53ae2b

SHA512
635a462460b794d5f90b201bd25279f9168360c2442a950e5fad109eca9ef8fed3bfb507ed2831b025ffbef60345ca97ec6bb9f6bfd47c7b45e20ad90c7bfa50

Download Submit
C:\Windows\SysWOW64\Poaqemao.exe

Filesize
128KB

MD5
a5a73a4ce229eb9f61e399dce69e750c

SHA1
e0eb0e2db3549cfc9598d0789e17551dc45444d1

SHA256
1b39dbf55e692b18219f9453cd3bcfbe1c3684cf098a8539ccc89aa139894489

SHA512
205eb6fbee59d8145dacb1b840d77de1e53ed49bf493218f35d0eb979d9d071923fc500ad3075b25c15c9748fd9e092a613d27a70f7c9bd1b6c8582031b32e4b

Download Submit
C:\Windows\SysWOW64\Ppjgoaoj.exe

Filesize
128KB

MD5
f6680780f9ecbde782bce46880e9efb2

SHA1
7f7cadd5c615f0898d454f04d6b28761708b26e9

SHA256
be2b33645c6830a8a01979eb24a080aafa10ed8dc078003238a561e1b4412cef

SHA512
70db9018f350a69f3e08bee1d4c78be998463b1495bbd551874a42d9a2cd283d6e481de688d27ebfe72557f6841e4bf081c511f390f7ce416e8edc2827438705

Download Submit
C:\Windows\SysWOW64\Pqcjepfo.exe

Filesize
128KB

MD5
aa373c13c8c36c713453541ebfc5b9c9

SHA1
4e8ec5952121353842a6eb6e3669e5d11800140c

SHA256
9190c85ee191b6430dba096a4583dc9d3b9b7657d94437118649911be3f2f342

SHA512
e4c1640310c085f44fc228959acf4e59908c1b7c2a92c04b420659a8c88d85f12a7e474cee3568264afd0444747ad6d73cf55e37fd2f71b231f911137e0f76e4

Download Submit
C:\Windows\SysWOW64\Qlmgopjq.exe

Filesize
128KB

MD5
914d26f6f33c8e5d272521f40aa696f7

SHA1
014b04c8fcc96fb3344aaa64014ee60a199818b3

SHA256
e2f35102adc295339afa470ee9cbb140c884dbdfd6c8ca342a8cd6c6eae42c5d

SHA512
d7f18ac5b13521593d9a440f408f87063104f1d0d529d63d7ed02b1123a1291d3e2f77f707a9f470cbcc8560ad9c711f5ab6bbf3cad630eb0af7ec01d2313f26

Download Submit
memory/380-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/668-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/756-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/932-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1088-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1412-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3448-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4112-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4128-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads