berbew | 1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efe

Analysis

max time kernel
103s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe
Size

296KB
MD5

2211a43e7b4042b18a1ae6bd40d87050
SHA1

ccc9683d33ccb19efe26f048e330e17250036853
SHA256

1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efe
SHA512

db8cc8ca95e71f5a266af31c82b8c8b1af5f8df092be96d808d915b4bf9b3324373b71f37740fbda6cf1cad8ab330bb32dc640816f53514aaeaf00718694e94f
SSDEEP

3072:k234y2cLFFVy2NmDH2yKtWyrwkEpBuBARA1+6NhZ6P0c9fpxg6pg:k84y2cLFFfmKx/gUDNPKG6g

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkfadkgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Domdjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidnkkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aefjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bllbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflide32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdcfidg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmomo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flfkkhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3412	Ahbjoe32.exe
4564	Aefjii32.exe
4540	Anaomkdb.exe
2640	Aehgnied.exe
3356	Adkgje32.exe
900	Alelqb32.exe
3544	Bdpaeehj.exe
1924	Badanigc.exe
4488	Bdbnjdfg.exe
60	Bebjdgmj.exe
4964	Bllbaa32.exe
3956	Bdgged32.exe
4720	Bakgoh32.exe
2992	Bheplb32.exe
4028	Ckclhn32.exe
2156	Camddhoi.exe
4372	Cbpajgmf.exe
2508	Cocacl32.exe
1788	Chlflabp.exe
2740	Cbdjeg32.exe
3620	Chnbbqpn.exe
2112	Cbfgkffn.exe
1956	Chqogq32.exe
3056	Dkokcl32.exe
1068	Domdjj32.exe
4296	Dheibpje.exe
1084	Dnbakghm.exe
1456	Dkfadkgf.exe
4700	Dmennnni.exe
4912	Dfnbgc32.exe
3224	Eecphp32.exe
1328	Eeelnp32.exe
4480	Ennqfenp.exe
880	Emoadlfo.exe
1612	Eejeiocj.exe
448	Ebnfbcbc.exe
3896	Felbnn32.exe
748	Flfkkhid.exe
4796	Fijkdmhn.exe
8	Fbbpmb32.exe
4456	Fpgpgfmh.exe
4552	Ffqhcq32.exe
1548	Fpimlfke.exe
4220	Fiaael32.exe
5056	Fpkibf32.exe
2224	Gidnkkpc.exe
3580	Gblbca32.exe
2536	Gppcmeem.exe
3656	Gfjkjo32.exe
2628	Gmdcfidg.exe
4200	Gnepna32.exe
2108	Glipgf32.exe
4920	Gimqajgh.exe
2960	Hmkigh32.exe
224	Hefnkkkj.exe
636	Hidgai32.exe
2080	Hblkjo32.exe
2728	Hlepcdoa.exe
1540	Hbohpn32.exe
2276	Hlglidlo.exe
2696	Ifmqfm32.exe
4508	Iliinc32.exe
4408	Ibcaknbi.exe
1176	Iinjhh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Impliekg.exe	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Lnldla32.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Cbdjeg32.exe	Chlflabp.exe
File created	C:\Windows\SysWOW64\Ibfnqmpf.exe	Illfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Jiiicf32.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Klfaapbl.exe	Kflide32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Eeelnp32.exe	Eecphp32.exe
File opened for modification	C:\Windows\SysWOW64\Ioolkncg.exe	Iplkpa32.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Abdkep32.dll	Eeelnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Iogopi32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Ipdndloi.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Pjmmpa32.dll	Halhfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfnqmpf.exe	Illfdc32.exe
File created	C:\Windows\SysWOW64\Ggmmlamj.exe	Gacepg32.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Hlglidlo.exe	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Nopfpgip.exe	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Emoadlfo.exe	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Ilkoim32.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mjidgkog.exe
File opened for modification	C:\Windows\SysWOW64\Jghpbk32.exe	Impliekg.exe
File created	C:\Windows\SysWOW64\Npiiffqe.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Ahfmjddg.dll	Kpccmhdg.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnbgc32.exe	Dmennnni.exe
File created	C:\Windows\SysWOW64\Hefnkkkj.exe	Hmkigh32.exe
File created	C:\Windows\SysWOW64\Hmkqgckn.dll	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Dahkpm32.dll	Iamamcop.exe
File created	C:\Windows\SysWOW64\Ockdmmoj.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Gppcmeem.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Ojnfihmo.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Pbbmemif.dll	Bakgoh32.exe
File created	C:\Windows\SysWOW64\Fdahdiml.dll	Ibfnqmpf.exe
File created	C:\Windows\SysWOW64\Jobfelii.dll	Jngbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Ppadalgj.dll	Klpakj32.exe
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Ledepn32.exe
File opened for modification	C:\Windows\SysWOW64\Bllbaa32.exe	Bebjdgmj.exe
File opened for modification	C:\Windows\SysWOW64\Ifmqfm32.exe	Hlglidlo.exe
File created	C:\Windows\SysWOW64\Cikamapb.dll	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Ajdggc32.dll	Hbgkei32.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Jpaekqhh.exe	Jiglnf32.exe
File opened for modification	C:\Windows\SysWOW64\Johnamkm.exe	Jngbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	Koaagkcb.exe
File opened for modification	C:\Windows\SysWOW64\Npepkf32.exe	Njhgbp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10048	9916	WerFault.exe	456

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iondqhpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llqjbhdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkgje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Felbnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fiaael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqojclne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmkigh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iinjhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eghkjdoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihmfco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilphdlqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ennqfenp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhfpbpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hihibbjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geanfelc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johnamkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqmmmmph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgmmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbohpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imkbnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggfglb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flfkkhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hblkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fohfbpgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iacngdgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmennnni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghpbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibeoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecjke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmfnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eejeiocj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpkibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebifmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgloefco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll"	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocacl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll"	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Legben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll"	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiacog32.dll"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeifdjo.dll"	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adkgje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckclhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebkbbmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Johnamkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Komhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll"	Fkhpfbce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll"	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfccogfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3412	3788	1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe	84
PID 3788 wrote to memory of 3412	3788	1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe	84
PID 3788 wrote to memory of 3412	3788	1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe	84
PID 3412 wrote to memory of 4564	3412	Ahbjoe32.exe	85
PID 3412 wrote to memory of 4564	3412	Ahbjoe32.exe	85
PID 3412 wrote to memory of 4564	3412	Ahbjoe32.exe	85
PID 4564 wrote to memory of 4540	4564	Aefjii32.exe	86
PID 4564 wrote to memory of 4540	4564	Aefjii32.exe	86
PID 4564 wrote to memory of 4540	4564	Aefjii32.exe	86
PID 4540 wrote to memory of 2640	4540	Anaomkdb.exe	87
PID 4540 wrote to memory of 2640	4540	Anaomkdb.exe	87
PID 4540 wrote to memory of 2640	4540	Anaomkdb.exe	87
PID 2640 wrote to memory of 3356	2640	Aehgnied.exe	88
PID 2640 wrote to memory of 3356	2640	Aehgnied.exe	88
PID 2640 wrote to memory of 3356	2640	Aehgnied.exe	88
PID 3356 wrote to memory of 900	3356	Adkgje32.exe	89
PID 3356 wrote to memory of 900	3356	Adkgje32.exe	89
PID 3356 wrote to memory of 900	3356	Adkgje32.exe	89
PID 900 wrote to memory of 3544	900	Alelqb32.exe	90
PID 900 wrote to memory of 3544	900	Alelqb32.exe	90
PID 900 wrote to memory of 3544	900	Alelqb32.exe	90
PID 3544 wrote to memory of 1924	3544	Bdpaeehj.exe	91
PID 3544 wrote to memory of 1924	3544	Bdpaeehj.exe	91
PID 3544 wrote to memory of 1924	3544	Bdpaeehj.exe	91
PID 1924 wrote to memory of 4488	1924	Badanigc.exe	92
PID 1924 wrote to memory of 4488	1924	Badanigc.exe	92
PID 1924 wrote to memory of 4488	1924	Badanigc.exe	92
PID 4488 wrote to memory of 60	4488	Bdbnjdfg.exe	93
PID 4488 wrote to memory of 60	4488	Bdbnjdfg.exe	93
PID 4488 wrote to memory of 60	4488	Bdbnjdfg.exe	93
PID 60 wrote to memory of 4964	60	Bebjdgmj.exe	94
PID 60 wrote to memory of 4964	60	Bebjdgmj.exe	94
PID 60 wrote to memory of 4964	60	Bebjdgmj.exe	94
PID 4964 wrote to memory of 3956	4964	Bllbaa32.exe	95
PID 4964 wrote to memory of 3956	4964	Bllbaa32.exe	95
PID 4964 wrote to memory of 3956	4964	Bllbaa32.exe	95
PID 3956 wrote to memory of 4720	3956	Bdgged32.exe	96
PID 3956 wrote to memory of 4720	3956	Bdgged32.exe	96
PID 3956 wrote to memory of 4720	3956	Bdgged32.exe	96
PID 4720 wrote to memory of 2992	4720	Bakgoh32.exe	97
PID 4720 wrote to memory of 2992	4720	Bakgoh32.exe	97
PID 4720 wrote to memory of 2992	4720	Bakgoh32.exe	97
PID 2992 wrote to memory of 4028	2992	Bheplb32.exe	98
PID 2992 wrote to memory of 4028	2992	Bheplb32.exe	98
PID 2992 wrote to memory of 4028	2992	Bheplb32.exe	98
PID 4028 wrote to memory of 2156	4028	Ckclhn32.exe	99
PID 4028 wrote to memory of 2156	4028	Ckclhn32.exe	99
PID 4028 wrote to memory of 2156	4028	Ckclhn32.exe	99
PID 2156 wrote to memory of 4372	2156	Camddhoi.exe	100
PID 2156 wrote to memory of 4372	2156	Camddhoi.exe	100
PID 2156 wrote to memory of 4372	2156	Camddhoi.exe	100
PID 4372 wrote to memory of 2508	4372	Cbpajgmf.exe	101
PID 4372 wrote to memory of 2508	4372	Cbpajgmf.exe	101
PID 4372 wrote to memory of 2508	4372	Cbpajgmf.exe	101
PID 2508 wrote to memory of 1788	2508	Cocacl32.exe	102
PID 2508 wrote to memory of 1788	2508	Cocacl32.exe	102
PID 2508 wrote to memory of 1788	2508	Cocacl32.exe	102
PID 1788 wrote to memory of 2740	1788	Chlflabp.exe	103
PID 1788 wrote to memory of 2740	1788	Chlflabp.exe	103
PID 1788 wrote to memory of 2740	1788	Chlflabp.exe	103
PID 2740 wrote to memory of 3620	2740	Cbdjeg32.exe	104
PID 2740 wrote to memory of 3620	2740	Cbdjeg32.exe	104
PID 2740 wrote to memory of 3620	2740	Cbdjeg32.exe	104
PID 3620 wrote to memory of 2112	3620	Chnbbqpn.exe	105

C:\Users\Admin\AppData\Local\Temp\1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe
"C:\Users\Admin\AppData\Local\Temp\1e600850c9c470d2acb8b8d7ec3e05d3897bb90547e653577da9650407b78efeN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\Ahbjoe32.exe
  C:\Windows\system32\Ahbjoe32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\Aefjii32.exe
    C:\Windows\system32\Aefjii32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\Anaomkdb.exe
      C:\Windows\system32\Anaomkdb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        24⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        25⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        27⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        31⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        35⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        37⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        40⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        41⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        42⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        49⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        50⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        52⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        54⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        56⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        57⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        59⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        63⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        64⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3016
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3476
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        73⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        76⤵
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        77⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        78⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        79⤵
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        81⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        82⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        85⤵
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        86⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        87⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        88⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        90⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1692
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        92⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        93⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        94⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        95⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        96⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        97⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:208
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1716
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        102⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        103⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        105⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        108⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        109⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        110⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        111⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        113⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        114⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        115⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        116⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        117⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        118⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        120⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        122⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        125⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        129⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        130⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        131⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        132⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        133⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        134⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        136⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        137⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        138⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        140⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        141⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        144⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        145⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        146⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        148⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        150⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        151⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        152⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        155⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        158⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        159⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        160⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        161⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        163⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        164⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        166⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        167⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        168⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        169⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        172⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        173⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        174⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6864
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        178⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        180⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7152
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        182⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        183⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        185⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        187⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        188⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        190⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        191⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        195⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        196⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        198⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        199⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        200⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        201⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        202⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6932
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        204⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        205⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        206⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        209⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        210⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        211⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        214⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        215⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        216⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        218⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        219⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        220⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        222⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        223⤵
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        224⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        225⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        226⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        227⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        228⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        229⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        230⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        231⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        232⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7624
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        235⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        236⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        239⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        240⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        241⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        242⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:8020
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        244⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        245⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:8152
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        247⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        249⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        250⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7528
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        253⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        254⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        255⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        256⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        257⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        258⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        259⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        260⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:7196
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        262⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        263⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:7576
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        265⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        266⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        267⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        269⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        270⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        271⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        272⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        273⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:7208
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        275⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7784
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        276⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        277⤵
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        278⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        279⤵
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        280⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:8224
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        282⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        283⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        284⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8404
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8448
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        287⤵
        Drops file in System32 directory
        
        PID:8492
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        288⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        289⤵
        Drops file in System32 directory
        
        PID:8576
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        290⤵
        Drops file in System32 directory
        
        PID:8620
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8664
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        292⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        293⤵
        Modifies registry class
        
        PID:8756
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8800
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        295⤵
        Drops file in System32 directory
        
        PID:8844
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        296⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        297⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        298⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        299⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        300⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        301⤵
        Modifies registry class
        
        PID:9108
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        302⤵
        Drops file in System32 directory
        
        PID:9152
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        303⤵
        Modifies registry class
        
        PID:9196
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:8232
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        305⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8308
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8372
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        307⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8524
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8516
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        310⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        311⤵
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        312⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        313⤵
        Drops file in System32 directory
        
        PID:8832
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        314⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        315⤵
        Drops file in System32 directory
        
        PID:8992
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        316⤵
        Drops file in System32 directory
        
        PID:9060
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        317⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        318⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9204
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        319⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8396
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        321⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        323⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        324⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        325⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        326⤵
        Modifies registry class
        
        PID:9052
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        327⤵
        Modifies registry class
        
        PID:9160
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        328⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        329⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        330⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8820
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        332⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        333⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        334⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        335⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        336⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        337⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8720
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        338⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:8280
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        340⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        341⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        342⤵
        Modifies registry class
        
        PID:9040
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        343⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9076
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:8568
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        347⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8444
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        348⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        349⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:9344
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        351⤵
        Modifies registry class
        
        PID:9388
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        352⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:9476
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        354⤵
        Modifies registry class
        
        PID:9520
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        355⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        356⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        357⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9648
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        358⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        359⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        360⤵
        Drops file in System32 directory
        
        PID:9784
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        361⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        362⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        363⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9916 -s 232
        364⤵
        Program crash
        
        PID:10048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 9916 -ip 9916
1⤵
PID:9980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkgje32.exe

Filesize
296KB

MD5
bc93afc755e5977dfffbfa3488b3f3e8

SHA1
f891bba5a06f20e9dbcc95aef93730aa99b55424

SHA256
32cd064b1af91711daca3cd9e662becb0ae5a0f29ea8fb30aa078de45392dbf3

SHA512
ade53bd194979f7d688f996055575213441807fae0c1980ad27ec2b82ab6e44447bb991490df272bc107f2ff384d1eb503498182e7416425f1c9305f577a5dc1

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
296KB

MD5
21f31c4618c177e9f7542406bbb4a4d8

SHA1
cbf3acb2c28639b6e5bc612c4e3485fa2ddeea68

SHA256
3dd3b6f9d54471853c11da397abc39c08008c2025740fbfef459ebbe4d051fa5

SHA512
e435c082fe8b6c6764beed82439a7c9ceaaea2ee1d994a544d3e90bd1b92294fc71ea9751ca728cebfbbbd834641f66d9992a9a946facfbae20d4cf5a194fc3e

Download Submit
C:\Windows\SysWOW64\Aehgnied.exe

Filesize
296KB

MD5
8ebda130665a8df77f8ddd1ab75ff6ae

SHA1
7a38026a7e6ef4ab2963092d298e51e396205b57

SHA256
a093e2b6e90d42c319f5fa93dadab6e5802378873fb65c7f7c34bcd70e97d748

SHA512
672bc3d322a0e176e04013c89748c2b74a92fb52808235e1fe358b7aa78692e368969c45d4ac52f788639f2c5d6c59e4dd5a179fa4360800d5f1cbbdfd66a3e7

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
296KB

MD5
069046544bd63e14c7469ee551a437c6

SHA1
620e137fbefafe92354d982432ec368d4cd13ede

SHA256
8dcd762ba222e1cea1590ec7198422a6b817ba02ba442a40a91a6409e43c7975

SHA512
f518e13f254c3f810a36ff4d95f4bbc612fe19ab46ac89c0b1bad14637da6edecddea103adf25d5cb3d55b61d8e1aa3c6430beaa051f440eecc825dc49e02a42

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
296KB

MD5
6d705c008429d63e099140f55387dcac

SHA1
bccffb89d3e15240b77c22bea08601c777fdfc12

SHA256
2980dd003c270baacc5f35f723b1cbe5ddcb728f5596aa99cde878427ac7ce49

SHA512
cfdfe1c19e6afb2957ff20405e7f6ae49cf58a3de96b17c4a885ee5738bf8438e921048866cd4b4f6b5a8f6cfc89ce508f7032bc69e46151c70fe918ce5f953a

Download Submit
C:\Windows\SysWOW64\Alelqb32.exe

Filesize
296KB

MD5
8885c5dfae1095085e4fb8dac1d3ab4c

SHA1
8eb24727f7737fedd35d80daa405db514b8e301c

SHA256
894db4f7c776535182a3ac08758ce0dfa929f9950b23bd297d9b2b082040a4ba

SHA512
5f47f54835733e07aff6b9b279a413c3e573ff6a9b1a1788fbee19f1d6d70180a0fb7f0183de9bdd7b4a7021b02e3d012e17d23a90e4c2635e76a1031c733cb9

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
296KB

MD5
263de265979a88843a63bbf0597eac5f

SHA1
1bbf2d59dd81ae2f31508c44c16fa101903282b9

SHA256
4245df88e960ef24f3e54667ccece8b6d8fc0923b0d628d7eff8ea1ff495c7fa

SHA512
cc9539040aff94b3d962b817d34f35a0ac0f64112db6c08fd00a4ae259a7fa0470f3f3e26d132f04c488fef91ce02131401fea7754efd7fa3857a91f425371ee

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
296KB

MD5
3e1004e43fb0de4a6eafd9e23a644eb0

SHA1
79f96afb7549cae94eaded87e3d304b11f5cceea

SHA256
bf46349eb6123b4be32f572d3beba125b299bc6d1131e818380da5be099c89ca

SHA512
459a891a91b4b7cd5235e011781bb4f4c9113c554eaa809f67ce9fe2f9111fdbeedaf15437fa93854615f106917ab21fe0b5da15826353e9dacd43d3a568e2f2

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
296KB

MD5
4d05d479274c6d6967cd297cbbdf4a8f

SHA1
f1f3e146a237e26f333fd0e192e7c62351d72f71

SHA256
5959fe2611f034621d16863a36f1cccb567b58618d12f123e905e2c69b15c52d

SHA512
b1d35703eec76cf349b6503c26a381641fe7fb8efe8ee2de4100a2811f404375ee80e416b226fee74b68392c6760e37d2f21c3e6fb47edd9afa542d1f64f6999

Download Submit
C:\Windows\SysWOW64\Badanigc.exe

Filesize
296KB

MD5
15631e5a913a71caabfb9058addec2f3

SHA1
b53c1f831abc890a10ed70cadd3bc36ccb5d542d

SHA256
cd9f8adeef559984764619a3e251c27036df4fb774c6e599d15cd41e977fb454

SHA512
2022fed3fff6626302d43c394e9553f527196c255f1a8da9fe98063650be16e90f7e81981ee84e6341ce2596f9fff1cc6c10e44987f1c25ec778503fac3e03f0

Download Submit
C:\Windows\SysWOW64\Bakgoh32.exe

Filesize
296KB

MD5
f050195b1cd3b0fe0f3c065988356b3e

SHA1
6f7c83b78c5d8cbf6d384b3ba5fb6ef5bc2dc9ef

SHA256
9cb9b33651f41cbc1b5ee62b4f1e308b14cffd609f0717ff893570cfbcadb3e3

SHA512
1db69e33b160954663f26f1bad97bdaf559b947783a767796da5a221719136c2747d93cbf4700443fea1b2b82627f5bc90867610f39a8a91342964825230c936

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
296KB

MD5
5714c3407f256b97edd74ef3b7d1e192

SHA1
dc42a1ff5de5b94922b3ba7734f9410dbe543202

SHA256
5a0ac7aa71e6de4a612ad32a4b9c7e32ef46b0b302fb1967e23196abb8885776

SHA512
b862947e9440231d0a897cb45647ff21334727144a02526430edaf74c043a03f3c863052ff1cce609b4296aade05148442bf3ef31ba0934a7bc04faa39beb20c

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
296KB

MD5
ad8509b02aa7f2bdea6d398acd1346a3

SHA1
d7156894fb7978b453b545ab593f0f71dde027fe

SHA256
c785bb722963df3aea080a2f02e5a6d673eefa799b5d15d3251b7180b3d66429

SHA512
ee12c703a981ac7d1faf8bcdf5b34bce13714bfaf07f6a695de36944d28e7280e59a0b146dffafb76e43ec2ade50865c25fb25511dc61774074f4517f43a0970

Download Submit
C:\Windows\SysWOW64\Bdpaeehj.exe

Filesize
296KB

MD5
3bd5c58d2536507bdf51d1ff6036033b

SHA1
9845fc7d8648ee054a6c1ed968fbf6db65b26e76

SHA256
7d8e65c6b15efb1b748ff1e6c160305531e0633e19ad72fcd65676aaf6e60693

SHA512
098b105774c742a752bb26ea7049ff8ac9eb7a9e86c862570d882351ee84c0d1e0e41623beb2cd8fde647132d87a4157bf413505b743f41a6aa5928fe6c675ee

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
296KB

MD5
865e27641a18be02a30ba05f4608c7cf

SHA1
6b4f8e9664bf6ba456c9a4ed127bfa54e929b9a1

SHA256
412efb786dc4bfdaaefaaa002d7aca14c505f4919e239819b14fc1ada123dab2

SHA512
bc338c1562eed7d51e401de0481e8a7baeb240da89b6cce2b164a7a0535a91c92cdb7b914612087a995790c61690cbf2e8cb2b8f4b2277c00806d1f660c1e005

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
296KB

MD5
ff1c0c854e4c8db99483b1781dba7b27

SHA1
2362cab239a767422dd972322a7c89dca3457d94

SHA256
61578d8b0f4f85c9f8aadc87b124e4cf69893b182ab7d2b7056e248be6cd28cb

SHA512
40d6c73cefe0e4583b3729cdd3c0d625b38d0c4facd4710428249041dd103a615501edf00ea1357d6b627d7719d9e12b243b98c4ecd0ec9c64fdc1e35632238c

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
296KB

MD5
fb847084490c6626316cd32338724f1b

SHA1
5d8777e111e6d5432a42b29e17cb663a2a7f0c2f

SHA256
7d91b1caadbb4734a34b699061cedf0c3767cb1b0d322aaa9ff983e413102b8e

SHA512
6e396e014d7e1dff7fb2fbef3c17ac6325efa1eedd7ae1fe954fcdc55e033a183f1a6dea509cc58dfcf884dfd68615e29d3007f1ad53aef237e8c0e25aa7f1fa

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
296KB

MD5
30823fceefcb7555f4d6d8647e8fa32a

SHA1
22446bae1095fedf47579d5fe4e21612980da816

SHA256
a4843deee2bdb3c0485a24ae225ad3bbe47d08244916142cfee158a4a5e89b34

SHA512
1ebd661e2224b1cfdc71f41c50a154edf053ae87eb654ef241cd6c804eb23fd493370c5c6f6800bae8160a12523aa08c04d81034f19df3b74d36fc7a3c768458

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
296KB

MD5
0b3a7c9bda331b2f5aefd919e4e6b5be

SHA1
cb94da8be8019c8f5214e32e495e1f11dddb386c

SHA256
6aae4d2a88ef7b389c0358fd25e7ccb47c5be263c44807dd49bd51bf577c3a4f

SHA512
b6b408ee157173b19f7c25727444c1f2907249ea86f166f731a470be4bf00d4cf29a15ed66c8a7e5ef8de922a71e4b4ad478cc4de871220647b9607ab51309f2

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
296KB

MD5
98d3782dd26125d46df8f4ef1b90747b

SHA1
2d5c943014e68bb0b0137f9be58a3b53b18b6a0f

SHA256
70df7c59627087f399b267cde30671630ca1cc292a8200d6ac52a05deb08709b

SHA512
80a822bbbdd6935adfc1541e402a5e5b8bb53954c4f637ad8cbb5cb03186129777904f3302e1e5e058636386bd05564222eb1f743b1c849ea4f30cc2fb387464

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
296KB

MD5
26892097ecb747d5c55e87464ed494bc

SHA1
56c99a8afe6c4047880c1a1ea248327aa7c50fd1

SHA256
682618635d37aea38b406ef647ad59ddcb0f2f13c369b2d543e699efde876901

SHA512
a6ef1c9d630ec2c9550a798945b65e85edd43c0ec2e9c034ca94ac0b86c35ee79f6a02dd6d86088d17d9796b4e81137b0c4470fcd39de227ebf4180cf52bc013

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
296KB

MD5
f879e8ef8a5e1e2ff127e32e220c2bf4

SHA1
c79dd6fdcec791e5fe14e763108013f2ea39d1eb

SHA256
c65edfc74ef8fc09f5ddcc83f88958703471512f8fe0eae958eb89068bf6ee91

SHA512
56e3b455d941c85639a6863337cb6dca43cdc6c8e275399c1cfd5486b99ef7a3c68b8f6f3fc66baa735a9ec44040f948b6e9becaca51b5aea10e1e4d43d51c06

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
296KB

MD5
b3a3742668f1f27c3a50ae6718002ccc

SHA1
9be83cc37422285109558ffebe2f9fee6034026c

SHA256
56bd94948017cfb5d03aa8db629081de4985f64a33e9a33418e169ee9543fdb9

SHA512
8a1ef69c7728e19e6b139524e917784b893dc951cc0e02ba771b51b3db44f8ceca9e0d32fa9e52275e30de430f636c908569d741b25c210d8dfde5e39c0c16e5

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
296KB

MD5
700d430090f5c86ae348bb6c3c72436e

SHA1
be532e205f5a3e93437ed9788f4637db457bf67d

SHA256
b8aa73035f7c11f5543ce9286149d7db7f2ed7e9fc78f6fbd68fa39efa37c50f

SHA512
7afe224c20863e20ca348f07c5cc6e42d379b4f5bff4fc99b06e90fd608630d166c3e5b69c3b31cb8787f55ceca31a6adb178734a274b65e84b9d0f9e6ba2b44

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
296KB

MD5
cebaf8325c4e5d5b94b414d4a205740a

SHA1
4393c4eb8459bce4f088bde227f5ac27256fe24d

SHA256
0b564c7b435e6b3fe8e883decf4c26de0ac2be17ff782a57a3a73a9ba5d4a9c4

SHA512
59c8237fed8b532be493420477979ae8e937b103436725e674abcfc144b6a9ac15e7e7d3d7c519e1b53e99aa18de840888bac2bf88101ec6581855223fac7167

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
296KB

MD5
8cca6c0a78451a114cf6a2970e4fc080

SHA1
33ec7ab69590368d8b19210386620fca79dd9d7b

SHA256
336816dfa452c6879369273c12d0f7ef953f2288e08d145cdf9bfbd7ab46f058

SHA512
21ff4c5d9dbbb01751af8dc77f03e59d91e470673133b0e26d71c1e31c4939bc9bd9cfa323d1302834d87b88e68e826a014e0f874dfb9a2411b3e0139a2c20f7

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
296KB

MD5
5ad7e31beb925e0974d74acc1f7b2df8

SHA1
161086dcc5d444348cf92ad3741a8682f24bb7f0

SHA256
cdc289fe459c63599e5e3a45311030bc7a621506729fd37e23418aa7563736bd

SHA512
c64d710d3c90bb754a208700d08dd18ec4d986ac52e1de4b7311e80c4a719a9386de8ab79ce2ebedf6606e44ca343a0d27df3ce6f0f4259b4caeaeb50b3c271f

Download Submit
C:\Windows\SysWOW64\Ckclhn32.exe

Filesize
296KB

MD5
afff1b9bce9d4a1db95f86fb8b7c62ea

SHA1
9a21780b98ccf8f00fff2134e1d6fd9c06444583

SHA256
170b316dbcb902a3c6e81db049793c3dbb11b01445ef8b15634dcbfd6688b5ac

SHA512
e5bb26a26e6bca3842833c8fccb57164548be72ebd5d22deaf6abb299807ca29750f70cf9eab8a607a760b6e12c1c68aa226d01f4587787625b4bc94fdd21896

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
296KB

MD5
2ab45f56adc5144f53da64679d91a00a

SHA1
cb985f435b60a9b4d390a1590335250459204c27

SHA256
1dbc0d7ab3a9f871073f9e373cfb01b37c330d552d76d7e8164229e7e2f53c3a

SHA512
56b7b3a80509d1d468d2fa8c0a2de4df580ba0a744882934044a6a82e8a87200eead03d262f56ae98928a9884af098298356ffa32759732aaeffeaebaa883d40

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
296KB

MD5
817586286e32bde5800d25db03b43ebd

SHA1
63b004b8d796682accda474323a9fdbabef4372a

SHA256
22c457b42d338f84076772e43c2c21e8d0022141fb34a84562f521ac1534e25a

SHA512
21d2b9c3ea8edd2de131fd78c712ebebfff1e7a8c5d922ba395ce4445ba1d993cc8ec88dda08659e3d9fc0d836bda620f31a776d58d9750f53ab1f16ec1f664b

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
296KB

MD5
fd84c3ca2e14e03d77db1848f33d7398

SHA1
7e0be7edcb29fa6f5041cc9e3e50775c66ba3e47

SHA256
98c0534cbd9a53f8000268eef4d84c06184d2de9590f352cce7196e5909366f6

SHA512
8c864727b89ef9cd82edc14d30d1409ee0a86e6efc3464d03c3ae3e9fd2695b0e66cf13a548f7dc8b8502cc92b38867f0803a915cd5a6409140e5dfa93fd77b2

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
296KB

MD5
71e1dc9f70d0b45b24b3c32c7d06df27

SHA1
6bd9359f0239b2b06645f14ba76f54a43d8180f0

SHA256
f5e9ac2e7e656dbee6e218f951f9a229b40217b96c8b4e9e55ebb7a05ff455ce

SHA512
98c589b36d48a89914616568048aaecb8b9c8505763fc61fdbf1089583605d77e7be3dcf6320c7c14001b21a9ce1678f41a38280d9651cbf2bc259d302f8b8e8

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
296KB

MD5
12f17e11151e397f9823c427d1276897

SHA1
7c67a6aab3a71bf2b84d03efd91a6f6686239ced

SHA256
df01514a33ffc53beecc8ca62185d0e4f5db53535ca5efe392ed9dcb66e104d0

SHA512
35838bb3df4ec67337c89515d103210b9f7c2b1ef5dbc45ad95f54087945b20bea912f1d9e24fd5e9e7d8312bc4ef88dc05d80194aa79b3a3e0028c4d81e2421

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
296KB

MD5
a59ef81e227bbb8f1531fb98d2f52e3c

SHA1
196ff9b4c833a4b78e67f6eceb27682c79eff368

SHA256
d81c2b5d40b24ba51c9eea80a3db1b43fbfd5a8a0f170923c1abbb58f636c0d9

SHA512
bda7f02ad696267aa96421b1d7f65ba79d2b2937f84a143101e88bd5114543368ffe788cbdbc8b6a225bdd2cd4fe64f9358a4e21d2dbb26946d328aa769a527e

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
296KB

MD5
5df646da5d61d02eead4869d1e65b543

SHA1
5f883402abb519b1749cbac2ce221a3f09f1e842

SHA256
e986de0e9863e229a03b4d8e848f85dc7b4f4fcf5f721e9b2bc7bb227ce42ac8

SHA512
9114bc508e2203da9d8e97194b033ef34dd60dac75c4e8d0a3e82af805ee3b77a47ea08216c62e01114ab8fb4cf78f4099f03ace9b38ecf388f572c7c3e19e07

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
296KB

MD5
c58c0d208590056251d372ccc355691d

SHA1
bc1721423adf29a394346f4f1a618e12abcea357

SHA256
c4236bfe6841823cd5aeb0c8a35315fcac142c5176c341f6afaacf00ec689e12

SHA512
e59b8d025f2d7d876f321d4efc5509298253c914898a562be1c0f61c69c1c3ac320131d05d70385a8d79cf94d81669348bc9adac32366ed9f3393c8d9142b117

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
296KB

MD5
8adacb3e51a9c996c5719ddb901463ff

SHA1
77b346c0f1844626f1ca7bb54f46db54c0f45eb3

SHA256
32a1755c94ffb623a517e151469e375a2e0cab62c08e301d52772edaea75e1f4

SHA512
5720094a01b2d950ed2ea38637389144bfb732108202637d74a7bb384b14a79b488ca8aad93faa1357e3cd7ddf421f5086754083a2579600ca0a493267ad52d1

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
296KB

MD5
2ca9cc2905c608b6dcfdee5783877f3a

SHA1
d43c5d27f6bf504fd71ceda9413098b76426e22a

SHA256
62e83fefd36ad6a82045a638cb061172bff63b23b41ea9b29dae1c2119b9873e

SHA512
a5bc2d0a41308356ab47b544d38b8b87a3e956b994b07a5673f8606e464bd633de88b74807c97c736d1d52008c8533c56ff4b19f633c814ada17209d3823d436

Download Submit
C:\Windows\SysWOW64\Ebkbbmqj.exe

Filesize
296KB

MD5
c438c2dacce08f2e775b0740d463c57d

SHA1
6a37187e8fec63e2de6bbf938ec42be700465db5

SHA256
40cab035c552b514079d08e431bc8c47d812069eff086e2aa3ea9683c8a88352

SHA512
9ec1f6aa5ad81d220adb5d361dee8339fac5c559ec894fd2f4a09c89e99f11a1c172a8e4010ff78cdb00de4056f5925707d84b1588271cfaed3d973b6e70c8f2

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
296KB

MD5
eac9c15d2bc7ac55ccf16fcf70047ece

SHA1
d554dc11e0007a6001999485e08f494aaabbe3a4

SHA256
20d808aebefcf39b398eff269f736c4c6497f610315798e315efe0ce0ef4237e

SHA512
8b3582024044ab1e9c22be5053900aa0d358b6c35c528bffb2505cefc69a853eeeec94351b3fba8a39693e9c8338673e828ee9172cd38d8e1902fa891d8c08e0

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
296KB

MD5
1039b3c4383dd0311eaac0ad10b77017

SHA1
77aa51dc2c192a4de759a6e71bca4ca7aae020e9

SHA256
629d494a568efeb087d109ef5f5c9f122fb2af61a2c9ed6cad9f95644d5d5423

SHA512
f0f8134961b232c26a32b5c014ed06a05a8ee5db1e4905f21feb6c7fd0e76cae0275c62ea9832a9045b6e736664fc4e1e294bb667f6b7bf48b55bcde61d18006

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
296KB

MD5
19a92ac92801c5c4ead6ee087f7884b7

SHA1
3408c26148d9bf846b381a97bd0413ef947b595e

SHA256
472f555637e440e3f3f80c82873b665b2b05383fc4204584b790d0b5b18085b0

SHA512
d5a33e2a6ede3d184538fbb8a7fdf260fb49a1e1e810262eb2bafb1bf3b614aa8656235a71e947f15c17e4bf650122fdeca3bb9a5b62d2f0fa1cff40589b6d89

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
296KB

MD5
768d9474aae4954736c0a06c02d4b71d

SHA1
fbcabb9389090ab6753dbcf86c3fcc5779486eb3

SHA256
8c7ecbe290cfb884ef295ab325e26f963b0ba7ddc0d709081d00a1ca684bb9c8

SHA512
ae58a887598bbe7a766ddccfb9217b3d79cd39a94032d603a8e5fba1cebe2e20f2635a3d838f04ccde2b29447e2ddffc2755711f0d674d7ab900e566eb602481

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
296KB

MD5
88bebc4be7f5d37f93306f10bb5e7927

SHA1
53d69024db32ed66a137fa68e12a7b8b99f99148

SHA256
442c5acf77d8db7301aa8656f149280fdff7b5c3adef1c7f4a7b20edb7657a21

SHA512
14afd35665171f7f127fc7dbe71b7164636bb810e6baf3b846a5f89ab92cb0f1cb494ac365c88d6183c1c423b4fe268e9566b6b21d29dd6f1f5ded41d7a3aa7b

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
296KB

MD5
b8cfff209cac1b330088091af8ea93b5

SHA1
931bd1b1a18c8c6480fe287018fcafcc982f4ef9

SHA256
98ccf9e1d151efecb0879ed1009c02e76230a20cb718c35c9acf2a024b1670bb

SHA512
05a2269e97e7440dbf14b3ef5f9028ca2ab4e7f0342c032a92cc6f649206435b48e946fd2fbc3308b419f7c0fc386291bf25f2d0eaa34ae78d020a8b9e0d4c67

Download Submit
C:\Windows\SysWOW64\Ffchaq32.dll

Filesize
7KB

MD5
b9d91c807d982db4aaef2fdf6cb47778

SHA1
1a11838c23ea8ac4aba790ded968840d34202e9f

SHA256
e8a2f72122b5bb9b47587e340febbdad02fb21e991b60ec206a4a3b2b99b7ead

SHA512
3ff6fb921253286afe7db84be106b7daaa9f66c44741891f81809d020bf48b8450dccb31885fcd22af1ed0f8f809def5acb91dde66bb5f7b2c86854cd9574c38

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
296KB

MD5
1c95531fd4ede0e4cff89d768cf3e43b

SHA1
94ab759196b61924e297d793b54121fb42a81af8

SHA256
857bde75fbe97f390d0f3853f6a1f00b546eeb78c08b584290044de0707f7dfb

SHA512
66c2f66ae35a6e8c4c132b56ac3429db566f458c1bfbfeee6aaaebe52346661f9afadf337d08ee1f62a24e5628f2ec7cdd7a759fffc428a86d8da407091ba68e

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
296KB

MD5
48b4e8a30abcf54d4edf8b5b9d435e71

SHA1
203e235bebab37562f9a5e19f9d3680a32625be6

SHA256
b3ec6bd0a9bd3694bab65dd17691b9181e701cde8ec46ecebd8fb776a2c725a2

SHA512
20e138a45213acb90f518c58d3d368f7952f46e7bc414af472ae0bc15af9164a7ebc8fc82ea07ca0b7704557d673831a23ebb4a6aeb72952766cab13fa58b919

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
296KB

MD5
3691c5ea6588d1073750558bb2da9cbb

SHA1
c1348a4c325324289fd8eab485893a71031a46f3

SHA256
fba3b80ef0ae9ea17e49527ffabf1112c7648e9eaf85b7369b95a57b14a065a6

SHA512
431056c1c0e6b03885985301af53656f421bd2820dfb4ed862bb7e7f9ff66cbef0fbf5834e0bff13a86e40768dcdc1eb9c629a9c8b96561641fef8007ddb6b01

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
296KB

MD5
ffe9c36bc6f772cf81509157d10298c0

SHA1
1e03b6e880516d8fbe611f85096622a91c9de397

SHA256
b6f8df8b33edacc2e1b1f84c69a959370e7da1bec6b0f9028b95fef8ce1c31bf

SHA512
c911a0af6c3fe742abe7a63a8ad94296f435cba7b761d9bc7a63310ce6ee1b5de97d11ea755dcfd7be292d9104e796f78bdb9cb601c1b12b30bbdc4007a0b0ce

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
296KB

MD5
40675348fe0b2538331e0cbca94dbbb2

SHA1
33000c6e67d5678b281cdbc2d76a78121529e455

SHA256
6c6fa84423b82173a6d57d784ce20cd2fe24205571e2906f6b5cf123f4df3320

SHA512
437e7ec4d3e125ea1647de346fa8cd932d221d53582f1869ac97578d1fc60bb6c054f4f530df8518d0c6c74166e4b730850d42b5598c1d059f730c0c177a9198

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
296KB

MD5
f702826fce3db7e0e07ba1d00e57fe8f

SHA1
b09a898a4c8be00202f4f84d2488d8968f30d9f2

SHA256
5ed8df11348ecabb8d8b27a31700f5af0dfc43f12da6fdf9aaee453db909dbc2

SHA512
8d80d76d32f5af91b0d95c9cdfc4e66c4ed9c5a486a0c81c663c37f5f10c667ff0f27d42daa807d071e0ac57229f6de24c46160dd436f3dc08fe2ec12cfe2638

Download Submit
C:\Windows\SysWOW64\Ggkqgaol.exe

Filesize
296KB

MD5
18062e70dd0a82dfc2816e778e95c833

SHA1
8e2834573fa16edf03f99f84b1018d862b74b2fc

SHA256
ddfc9ccee76f9b0bbf14fc1378c332f974a1a75d8042569be8e04f39005be276

SHA512
b5989a4bc7105c1706e96e6ba986e5cb9a7f0eac5eb6ef07b03cf0130db0001a20d0ec1a33d7abf2d1ca6465c9e2b934a1cf991f15d10df5122ac310bf11984a

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
296KB

MD5
8d6013208fb9052a0cef0379acdf6bc3

SHA1
bdf01d61d8caa87ad74f0ed5641a9a67336c0a28

SHA256
87145583125c8ea1bf0b35034fb1de0937941ef7eb7f9d4b5defc6ef44fa7d67

SHA512
73a4e9dcb31b3849e84798caa3ba20086cfe3fcc144af3bb8a251143b2023aad8dc43fd60eed995aad2bd2c053d40f45ed57e8c4c773a5428fbf0634bad20d47

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
296KB

MD5
39208c6d770c6e8cc655064ebd3354c6

SHA1
caf180e159daf1b13ad2f55d12a5cec280544b5c

SHA256
747ffd29effac754e86e02873291afe6ff942ed30751bbbf7cb0030f087bfbef

SHA512
5d240c107c943c331b1ac2bf265414acf36f778bfc8869bf00974acb64ab3216e93e5da3d64ffdc19239341a13bb4f3bcc83a1ff3698e3a52df1054541396227

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
296KB

MD5
b902919eb31ea9872958b4e0f559d0ce

SHA1
3cba58296d8de85c801185dabf1b89eac12a8bd8

SHA256
1348cf3cc0c61e73301b51c7e7eee46964596ae19bc0a9acb73a86089bc1685d

SHA512
5b9a7c733d73f38367f51032c63ac59c1f3a0d1dde4591a8531b23eb19b2bf7fc6c5129b915588009137f2138811772406494a02c7e385fce9d28a791ccc415d

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
296KB

MD5
37963f2fd596046591fe32e1fb175160

SHA1
27326ed74dca891edf50a2d7b357ff69e24d0bc0

SHA256
63a7a7c745ac688167955fbee33be871a7368ef138bb703b4651b0d937c95c43

SHA512
f9ec5f0319d750e5bb1f739ed4ccc883d392d95b5a9cf4f47b7ca6940c459029abbe7b5693bbaff933b266b8da9a84abbe6f123dba3c41bf4650c9b084bf972f

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
296KB

MD5
ad297275b7d5ef47a9b36f11968ebb88

SHA1
497910743513d7515c11b6c824d0703f73b78b4a

SHA256
ead47a1f0621d12b663c234f5e0e3aab3d0b8a99c4dece9055324c2ca43ce159

SHA512
4e804335c0e7363d90eea2c41d8abcf972ad5c792788e1931d246ea043d675923e8d7794c3551b805a291c4e5bc2339b0d6c3683d8b79b1b83a2b583e8c0d712

Download Submit
C:\Windows\SysWOW64\Hiacacpg.exe

Filesize
296KB

MD5
9cb134e08ec78c89701cf68a2c91003e

SHA1
0072dc9c4694f9c747fd99b38c5fa17c37117e1d

SHA256
7f8f2e5312ef9b9dd629897daa44934c65ae3ce8f1d978bfbd5bf7b336e12f1f

SHA512
7145a0570a95834b84d0270c6dcf06e3f994986036816dc4d5feb15a8c38199ff137a631e2d820e1dc5b1523ca82c43b5f66bf913f1d634a9dbbe61617eedee3

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
64KB

MD5
184ed84682f34fbc818dd35e6514f4bf

SHA1
15d3755e0d03193087376ea8f56b668914205471

SHA256
0bc3ca70d946daa73773f7a24de19354f293744d3ad69e2157a775b060da37b9

SHA512
c2642c65d429f9e2c241d1eb4d37b08ba3140d7ce05a04b6b9318f1ba516965758119a11f9006cac7d8700ed6a307fc0dd6ef45d6928ccdaf0db70b193860e61

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
296KB

MD5
8f1db6fd3612b43ddee05b79e58fc13b

SHA1
6612aa73325a94633a32bb6faca34b7657387df2

SHA256
6c2fcf6ed4f0a53857573c72666e876006b613b0035d4818f57071d704b3a6a0

SHA512
66df4e717809d8fe35ff1c9380436e6a5627199086c88dada9206191f5fb59d2f3aa5638f1be9b0938a589d33b03321ab563f9366f8a48b3cf976adfd1cdb799

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
296KB

MD5
d10298b44efbd8d35e51f05369b287b6

SHA1
253aace7adaa2c03d8220838016339070405546f

SHA256
5ddeb7fbce1b7e75eab817bf71bc9eed22fef62c9eb8ebbec68606248c7d1761

SHA512
3cc9a5a75dbe0b057db9598c35ba847799bd4753b8db93acc2b337cba74580c5e34413a90b0aaff37f0382ad5b99e808d1a4bd9ba70838761d5295d23cfeea35

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
296KB

MD5
138bc6a92134ddf17b265bb4c937293d

SHA1
69a54980cfa49775a5ae554b0def6d6aff56fa35

SHA256
b8f43f9969d00d05336a5922582d6815ab0f25702a4153d0dc68ef772a56b1b4

SHA512
377a82afdc92bc607087790d1a5c49f955f3c7497fde4b318080d9130a969c72055f36dbf152cdb55bde6a4b9136a66af5859fed7d2191e5b2d20e97f68b5564

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
296KB

MD5
12de87585b7dac315be584a77d481680

SHA1
9940d5fd42ce8ac25d27ecc5f254d5807df3e473

SHA256
d7dd31d1cd634f33513243863d65724bc7fcc10bbc3a5ed1916def33a9ebcf46

SHA512
426af733c2fcdf634e21802c1f33d05f9b5771fa0f71bcfa13adcbd9779f7f6bd3b4a3b0d825b68eb70110f7e99b73b7c31eeffd40d3cfaa24ecf1723b873b4a

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
296KB

MD5
e285604e393c57274d2a858f45dc232e

SHA1
28436fb5a600f4c4748666bee9e9494298bc5745

SHA256
db1217c98bba6ccdabd3eb01ee4d0f3e73e63c2940e55c3a278a2018348afdd6

SHA512
4e317927a79851efc27160bbe6dba06b62b49b0b34334e918093caea74735971f80a3daddc063df0545b4165d451e7734210fde4674733c5222fdc7555909995

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
296KB

MD5
e8185a04cf2b5b3b863f52bedc3cf4b0

SHA1
5595f088e78c186bbffe7994032ef7dac7568e80

SHA256
2e6884ecd36527a79a7770602f0fbf5e8e2ef615e8c142649daa23e94ec0fcdb

SHA512
48f831f4e702d06dd1cceab84b995b48e54cda197812c94e7b96e16d0ac99640e4125bbee3a5d30394e72fcf22c6442439fdb0ab81f9276ad7c08c3a8bcd1314

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
296KB

MD5
e31cd5eb51b312c5a8b6f8e439697cc6

SHA1
c882cc28ae74b90ae10fda4b878991bd5493a14e

SHA256
3c70d91cfe5674e04297f81e67615ff856b276e5a5592a399a3261f7798afcd2

SHA512
4034d2e8d31d6c1155091456a7626f1f85c5a0744c380b6f07d0ff9375883af6ca99e22429c1d0cdb4e9c35457a6f1ee603693e2b7b806c18c50d6037453f1e9

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
296KB

MD5
50030894a23bf3c50db6b40c230fafa2

SHA1
42ca68cc9a4dc76ec71c4528bddd4e21c1c8a0dd

SHA256
f7c683c1ae19dfcd90e458be65f2bc0394df0bf995c3ee238b2a8b31149ca3e9

SHA512
21a4310173deacddf201b150c3cfdaf11a5df6cdc264ada98b2fab7174bd718280fc12111e834e3b827923ae4807b3881845326cfaea8fb0105d38114d7d7458

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
296KB

MD5
103178377e51ef6d23ff5d467ae82f61

SHA1
47f0c34e7215979978ae62b08338d5f4a2694427

SHA256
914b125d20bdf34c32cfdafb38291655b5a38dddc11b67d5fb975ec4e40f681e

SHA512
a6ebf57928ac18db8aa94c0fe69a741d9d444f938421ac903c45f89f8bc43e76c1b4bf079decba9825b475f56a473f8f4828c47db00e7fc6bc6666706a036fc3

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
296KB

MD5
2e241d7cbd289e7b6fbdd4aba4c9924c

SHA1
85b61f652dc8d2228493f7e9db40a9cea224abf6

SHA256
f70157f67eeaa96cb65ecc05fe38cd58f1b4efcf8252a0d5fc8f2a2f008a20f8

SHA512
d5d25987628f406067cfee0f6a85023594986f21f688673ad09a43ddcb905df628b10ee7e97b105c27e65a10d4fcb24f939c89089c2eddc0a991faac40b37cc6

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
296KB

MD5
5b0d6adcd204ef4062ff8a711c36759b

SHA1
b271efec05df6e444ccc97811f35c9c5356ddca0

SHA256
03a7258a4d3979d950415a54b14e0aacb864a8a739407a044e7042124e45052d

SHA512
d1e659811838e2c2543613571d5f787c08a2be4a40d9433ef7a4644eec6e0ee10c76c5625cde634233dace4c2261d8119217c9a42b5f19ed9665cf017eb80216

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
296KB

MD5
2f9073709df0f9c4d16a3e027a980802

SHA1
1ca76dce70f7b20ae7afd7c4ac42dca91429258d

SHA256
4d1181ed2576074564a978be45eb0f6700579a56face7ad2294fece35256c93e

SHA512
a649f47f324b97968bc08ae38d61b47d08e61478f18fecc23b474bfa95944c021a5433c62913dc7143e5e3f57b99a370d2e12fe6a690f76883712d084a8f347e

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
296KB

MD5
50fed4752584b3359e542f58ec53f0f5

SHA1
119aa2c063af1f5b3fcd1eb15bfa7ee5f976cfa9

SHA256
bccd83edbf950fe47099889c0dceb3f2496fd714bc100e6a38f569f3f95abffd

SHA512
5a7e3c1e7f48bf95b5712b1d3a923ea21cf22a9146efc65b5df737ceb32bb4b8e4cf4dd5649c54c3cbfdd89f8adb1316e67a3dafd9cc2cd8f227bd19da155a72

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
296KB

MD5
b580efa46a7743f2c0d2d66cb3ba66e9

SHA1
2f2d8765e7476b6eb7de6ca59249e98d98b97aa4

SHA256
c9567c354a50c687b46901a39e80c7da3c25eefb5779874990250edf1254304e

SHA512
fadbef9dd3f41682fd47407c43380f39c1e7fb678a1350681be87b5f1742c56accc99edb3844f024eb9fac0c6c536629c4d82ea7776e8fddf4b2eddd66fae101

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
296KB

MD5
c86041281c97f53e896764809fc49149

SHA1
58e4feaf07aef28b63d1f3ba726719c9ff0c5bbd

SHA256
f38729bc667ac3aa1b97d59e3c55b9b917132893006018c2507804ae7ed196bf

SHA512
59589ebc86246490e05b29cc36a57939a4e124bc6d422d9af926be1f8321c6cbcb9f1cd4737009981fa021fbf48df00ad1282eefb8aca4582ae74622d343d7e1

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
296KB

MD5
b02ac5e963df973b8a82600e9832c6eb

SHA1
e2d8e78b02b94ba499701102cdbf256543b84b4c

SHA256
f3a19446b56582b4554f9e23050a99c5ca37fe2dd8774358fcb2ba9499dcf4b1

SHA512
1ac4712bca63d5486228b17aaa0fe692eb3060e386fea3f0afa7cc2a85ca635e0721cb47c2e067f1460c01145c725b49f3b8cbc45bf52e3474e2bbd17e8a4335

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
296KB

MD5
6184d2bfe25faec5d77cfa2f20c3d2cd

SHA1
6b7b7476659d28985a584db3d7b3ccb479a5bdf9

SHA256
ff3c770e92a03fa1f427566376b160f36154b24c708bd15b124be5c24be34c28

SHA512
af88606b3cdd0e3aeb936a1807f0948a418788f293f7402203a54a935218edab7c0335e41539b2af658cddd4b99bc01e3e172f233dc5f86bb1c3efdd691d85bb

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
296KB

MD5
64dea62f1103cdba9a85206e4f715f30

SHA1
2570b563d20bea00f112c3b9f8b35c87ce468337

SHA256
e3d1fbc2e8c5fb81c14db89551c2c4df520d8b69b0ba19cab66ac679125b1cc7

SHA512
4853e09c05bcc2db16d476c57da69cc8e7d4285ead2f1a1aafaee81615f71b65387d06c17da8594202d33ee413af881bfe1c7e9a4af9c26977a225a388cfad0a

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
296KB

MD5
92d16bcd0ba12e1a497cd4b1dad6a384

SHA1
5a4dea811f0e5da7c2ab095d24c2d26b9b9e96e3

SHA256
42c32a91db09caaf05ea016084f2ef4b2006505135c8944d7338fdfb4cc0c92b

SHA512
409162edf94af2671c33fda3a6167df261d229035afffe28706583dd81fbbb1fa6caaa04636574f9dafe5d85fcb5deee9a9bf48485b8c017910310ee3c8768da

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
296KB

MD5
956b46360fea20ebf53bb650040c0731

SHA1
651cd7b16e739679f6f91c0279010012d2d6f9e1

SHA256
0904c441b99996f8e8dde98fc752ac168961e7a3e3c50648885cd5ae73c97e9e

SHA512
5d9ed77c2cc2abfe6666a035874e9d055f6dd415c05ddb93d3f0113887cebd97eee6bb2e0f60db50664437c7758877c601e4571020ff9a25159a4a708412a8ce

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
296KB

MD5
fc92352dd560360cc829e5e648a9f188

SHA1
f74a8b9ee843f000157406d41db8a3967befabd6

SHA256
08e44e297fe535ec47372cea549e6d55858d739bb192938ce8597e2d0af61072

SHA512
f4e63bdc4e4835c33633d1252b877d52a32a22ff7f66e3fb9fc044d0a4f862e5a54ea7b8724b36e1c0ac2d26773e5861595e63a34ce1fcacea758a2a7764535b

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
296KB

MD5
0bb94cc933da1f90c5d663e464afd073

SHA1
34dc4d4423cbbc21c13693c8e918999e80a347ca

SHA256
cf2c82e0895816c896a581e2acaed970206e926d59359e0e17d17860dee2a40b

SHA512
bcc4e8ce688702927edbdbe5942f149683961aabecc47e3dc547e930ded3969c1519aa20d48f0d51cf3242881530954f7cfd4e7a5af073b5ce635bea82999835

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
296KB

MD5
6e91080cc36e6b67553740956057018b

SHA1
fb937a72909224d4f833877b954a6b828bca4ce8

SHA256
3e8dd8552cd79d3ade7cc3cc06cd231057619402d69f38d5402b4e594f27da86

SHA512
0aab82d0ec6c070d16a8e44ab22e3b6e88c0576b2cc0bede86de64bf5768a4de771b7675591bcee22136b3dfe6c7c257070760721bc83d13bb041c40fbdf4744

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
296KB

MD5
d629fa556b0c411932c874feb87db133

SHA1
82f030e3bcf664e05848f938e1412b2f2492e717

SHA256
0dd842a402e8ab3ea26c5de522093e8c28125b3a67594653a6ad618e307359e2

SHA512
1fcf264dd027ef90ca0e6221e785049f7cbf13242f281904d4eac1f450a74af0b0bfe6086ccea4bca57a9a98e08c131e64bb8aa3c9187ea3aad336d86ae56401

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
296KB

MD5
6dabad888b34a3f993f24fa0ebdb0696

SHA1
4834b29aa887fa1eebd5ee30e4d1baecbdad48bc

SHA256
7356fb6f7ccb33d0e317322649bdbce0b14c395de0e8212fe12ac17f071a560c

SHA512
68f65065ef410d486ed86653ecb456f05d65493e355c98de395d5f26ee57b421fe678f237188ff962a6733be08c19ea23ecec8840358bf256949909e5337e1f8

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
296KB

MD5
bc2eda80c48a694a006f85270b704397

SHA1
9aaf8f3910df80dfef8d4814a96fa5d228206981

SHA256
8dacb6d91cd350a196263f0e96745960d27bf3f4d3c51ccd7c5905acf9616ffd

SHA512
89f90ce328827caf367d487afc4eb7693f96d202df41ca15cdb97b99addaa9bbfbf49a0af04968d5d2e49110726bc3ad00f19241e101e49edb613b88cef116bc

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
296KB

MD5
d9355d7eb0f8b1da7b65c75a0ed1bfb8

SHA1
cfdfec84677d886687ecf0df3ddfd26cb118be00

SHA256
eb965361de82b1111a40524eeb4b7915eb15a5f1eb182a53064467b1937a9e2b

SHA512
7ebad1771d3055579cd4181831b63bebfad6c48066e5b3bb0a875218d847bb5328a3116ec16ccc250635c342acfb96d8e6cd763738879ad5adac7726a4031b6b

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
296KB

MD5
c8e379d9ede5519850080fd067c52e63

SHA1
b23354f482b0f6b51cf2464a1dfdd1d336c43cbb

SHA256
851cf8e79d23e9c2e69858b233546a40cd2e5e2d0b47ff42037304939923d402

SHA512
e47e096d0c215f7ccc01aaba712dd36ca20a0f590258bdad0526937b4bb955b6afa2e2a7d1545dfd79f5c1c88040997b57ba239d21b20b00cff0d94d5e3863db

Download Submit
C:\Windows\SysWOW64\Mqjbddpl.exe

Filesize
296KB

MD5
74bc7417144e06181b7f2db3dfe4554a

SHA1
3a7346a5acdf5777b17347c44118fbbfbae36fcb

SHA256
753c922e1ba9dc5d50e1b8be7da9b561b742d37065a9ae9695a50f1a21afa36c

SHA512
b11fabaaee95ec41d02978f60b47af30ce910a9651a536da3f7469915f5b0e73a4bf9a8d864698d670d40b8d3ea614f729c6bc52cb77edf7670002e76f1aa983

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
296KB

MD5
1e0784fdb2a9869d7e30aa8c9f2ffd2e

SHA1
a3bf0948f2dc2817ac55afb03714604d71518c09

SHA256
f8b1794bb78c64528e360617878f6bca8130950af250e19d950a7fb6d60125a7

SHA512
20725859465719bc731b968eac29aeb738bb9b17f6d74c50aa3849a2b2e817262d54ebe9ae2d8d0b0a1305dcff7a08d865c52909e99a4e3c0f394b9cb80d36ea

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
296KB

MD5
b777a8cc8f1a315bcc15cd227bb8598b

SHA1
9106acf5f852edbbdb4f05dfe4580ff950ddac38

SHA256
437bd3a9abdc568da726afb9387290f35313907412aefe6c7a328d24aa9a0057

SHA512
76011da6e81b45fc52c0128a38198ebbb35fb4ef706f333d88358c342939936fed4fa89fe7f6157345f80cd9037cee73d0efa1be7b0be6a0553611776b2a62ed

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
296KB

MD5
59c74833c2a0d17300a754b8f6aefb47

SHA1
32c1035278a0ee4d19c743ae9fe101ab2abc8bc8

SHA256
f5fe98d48c4a0465bbb00798176217e4f18c183e550fb33cab7c4400fc98f3c6

SHA512
1de07f9d22e2226c3b77b1ec8b9494e11f37fae52ce513c2e4a38aeeb6a05ea758e629c8d9252e1cf82f59392e57bf2792bc75ea74e3e5554b7b35e66aa505c3

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
296KB

MD5
92ed83b5ece4db967ffa32c0fe07a45e

SHA1
f9e5eae1688ceb98c86e6f78827f149abf103d42

SHA256
d5fd527119e0244131d3c6a18ece2e353ac38f098e1d0cabaefd87ba2ee3c931

SHA512
d9dfdf5368ac2724bf1b94e9bfcdbd26079e1af11724d6e0cd30ea1ea35f90a96667de1a418245b6db80e9221d501cd242f5fb6dcab860ce5ded058fc53d3bfc

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
296KB

MD5
1457ab3a1fc8ea6742d676d2ce45399d

SHA1
163c4c8d596732281139c0617924c07964613c13

SHA256
5144a32b6211a97b24f37b54949b4844245ca55c1b656883c1dff6d1d2b1ca6f

SHA512
f9bfb431abf3e023bc972d3c6655b2a7da90023139f67f0f080635ab64f37dc4520ca82d4d03ae2585bced6fb86847c9682ec51ded1ef2efcbeaf86ac831c2e4

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
296KB

MD5
23d31c43b5d9ab53c5e0d72547611686

SHA1
c8d82755ebf10e19fc87a2bc5771f2aaf16a8d90

SHA256
79568ddabca4b3d75b75c754fb1a4823e2ff9bc390c5c9d08a99cfee5a051c40

SHA512
35a095c24c8da9615bded9aecb956a34e8cd8655961fa950bdb82cb3c1598cc58176817ad8ee058cd0d3e9a53eeb9dc32e6316c69982ce58510cde6f2ace642d

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
296KB

MD5
ab0b10689b212c0d67ca0cc7a261ee12

SHA1
004cee6ab6a8dd8e9b88649bd1310768d08d93ce

SHA256
df4dacaac068f1bde4b1a9fa708b9d9ebf2f9e09c3cfc6ecbdc37437156689cb

SHA512
36bdf95128ae593e58f64e4737a67239eaabaacd1e82404aad99c220611fd3dc79ee8d5510ec3ccfe4eaea7f7b7d6bb8dcc1f1f9aca778aba906188421506bc7

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
296KB

MD5
500378704c584bc8d7f996d43ac0ef15

SHA1
48a4a3f13939c352eb915762aa3f40b19fe1be25

SHA256
9e914b8ec0b763b209bb91b95b6fdca2d586d51a628ab99d2dd8056a1489a9b3

SHA512
ec3363f6bdfd4bda1974670dab30492058014026b8b98e3f209ff9baaae64691dfd2e215aa94e84a8642060d350dd014d12a9eb21a66b6b5a4e0df18e672d610

Download Submit
C:\Windows\SysWOW64\Ojnfihmo.exe

Filesize
296KB

MD5
53f023da1af879eebf45879502c1aed4

SHA1
0532b8366e0cff4daf7cc6b0a0cc1c2d04f5abcd

SHA256
e97bad6bc53904b468d01b0889c7ce19e9cdd66f463b4da0b0a96056e8686440

SHA512
eb1bf7dfad765899f28c9940f2239d6d3da8af6cfd3d77a02e8ea9cb5d3542c896a65379c7d1fff00d9bcfda362b403c6e4515a90a7dccd6a4792a976afab949

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
296KB

MD5
82dcd3a3f8f64c44d1a591205a60554c

SHA1
bbf214091cb99711583826d1b24d9a7a9e4e5a50

SHA256
6b62fbf52b0b102adc1bbbcc7e6a7d764fc69ce25d9a53a993892021e4366a9a

SHA512
7b2738af529fd4fa941616576a5f31b034e3dbed1f3fe0ee45d8a1a4a43651335523223fc1f36c69be84477892e4aec0aa55f800ba0fcd4702f37f71b9fac6c2

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
296KB

MD5
6c072a5788cb96cf534cd2708ce45013

SHA1
b0a977d75e3f27abbb7d4b99dae3b2257d20f3ad

SHA256
883449d36cdf57e29750f9b073cbb591078c375c99a64bdb3b57ee09e069b889

SHA512
4d336d03586c5a163e68b402d3f6069d27a36f523e9373f36386e0282c46b654db7cc590142408e25f1a18a8aee26795627e771a07d9f1af53a5385a90ea766c

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
296KB

MD5
931ef30e464f80098769330d23cfa621

SHA1
ca33e854b687218d0251e3dc3eadab05cf4430e8

SHA256
f9f678e8e7a78bf995ba7b1f54c2e868a71ed0065051f8c8b68094aeaed78f27

SHA512
43d08089cde361bbf1ed6c11be7c061ecc7cfa2b0ad83126f4fae8b7a0239e7e6865fd16174e9a955aaf2b9527ddaf521f549dfebe918e3c8abb491e9776b3c8

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
296KB

MD5
dfb9b416de5390e3ebff709260a1f6a4

SHA1
bae5945b8349d69078be95cea26b82b43dcdb7c9

SHA256
e1b2c748c76a8ceaa3a1092e13c300b2e96b4c53105efabf6353a4862e70cbbf

SHA512
560d7ab4961ca0d13836e63a2037e7382f44b4ce0a674033897d62900d89dcd2abbcdeb70d5411ebc3bae67f3dc5b9ce48cabbd608851aae10bf8fe41e6e2c8d

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
296KB

MD5
b212785ca9054812b032ece17a7b55d5

SHA1
50b7018a75cfefd91fc206afc09559bdf5f9d3a5

SHA256
f0536df325c537572c3a3bf4a74ecef87931eacccd053c914154a896c7ae0445

SHA512
df2b223638b8e68828b38f10c10181a8d4e048cc277ab0686de665828d9edcbddac6137c84efdb03b9e4ce42a599af2c669f4d771e21a46ddc0bda15f2c0ff57

Download Submit
memory/8-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/264-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9388-2564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9564-2557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9740-2550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9916-2543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads