berbew | 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
Size

340KB
MD5

ff1e686cd82bbae6375df530fc6bf42c
SHA1

399dedf4e2c1a111af45df52b74c8a99e433a427
SHA256

77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863
SHA512

725e28f09a1f3b5546c735a5a7c19fe1a84da5f28ba8cc127e89ce7bab212cf3d2934bdf6dec6459b550b7cc17abc775a893bcdd036a36b135803ec0af64f282
SSDEEP

6144:zs0Q+BSVq+Ju3/fc/UmKyIxLDXXoq9FJZCUmKyIxLjh:zs0Q+B1+F32XXf9Do3i

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Embddb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgfapd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahdged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpfepf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilqoobdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmbmkpie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpecbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkpqkcpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdbnjdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jljbeali.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdjapgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpofii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbdgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpfepf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpmmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peahgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Innfnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcqjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpqjglii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmpjmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomqcjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmndpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfhkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmlddqem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oelolmnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekmnajj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjokgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omqmop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igpdfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iphioh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2160	Eblpgjha.exe
432	Embddb32.exe
3692	Ejfeng32.exe
5040	Fbajbi32.exe
4168	Flinkojm.exe
4968	Fimodc32.exe
1632	Ffaong32.exe
4344	Flngfn32.exe
1264	Ffclcgfn.exe
4520	Fmndpq32.exe
4196	Flqdlnde.exe
1748	Fdglmkeg.exe
3584	Fffhifdk.exe
960	Fideeaco.exe
4796	Glcaambb.exe
1448	Gdjibj32.exe
4764	Gfheof32.exe
3972	Gigaka32.exe
456	Gmbmkpie.exe
760	Gpqjglii.exe
4068	Gdlfhj32.exe
4804	Gbofcghl.exe
4768	Gjfnedho.exe
4340	Giinpa32.exe
4276	Gmdjapgb.exe
1316	Gpcfmkff.exe
928	Gdobnj32.exe
4672	Gbabigfj.exe
3588	Gfmojenc.exe
3864	Gkhkjd32.exe
3772	Gmggfp32.exe
4748	Gljgbllj.exe
4524	Gpecbk32.exe
3452	Gbdoof32.exe
1668	Gkkgpc32.exe
400	Gingkqkd.exe
1096	Glldgljg.exe
4760	Gphphj32.exe
536	Gbfldf32.exe
1492	Gkmdecbg.exe
4988	Gipdap32.exe
4516	Hloqml32.exe
1480	Hpjmnjqn.exe
1900	Hbhijepa.exe
4832	Hkpqkcpd.exe
1836	Hibafp32.exe
2312	Hlambk32.exe
5048	Hplicjok.exe
2112	Hckeoeno.exe
2504	Hgfapd32.exe
2720	Hienlpel.exe
5108	Hmpjmn32.exe
2664	Hpofii32.exe
4128	Hdjbiheb.exe
4972	Hginecde.exe
3252	Hkdjfb32.exe
3008	Hmbfbn32.exe
4208	Hpabni32.exe
1952	Hcpojd32.exe
5012	Hgkkkcbc.exe
2640	Hiiggoaf.exe
3908	Hmechmip.exe
3744	Hpcodihc.exe
2440	Hcblpdgg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Akpoaj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbfldf32.exe	Gphphj32.exe
File created	C:\Windows\SysWOW64\Jcikgacl.exe	Jqknkedi.exe
File opened for modification	C:\Windows\SysWOW64\Mebcop32.exe	Mccfdmmo.exe
File opened for modification	C:\Windows\SysWOW64\Mmnhcb32.exe	Mjokgg32.exe
File created	C:\Windows\SysWOW64\Fbqdpi32.dll	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Lomqcjie.exe	Ljqhkckn.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Ekamnhne.dll	Knenkbio.exe
File created	C:\Windows\SysWOW64\Inqbclob.exe	Ijegcm32.exe
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Mociom32.dll	Iloidijb.exe
File opened for modification	C:\Windows\SysWOW64\Bffcpg32.exe	Bllbaa32.exe
File opened for modification	C:\Windows\SysWOW64\Hoaojp32.exe	Hffken32.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Ipflihfq.exe	Iljpij32.exe
File created	C:\Windows\SysWOW64\Hojpmg32.dll	Pddhbipj.exe
File created	C:\Windows\SysWOW64\Pbegml32.dll	Hoaojp32.exe
File created	C:\Windows\SysWOW64\Adfonlkp.dll	Jpcapp32.exe
File created	C:\Windows\SysWOW64\Lejomj32.dll	Gdlfhj32.exe
File created	C:\Windows\SysWOW64\Hpabni32.exe	Hmbfbn32.exe
File opened for modification	C:\Windows\SysWOW64\Iciaqc32.exe	Ipjedh32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Mgloefco.exe
File opened for modification	C:\Windows\SysWOW64\Nnafno32.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Opkpck32.dll	Hlambk32.exe
File created	C:\Windows\SysWOW64\Kideagnd.dll	Hienlpel.exe
File created	C:\Windows\SysWOW64\Ikpjbq32.exe	Iciaqc32.exe
File created	C:\Windows\SysWOW64\Gbfldf32.exe	Gphphj32.exe
File opened for modification	C:\Windows\SysWOW64\Idhnkf32.exe	Ilafiihp.exe
File opened for modification	C:\Windows\SysWOW64\Ljnlecmp.exe	Lpfgmnfp.exe
File created	C:\Windows\SysWOW64\Lhnblp32.dll	Fbajbi32.exe
File created	C:\Windows\SysWOW64\Jpcapp32.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Gkjdipap.dll	Lomqcjie.exe
File created	C:\Windows\SysWOW64\Mgloefco.exe	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Dlmmaqlm.dll	Hildmn32.exe
File created	C:\Windows\SysWOW64\Lflpengd.dll	Jnelok32.exe
File created	C:\Windows\SysWOW64\Cmcgolla.dll	Gblbca32.exe
File opened for modification	C:\Windows\SysWOW64\Imiehfao.exe	Iliinc32.exe
File created	C:\Windows\SysWOW64\Minqeaad.dll	Lokdnjkg.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Fffhifdk.exe	Fdglmkeg.exe
File created	C:\Windows\SysWOW64\Hmbfbn32.exe	Hkdjfb32.exe
File created	C:\Windows\SysWOW64\Fnipgg32.dll	Mebcop32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgcjddh.exe	Ahdged32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpode32.exe	Jokkgl32.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Qfglbe32.dll	Ljclki32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Jlmfeg32.exe	Jjoiil32.exe
File opened for modification	C:\Windows\SysWOW64\Omcjep32.exe	Omqmop32.exe
File created	C:\Windows\SysWOW64\Ghbjikdh.dll	Oldjcg32.exe
File created	C:\Windows\SysWOW64\Gbofcghl.exe	Gdlfhj32.exe
File created	C:\Windows\SysWOW64\Dkfadkgf.exe	Dooaoj32.exe
File created	C:\Windows\SysWOW64\Baaelkfn.dll	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Ljobpiql.exe	Kdbjhbbd.exe
File created	C:\Windows\SysWOW64\Bjbmjjno.dll	Kgdpni32.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Nadleilm.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qhjmdp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9500	9372	WerFault.exe	456

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioolkncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomqcjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnhpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdjfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkegpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fihnomjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmdme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbbffdlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ennqfenp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jinboekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmbmkpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Innfnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjccdkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgiimng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcoaglhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeiodek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fideeaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmechmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inqbclob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpcfmkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcikgacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnadagbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigdcll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkahilkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimodc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flngfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giinpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbanbmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflbkcll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqoobdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokdnjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gphphj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnelok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gflhoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqikmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjjkaabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcblpdgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjoiil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfodeohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgaokl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peahgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgnbaeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jknfcofa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjmfjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flqdlnde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hloqml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll"	Oelolmnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofonqd32.dll"	Oeokal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkccgodj.dll"	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgeghp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkjeomld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqpamb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijegcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcgnbaeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmggfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll"	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpqkcpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll"	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcbdgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnlbojee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joicekop.dll"	Lekmnajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Peahgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll"	Fideeaco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcblpdgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idhnkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mccfdmmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chqogq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknjbg32.dll"	Hmbfbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcpojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Njfagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofkjd32.dll"	Gjfnedho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabjcina.dll"	Glldgljg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll"	Jgkdbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaemg32.dll"	Kjmfjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmlmhl.dll"	Hpofii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll"	Gigaka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjlmclqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hildmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdkdgchl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgaokl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knfeeimj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpdihki.dll"	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lncjlq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2160	1844	77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe	85
PID 1844 wrote to memory of 2160	1844	77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe	85
PID 1844 wrote to memory of 2160	1844	77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe	85
PID 2160 wrote to memory of 432	2160	Eblpgjha.exe	86
PID 2160 wrote to memory of 432	2160	Eblpgjha.exe	86
PID 2160 wrote to memory of 432	2160	Eblpgjha.exe	86
PID 432 wrote to memory of 3692	432	Embddb32.exe	87
PID 432 wrote to memory of 3692	432	Embddb32.exe	87
PID 432 wrote to memory of 3692	432	Embddb32.exe	87
PID 3692 wrote to memory of 5040	3692	Ejfeng32.exe	88
PID 3692 wrote to memory of 5040	3692	Ejfeng32.exe	88
PID 3692 wrote to memory of 5040	3692	Ejfeng32.exe	88
PID 5040 wrote to memory of 4168	5040	Fbajbi32.exe	89
PID 5040 wrote to memory of 4168	5040	Fbajbi32.exe	89
PID 5040 wrote to memory of 4168	5040	Fbajbi32.exe	89
PID 4168 wrote to memory of 4968	4168	Flinkojm.exe	90
PID 4168 wrote to memory of 4968	4168	Flinkojm.exe	90
PID 4168 wrote to memory of 4968	4168	Flinkojm.exe	90
PID 4968 wrote to memory of 1632	4968	Fimodc32.exe	91
PID 4968 wrote to memory of 1632	4968	Fimodc32.exe	91
PID 4968 wrote to memory of 1632	4968	Fimodc32.exe	91
PID 1632 wrote to memory of 4344	1632	Ffaong32.exe	92
PID 1632 wrote to memory of 4344	1632	Ffaong32.exe	92
PID 1632 wrote to memory of 4344	1632	Ffaong32.exe	92
PID 4344 wrote to memory of 1264	4344	Flngfn32.exe	93
PID 4344 wrote to memory of 1264	4344	Flngfn32.exe	93
PID 4344 wrote to memory of 1264	4344	Flngfn32.exe	93
PID 1264 wrote to memory of 4520	1264	Ffclcgfn.exe	94
PID 1264 wrote to memory of 4520	1264	Ffclcgfn.exe	94
PID 1264 wrote to memory of 4520	1264	Ffclcgfn.exe	94
PID 4520 wrote to memory of 4196	4520	Fmndpq32.exe	95
PID 4520 wrote to memory of 4196	4520	Fmndpq32.exe	95
PID 4520 wrote to memory of 4196	4520	Fmndpq32.exe	95
PID 4196 wrote to memory of 1748	4196	Flqdlnde.exe	96
PID 4196 wrote to memory of 1748	4196	Flqdlnde.exe	96
PID 4196 wrote to memory of 1748	4196	Flqdlnde.exe	96
PID 1748 wrote to memory of 3584	1748	Fdglmkeg.exe	97
PID 1748 wrote to memory of 3584	1748	Fdglmkeg.exe	97
PID 1748 wrote to memory of 3584	1748	Fdglmkeg.exe	97
PID 3584 wrote to memory of 960	3584	Fffhifdk.exe	98
PID 3584 wrote to memory of 960	3584	Fffhifdk.exe	98
PID 3584 wrote to memory of 960	3584	Fffhifdk.exe	98
PID 960 wrote to memory of 4796	960	Fideeaco.exe	99
PID 960 wrote to memory of 4796	960	Fideeaco.exe	99
PID 960 wrote to memory of 4796	960	Fideeaco.exe	99
PID 4796 wrote to memory of 1448	4796	Glcaambb.exe	100
PID 4796 wrote to memory of 1448	4796	Glcaambb.exe	100
PID 4796 wrote to memory of 1448	4796	Glcaambb.exe	100
PID 1448 wrote to memory of 4764	1448	Gdjibj32.exe	101
PID 1448 wrote to memory of 4764	1448	Gdjibj32.exe	101
PID 1448 wrote to memory of 4764	1448	Gdjibj32.exe	101
PID 4764 wrote to memory of 3972	4764	Gfheof32.exe	102
PID 4764 wrote to memory of 3972	4764	Gfheof32.exe	102
PID 4764 wrote to memory of 3972	4764	Gfheof32.exe	102
PID 3972 wrote to memory of 456	3972	Gigaka32.exe	103
PID 3972 wrote to memory of 456	3972	Gigaka32.exe	103
PID 3972 wrote to memory of 456	3972	Gigaka32.exe	103
PID 456 wrote to memory of 760	456	Gmbmkpie.exe	104
PID 456 wrote to memory of 760	456	Gmbmkpie.exe	104
PID 456 wrote to memory of 760	456	Gmbmkpie.exe	104
PID 760 wrote to memory of 4068	760	Gpqjglii.exe	105
PID 760 wrote to memory of 4068	760	Gpqjglii.exe	105
PID 760 wrote to memory of 4068	760	Gpqjglii.exe	105
PID 4068 wrote to memory of 4804	4068	Gdlfhj32.exe	106

C:\Users\Admin\AppData\Local\Temp\77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
"C:\Users\Admin\AppData\Local\Temp\77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\Eblpgjha.exe
  C:\Windows\system32\Eblpgjha.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Embddb32.exe
    C:\Windows\system32\Embddb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\Ejfeng32.exe
      C:\Windows\system32\Ejfeng32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Fbajbi32.exe
        
        C:\Windows\system32\Fbajbi32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ffclcgfn.exe
        
        C:\Windows\system32\Ffclcgfn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Flqdlnde.exe
        
        C:\Windows\system32\Flqdlnde.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Fideeaco.exe
        
        C:\Windows\system32\Fideeaco.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Glcaambb.exe
        
        C:\Windows\system32\Glcaambb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Gfheof32.exe
        
        C:\Windows\system32\Gfheof32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Gigaka32.exe
        
        C:\Windows\system32\Gigaka32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Gdlfhj32.exe
        
        C:\Windows\system32\Gdlfhj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        23⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Gdobnj32.exe
        
        C:\Windows\system32\Gdobnj32.exe
        28⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        29⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Gfmojenc.exe
        
        C:\Windows\system32\Gfmojenc.exe
        30⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Gkhkjd32.exe
        
        C:\Windows\system32\Gkhkjd32.exe
        31⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Gmggfp32.exe
        
        C:\Windows\system32\Gmggfp32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        33⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        35⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        36⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        37⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        40⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Gkmdecbg.exe
        
        C:\Windows\system32\Gkmdecbg.exe
        41⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Gipdap32.exe
        
        C:\Windows\system32\Gipdap32.exe
        42⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        44⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Hbhijepa.exe
        
        C:\Windows\system32\Hbhijepa.exe
        45⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        47⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        49⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        50⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Hgfapd32.exe
        
        C:\Windows\system32\Hgfapd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Hpofii32.exe
        
        C:\Windows\system32\Hpofii32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        55⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Hginecde.exe
        
        C:\Windows\system32\Hginecde.exe
        56⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        59⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Hgkkkcbc.exe
        
        C:\Windows\system32\Hgkkkcbc.exe
        61⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        62⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        64⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Hcblpdgg.exe
        
        C:\Windows\system32\Hcblpdgg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        66⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        69⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        70⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2476
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        72⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        73⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4036
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        75⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Iknmla32.exe
        
        C:\Windows\system32\Iknmla32.exe
        76⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        77⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        78⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Ipjedh32.exe
        
        C:\Windows\system32\Ipjedh32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        81⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Innfnl32.exe
        
        C:\Windows\system32\Innfnl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        83⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        84⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        85⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        88⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Icnklbmj.exe
        
        C:\Windows\system32\Icnklbmj.exe
        89⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        90⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        91⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jlfpdh32.exe
        
        C:\Windows\system32\Jlfpdh32.exe
        92⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        93⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        94⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        95⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Jnelok32.exe
        
        C:\Windows\system32\Jnelok32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        97⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        99⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        100⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Jnhidk32.exe
        
        C:\Windows\system32\Jnhidk32.exe
        101⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Jpfepf32.exe
        
        C:\Windows\system32\Jpfepf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Jcdala32.exe
        
        C:\Windows\system32\Jcdala32.exe
        103⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Jjoiil32.exe
        
        C:\Windows\system32\Jjoiil32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Jlmfeg32.exe
        
        C:\Windows\system32\Jlmfeg32.exe
        106⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        107⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        110⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        111⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Jgeghp32.exe
        
        C:\Windows\system32\Jgeghp32.exe
        113⤵
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        115⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        116⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        117⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Kjepjkhf.exe
        
        C:\Windows\system32\Kjepjkhf.exe
        118⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        119⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Kdkdgchl.exe
        
        C:\Windows\system32\Kdkdgchl.exe
        120⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        121⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        122⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        124⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        126⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        127⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        128⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        130⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        131⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        132⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        133⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        135⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        137⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        138⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        139⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        140⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        142⤵
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        144⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        146⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        147⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        148⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        152⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3884
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        155⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        157⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        158⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        160⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        161⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        162⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        163⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        164⤵
        
        PID:944
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        165⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        166⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        167⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        168⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        170⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        171⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        173⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        174⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        177⤵
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        179⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        180⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        181⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        182⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6268
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        184⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        185⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        187⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        189⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6556
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        192⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        193⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        194⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        195⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        196⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        197⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        200⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        201⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        203⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        205⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        206⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        208⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        209⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        211⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        212⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        213⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        214⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        215⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        216⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        217⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        218⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        220⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        221⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        222⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        223⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        224⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        225⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        226⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        227⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        228⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        229⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        231⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        232⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        233⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        234⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        235⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        236⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7144
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        239⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        240⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        241⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        243⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:7212
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        245⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7296
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        247⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        248⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7420
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        250⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:7516
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        253⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        254⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        255⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        257⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        258⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7868
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        260⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        261⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        262⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8044
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        264⤵
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        265⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        266⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        267⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        269⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7280
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        270⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        271⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        273⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:7704
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        275⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        276⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:7920
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        278⤵
        Modifies registry class
        
        PID:7944
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8036
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        280⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8116
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        281⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8188
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:7264
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7376
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7484
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:7592
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        286⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        287⤵
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        288⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:8028
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        290⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        291⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7368
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        293⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        294⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7932
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8104
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        297⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        298⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        299⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        300⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        301⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        302⤵
        Drops file in System32 directory
        
        PID:7876
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        303⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        304⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7968
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:7988
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        306⤵
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        307⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:8252
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8296
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        310⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        311⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8384
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:8428
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:8472
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8516
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        315⤵
        Modifies registry class
        
        PID:8560
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8608
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        317⤵
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        318⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        319⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8784
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        321⤵
        Drops file in System32 directory
        
        PID:8828
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        322⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        323⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        324⤵
        Modifies registry class
        
        PID:8960
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9004
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        326⤵
        Modifies registry class
        
        PID:9048
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        327⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        328⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        329⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        330⤵
        Drops file in System32 directory
        
        PID:8200
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        331⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        332⤵
        System Location Discovery: System Language Discovery
        
        PID:8328
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        333⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8460
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        335⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        336⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8672
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        338⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8748
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8812
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        340⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        341⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8956
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9032
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        343⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        344⤵
        Modifies registry class
        
        PID:9160
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8216
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        346⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        347⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8456
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        348⤵
        Modifies registry class
        
        PID:8508
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        349⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8684
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        350⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        351⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        352⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9112
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        354⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        355⤵
        Modifies registry class
        
        PID:8416
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:8544
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        357⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        358⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9172
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        360⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:8752
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        362⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        363⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        364⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        365⤵
        Modifies registry class
        
        PID:8804
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        366⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9088
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:8856
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        369⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        370⤵
        Drops file in System32 directory
        
        PID:9244
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        371⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9328
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        373⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9372 -s 412
        374⤵
        Program crash
        
        PID:9500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9372 -ip 9372
1⤵
PID:9436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
340KB

MD5
4852fe699647cc1d2aeb8bfd06d0fd79

SHA1
5b80c2250567d78b9eabdb1e75ee718695a32ffd

SHA256
5cdbb3ff3ed6aebaf83ec42656b4e633fc6d1bedeb3ee45142ae598fa1cf3114

SHA512
f6f7c196c3181c8ea3e6e59c148929418a28f91a62757d539911dda013e5d2c5d7b95542151ad6d9fba3114cc0fdb263e8ed1727f88bf2461af743a9b556c5f1

Download Submit
C:\Windows\SysWOW64\Aaldccip.exe

Filesize
340KB

MD5
f1f4aaaa84ad65209f68a9eec08f374b

SHA1
ecf7a55384fe7b1b3ccb21957d5c2d57d3773548

SHA256
183d6c208a896d7fd0639a8ca54c1bda01dbf052dfa8a0b487c7db99954c7a7f

SHA512
824eeeb9621da09babc8955625680c05191b609d35f5a22fdb43ce85521dd82c094461c9155060cf43bf05e3c1fb4c1f38711f74479e81ab6e6930b0977a4dfe

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
340KB

MD5
a210da84259820bbd5e3ea52d302f092

SHA1
530b65750ba65586e1f0adbb9cfbbbca30e49cbc

SHA256
07cc4cde7818cb01e6b5b0aef01398b171e8695abfda157eccce7ba98486b36f

SHA512
944242b79dce94f5c19a8c7053da793c02e8f1d250b3d2dd2a80cffb357e32c72b1509646783e6d899fa2c171f6ff76eba99b6e3b2a7f0e421aeca571a213f40

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
340KB

MD5
f5bff80f6b693f88c03a07dac890231c

SHA1
2b926575bd5bdd577ce652f644234f440ebd5c29

SHA256
fe07bd54de2c087902325bdde8a845eb030eca2593cf3674d062421586568d29

SHA512
95ef93c727bccfc9ceec32fbb88feff0a6824714961318f61699b8cfb22f209f85b1516a561de2769ac609d103f1efcd92d9e0e2e729333a53d4d4e5c82a3483

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
340KB

MD5
bee8932fc34006af1ff8fd9086fba4af

SHA1
6873f378d9fb2860685a634149d0119f11f4fe0f

SHA256
c7bd1ff22dd1b943fd7407a53dc4b53db418868b4d90f757aab27fb236e62b53

SHA512
1c2f7eaaec62c72aae04e815c2aaee048961ceccf64c14ec9c33d3c3c12f486c686bf749e14b2144a217da3637b2516f21fc6056f3edd73eb03b2291e994b9ad

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
340KB

MD5
54c9c230ac72bfabe7348f17c9e74a94

SHA1
e5e6ea314c7fc67ff52e3b8673d56ba38e3178fd

SHA256
cc71c54a156c1241ff548b4d9d3523b1872224c178faf0e2dc94de4661696ef4

SHA512
7cf4d6963c67c04117c09f8dadffabbb81e483eedf69cb1de38af5bf03f3344fcfbad34c29c7cf496beea65c25c7bc96a3d0809acbfcdf17bdc4a682346e5260

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
340KB

MD5
ee373bc09189990fd37dcd8ccc4413d9

SHA1
d58a43885cc28098dfd1ecdbb198281b8a92743d

SHA256
b6af6828da808313edd0e1fa9c4768f24cb23468016a08a93bb4ad20444a2823

SHA512
dcc95cea9e6f2e02ad3267e56b536483956728b32de7bdb790e6e80a85578830941b5d3720c28a640ae4c68f59b7ffac6bc1f5b3585fdf97f543e53c0ce04b48

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
340KB

MD5
6af384c8c1f698fcc46a0a96388ecfcc

SHA1
6547b3349c9d63b6be52f0237357d8acb177b9b3

SHA256
60666f8ef093c904ba3346d6e25908f132f0b385d486f99774090a2f7e77748b

SHA512
d2be39e9feecf7f53d9498911935fbbd42a2dbb95d3ae8981346dfa53412d1d7eadf9669637c3c7a3819c4659bdb81d35c6af606b4bd97566a4a65ce711b14d8

Download Submit
C:\Windows\SysWOW64\Ckhecmcf.exe

Filesize
340KB

MD5
de0e376458442144b0e3fc57ce95f915

SHA1
3d27e10c6518be5bf289d28cc1b0da9d983fad82

SHA256
f4a766c9578447b3b82f2a27d265c63ca9761b10c52dd44bf0c76cbf2219150c

SHA512
f24b19a45a985bc6e93c55e28521654f89288fb6e2e4557865326a6335b8a4814e064f9de8433aac9e38992580eb72743b3d999b1ebd2dd65bf1b3fc426231e3

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
340KB

MD5
cde385125ec6d1b746f96ade98df4b12

SHA1
4e7153204c058835a38a3d784e2b667de2f2f285

SHA256
6bffd449b8df97eb444d282a0a94199e7e7b9e4b46ab554d3b3917d88972002b

SHA512
f05805e40b3ba796a8993425c20d5b37e9808f2d9937ef9381fedc2fbb61865424a2ff5193a5e6b8fcae6481947ce35fde93373e1d220d6b15f33524faf4b92b

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
340KB

MD5
cf72289256b780ba7daa7a11b1bddab3

SHA1
0ca932181e26e43fc0c42c3df98dac61586d318f

SHA256
06f254709aa0ad650acab6de07d3086de7e4087179aefc7ab4cae3fd8f9661f8

SHA512
89704e361f6f2a7fac864ca8e7af97a26e3705277dc71ba8b143adc7b17b21014dd169bc9fcd07c6163144ff66c35cced939235a6af81c17bd6bd7106ba61f42

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
340KB

MD5
59e09b4d298745c34387f6db2278aedf

SHA1
f545a23068dd71f98d7cf22e5a68efb0f4c62b78

SHA256
aedf375f00ae4299897435d5dd027e873b09c11663dcb25c25ed798be62a512a

SHA512
89552f6bb9147814ca65871d67342a5fdc8be02708153806fdeed4c84c9200ca73f270e696c2627048dfb71e94a19141ce38a2a51a95144b952b39f173af406d

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
340KB

MD5
8982a40925e6978a3233e9eb30a5576b

SHA1
b807f8df25fabac14bd2cd1ae7b32b20f691a91e

SHA256
b4dfafdc496c8c4905ce3ce36fcb08fcecc2d1f39ff7a67920a1c35887e0c3ef

SHA512
c3df104a10ae79bb2b21c8240e264970f192886e4025e2bc6e8653f8ffb4aead58ed4df855edee40a96507543c49204fe069da502b08a0e081b0197242df7aa7

Download Submit
C:\Windows\SysWOW64\Eblpgjha.exe

Filesize
340KB

MD5
3c6b7113ce8d63472a4bfefac7b6eeca

SHA1
70f8d0ab398c12e283ef222c5e63e307e200aa4e

SHA256
5e87a26f86fadaf2b1ed296edc53789438cce3b0232622a67ce51d2c4fa0fd27

SHA512
0a15f650c6238a7c12b2b4b2cec7fab992a00fb5c96cc4a3f78a97624dc95cd214a01bfe40fd5307166f03911c63d1f5c268f0050e8880f6e26316eb2af4ffe8

Download Submit
C:\Windows\SysWOW64\Ejfeng32.exe

Filesize
340KB

MD5
e96b01d4c496ebb14796bf5fdf932c47

SHA1
9cd4c873cfe5bd4359bdaecdc53f6c46493ccd81

SHA256
1d5fcca706d31acb505e2e17adc169982365b37f4ecc34e0802c5a5776e1e572

SHA512
fca9acd1e28350610141a547e97b56d3a0b1627c0ce4c1b0008708cb4531fb554f43edfc9756220cef0fbee445254da371dec13b010f307d0295251edec40a1e

Download Submit
C:\Windows\SysWOW64\Embddb32.exe

Filesize
340KB

MD5
950a7a0f79ffc5ddb8ca9e79861e2c78

SHA1
1cfbc827362df769fadbf85e60690c4c0a232b78

SHA256
55a3a0c401955b4b0bd779d97826095f26eadc99dc0dbb72b58cba4fa29e5af9

SHA512
1c89b9135a0087874d0bf643fe36ab2163f5ff95da1455356f4f12f688f74eb3374275059525d33e567d533b42d26a5874bd033a033b01c9cbb191a50dde2cc6

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
340KB

MD5
3fe813ceb0e39c95cfd71e7e315bfff6

SHA1
5bfb0e8b1dc7b3082a86a55d4005de06dc38fd28

SHA256
3fda208da7f892ee3ee68d0fa468f01a3ea377c7cac2394eabf59662426ed39b

SHA512
dfc8b1f4e5bcd07a8ce733d93e36ca1f12e10c7ee2dedcf41f2e87c8c0ec24403c1649115e83aa8f7606bac38960539798a327245ff81d1417a69aab2abe5ffd

Download Submit
C:\Windows\SysWOW64\Fbajbi32.exe

Filesize
340KB

MD5
38f6c9718d6114416c0bbba7c2d6cceb

SHA1
e899eb11659ac6290537888942e2f3645a7518ab

SHA256
ff5d5222f0e20970c137adb9b34ac2260e5eb8023c84367b6cbc929008d07962

SHA512
d5314524c106f44fe0a013b571c4a9440aec63c57fe4c7d2da44293c2fb2e3346aa8e80b4a2f8f8e557200ce897edaf645f904632ccdef2d84191e052df04b46

Download Submit
C:\Windows\SysWOW64\Fdglmkeg.exe

Filesize
340KB

MD5
61bf86cb64e2816c5eacc0512ce7bc15

SHA1
67dc6067c88f62760234234b58c0a91dfb7c950e

SHA256
aae7778ec80bd646a8307ee8c6b07a1654fadf445a81aab1549a5ef8e602ec70

SHA512
2243b328e2d7df33482012c0cbe0d29ff9862721fcb77d46aeb6b30cbec47efe02c750746fa6cbdc58515749b36256403758d24e9ac32b2ce66fb7b38e7cddc8

Download Submit
C:\Windows\SysWOW64\Ffaong32.exe

Filesize
340KB

MD5
ddd4eb2a281fc0a501b26672cf04faa6

SHA1
5386cf4feb4fb2ead93d82fdc7912d3e7e567da2

SHA256
784f1556f50350954d45c2a7ad6034c72bf0b7d0461b20bcdcca033aa05eb53c

SHA512
82f538e362a630b4937361e2b8e0027c1c171db48bb7852234fd20216db825588d9975dcb3c98f83b402494972e9a09f31c75ef74aaf4310fc1e788121c9d170

Download Submit
C:\Windows\SysWOW64\Ffclcgfn.exe

Filesize
340KB

MD5
c84b297cd8cd6990317e4af5c4f2d3d8

SHA1
321e99b08e2f870a4af9f9147441ecc70b46cadb

SHA256
a954eed226fca74968af2cbbed1144d3d69da773532d1bd2a8aac43a8c87d4d6

SHA512
461334da83753e1495bd6ea04634e12756b79dcad5eeeff276e7497e9c8ad6c47459ca9400a1cb9c1d87f5d9e567ba89bb4a34763bd0fd8000349ac5ece69a13

Download Submit
C:\Windows\SysWOW64\Fffhifdk.exe

Filesize
340KB

MD5
5dec5b047de813c9b2c434caee5c43c0

SHA1
a9e99c16b365edb64487fb76fef4c6452bb23bed

SHA256
93aad136bffe7042715b5a690b2f0445a4f48ca43e5813fb17acab69d7fd5afe

SHA512
f9689da70961fa93e797ce7ae24ebe7637bbb1bd9e8023ab8efd404b452272be53bbabcf12a15aa82e0080e59026f7d022fd9446db2f7667ea17811c6814115e

Download Submit
C:\Windows\SysWOW64\Fideeaco.exe

Filesize
340KB

MD5
bbc34ab97fe9554b858f53f804d9cab0

SHA1
6e0e1e2fdf09dfdc3313b61b89869b17826f7799

SHA256
072576ba571b710deb4fcc4735e0974d9876ab13c776af02c61e477782bee97d

SHA512
474d1f60e34805822dcd336bbc81830ab6eb3fb9701c637e48d3232604c67305e8bf11c3e10d6c377548066c424ee6a69a942ebbfc71a36208b43979e18a9872

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
340KB

MD5
a19375f16d820ae70c41199dea0a3416

SHA1
c6462840e9e0ebe4cc6aabf03a897d1c4dfc6a24

SHA256
882bdabb321f7cda8dac91a5b0d291579b9dfc5de2538e55b7183a0d3c955bbc

SHA512
356a7031bda7f2e3dd97982dca50a17c17124010409616ef6d60acc825fd7d4ce6ff8f665903a816f21cf6609ab549fd37c7d5e0f517a62193a5c1b522a3a4c0

Download Submit
C:\Windows\SysWOW64\Fimodc32.exe

Filesize
340KB

MD5
6a5fcb236c7ba4cac97d561773180462

SHA1
7f22c107c22358ca4ffe748131e72dd4beb205c6

SHA256
0f0e4954dc4fbf7f3f11f6bb8cce28672e1ffc36d0099cfcc8fab11df3bc8787

SHA512
0f0ce6096060972614196e523ae81c30426394397e1f2643ff1f7d84278f9342edd24907a12c756c3ce63468b9f357fb2a30099289ee1a6908f42291db260340

Download Submit
C:\Windows\SysWOW64\Flinkojm.exe

Filesize
340KB

MD5
0c61869fa9d83d920511fa61915ad3c5

SHA1
e700a7118f73f2f0c9a11c54dad0691e46a60735

SHA256
860a567f356994e2227890a993b324d5e3ec5e7e592df86f1dd2d325fa087f12

SHA512
827256f87bce11e3de982fc790b52d405f9f66a0c05bcd672d73d213b78b2e8bc382971d14f836e092d9d3b44375f107e537f3e53fafa64bbe8b44eb36f557ab

Download Submit
C:\Windows\SysWOW64\Flngfn32.exe

Filesize
340KB

MD5
72a143ac1888396aad79e8a2363760ef

SHA1
0d350f44754b6bfcbdbd0184e558d21a5bb55e18

SHA256
d90227cccfe2dbd7160a601bb704fe764f7fba13120aeaf63ba546f4c93e4946

SHA512
700e6021722fdc909a1efc13a8618107647cb035118f94dcf4371d04ed838b08f60d1a8b92d492b5c59039cf528326a3872dbeda519b3387bc72cc88693b127f

Download Submit
C:\Windows\SysWOW64\Flqdlnde.exe

Filesize
340KB

MD5
b079cbdf60a32914247a52ffbc9f969f

SHA1
d1913e053227fd337902ae6f93904436f002241f

SHA256
8834543793beb9c9f16237e083aecafcfe137891b2b1fee0b47f3e746b29fbd2

SHA512
9605508bbe1c6095b995268d51de0d1b721d120f97fb550080752f17c517501c060c92a4d9cafc9a562f95d4fb5ffdda24df5813590b655f0381a29110cca8c9

Download Submit
C:\Windows\SysWOW64\Fmndpq32.exe

Filesize
340KB

MD5
abc0439fc96c3cf81443450178ab2a88

SHA1
d59be5dc3a30e67c8195bfec487e8f43c2253412

SHA256
de6de839410ce67223558cbe80831d6bc9adc3c67989d31e05d13fd8b4f19fb1

SHA512
04e00b7f009186fabc9b9bb3f44ebc0bdec19c115d27b0503a3a7e7f979fe1ed1a2ac56eea847d0589334286a7128bcd55aa541647483b34116b28625dbbce93

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
340KB

MD5
b4576a49e80109cc8557ba2a0816e2bb

SHA1
f0d2c99162868964ae43300e52320e5bd5430d26

SHA256
87dfb6ab442a8e712f82a8d98f2fa07dac246cf6d5feb88fe0ecd88e976f553e

SHA512
737540c98fbce03443c83c00ea0eec5312aad12382104c49330dea5f762012fa3fb777b691d7401e9cf15952d67cab98e6bb54704709704292415f25537d6aec

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
340KB

MD5
374dada9eada293fd420236324d7350d

SHA1
481c5b0642b04c73bba9c324583104652a8ad1c4

SHA256
670ea9b1c1e26d0c064808fa492887618c1b72e150475b7efdbb46639a729be7

SHA512
1dedf099496d6ee8d903bad718a569e90ebc52e62aaa665dc18ed970f2fe013ab04ed1691b17205fe2fae43c201aee34af44b03eb319e72144f0292763502cb0

Download Submit
C:\Windows\SysWOW64\Gbabigfj.exe

Filesize
340KB

MD5
93dde16950fe0ccd165648dc0acd3ac2

SHA1
20e45a1f91c4e2c074ecad9f3c7b35d9b1353b5c

SHA256
4f7aa572da3ac7563295bc39d6abd2a9dd104ff5137b636e290a2f4d2e0c1e0f

SHA512
c7f197a61eebb5c4d752941c01661906cd7969ad580744d34f6673679e34c2b2b08539cb1d26f3be361814881853ddc398cf1f75d86a107dddef8e1a7040541c

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
340KB

MD5
ffd3b5451067be0efcd995320487fab5

SHA1
8805f06b5d299eeedd536c95988a0bff3e50b45c

SHA256
50e0b19547ff8f381e3c98730919770c896bdce91cd6f21d1b058d2fc3676d05

SHA512
b5b08b20b94bf53b5566def450204d1bad4fd2b48535d6992415f36d8f295e2a4273e03190952c1be92873982056782ef7443f3a80be494b03d709fe63b45e98

Download Submit
C:\Windows\SysWOW64\Gbofcghl.exe

Filesize
340KB

MD5
82ae738b0170930d0216a0e2c478cf4a

SHA1
9918c08da83ff15b9cbaf27a55ac3494a3ebf523

SHA256
4754901e4fc039e56de5b13cc1946164bc0a0138805a2e744186717d8da35184

SHA512
046adf6934a04837d750ccd9fc602c703a64fcba33dc1a97422ca0d3bcf9b0d31c8f6d9870ccb7cf4164a77597d414b58a419904ddf45dc91e6589d2a536cb9f

Download Submit
C:\Windows\SysWOW64\Gdjibj32.exe

Filesize
340KB

MD5
76fb21bfe9e219cd08a834543e38152c

SHA1
b355d07d65dd435ef47bd3ea7be809836dd1603b

SHA256
908380b45130b4e366ae4e6f6fc2fee377028aa7f8491c1a4b3bcf967490dfd7

SHA512
d2b3751ba319072d9593c5a73136e16f7bde7be723b2373b5ebd0ba830e87b97e27d99eeca2789829b67e28f531ace70b75b262845510e8eca3d1186a7210d75

Download Submit
C:\Windows\SysWOW64\Gdlfhj32.exe

Filesize
340KB

MD5
ceb07150f22a00d2d0ee67f051a1bc11

SHA1
155e66e7c23abdbe083acd209450ae88f053993a

SHA256
e01a2f82a5a8be72d72a0c6555b5208f08edbfdf277e21e25ea5df2ddeb64e35

SHA512
1991b92802f01a41791f79363c2ea89397a95fbb4938eb80c3b487172e929dd47f9c666d1a4c50ff3f0e7a0b9065157030de4e3dd182701c5f3ef845ccc08437

Download Submit
C:\Windows\SysWOW64\Gdobnj32.exe

Filesize
340KB

MD5
fb6d786601a79953e2a3dbf72e48e78b

SHA1
b28a4f2f857951fbb0031f68c383c7e9018d50c8

SHA256
b60cfe082d12fb2f9110a87b13d2ba44ed2cc01b6f1ebda8289b45249a8daf8b

SHA512
e94d72449051d55365c73830aa287a7ee13953859bb81057e1ddb1a57c9591c99fd552ec69eaf1ed46bd9886ab0997811924ccd868c3fb9ce2ae779e6c681b7b

Download Submit
C:\Windows\SysWOW64\Gfheof32.exe

Filesize
340KB

MD5
77465d4f9624f49df385c2add80fd28b

SHA1
5c38056c15ab64a0b1f82b67f5a24db96eba5a64

SHA256
58cc1f8052a013ba788183349d2fc82e440a2854d2055351f49bc8a043c4b341

SHA512
351d0fd5c8de70b5742e53f83e2d5a12967440627dcd86b9665e1374277b6e3dff8cafa94fd06805537a50555066309fe7e592bca7dd04993822648772f83153

Download Submit
C:\Windows\SysWOW64\Gfmojenc.exe

Filesize
340KB

MD5
1ea7eb77a9932f6b1198946b786447a2

SHA1
5196163313243aadb3bd0ef49cd15d19a5e797a8

SHA256
c38c01c1a748e05944a9442d11ad1a42701df2fea69a68d47f46017197ce46d2

SHA512
f37ec3b436accaab26e2bee5a41ea1c8491a4216cced14fef21d6028b437fd057b04ea336402b26424751998110e72055814d7cde4a702ee50d8069f41f94971

Download Submit
C:\Windows\SysWOW64\Gigaka32.exe

Filesize
340KB

MD5
7261e053895dc494c111e447e4012907

SHA1
50b936684e8228f11a0862bb99e47d01cb39358b

SHA256
5bd2a5bb5f1fda297531a3bc344ba7b8662d2aed4607030378d684af364f85a7

SHA512
8d2cd3f3845d22b27af9eaf2f051fee97f604d39e093130311b42f5ce514b39d934c954d63f515d4d84489601c0868a448fd595251ba54fc3ce85df1c82f7209

Download Submit
C:\Windows\SysWOW64\Giinpa32.exe

Filesize
340KB

MD5
74d0978e1315849db3dd6b05e010a9dc

SHA1
ecaaf2ee7bd4998b1795b5341225d98ee2ce4a70

SHA256
174905940460fca64a6c589b5a91bce5d3f0771a787f56ba2874d5b8618848ad

SHA512
9a40a12b979dc9c1d7c0a49d366aefa97bd21e521785b2f24793c50dba24e21abb560d3c567fb031459101048a656810068689d11b349c4ec8a34f4fe47bdabb

Download Submit
C:\Windows\SysWOW64\Gjfnedho.exe

Filesize
340KB

MD5
62ffe94fee6e2db5fd43ccf5ceadd3e2

SHA1
50a4183c8a7d82d08057308d98b279fade78cb84

SHA256
3de40a48e9b75c4cfc9b4e6cc5b3fea3718fbef49349f3109e0b812eeb606e7a

SHA512
ea64f5e042fc6c7f84f9927081ca6a08dd44fb822941493d2851b007c7dd567a6943f9ed7e898663a2a935e862954607dabbffd46fd558f41001f67dff9778d9

Download Submit
C:\Windows\SysWOW64\Gkhkjd32.exe

Filesize
340KB

MD5
9d7d1e0cb02bedbdbe700190a385f9ec

SHA1
87f369178c9fac314ee24d40f0a1568bb989f5df

SHA256
ae140ffde69ffb8326c539f8a6d6960c1f40a2cf2b40c676e6564255a8cd423b

SHA512
9750e22f2b1638a06b885d4669c65af66f42988e1ddeef5ff09c86520c10283364655db17558c60a8ba2b1d5860853beced24cb19b481d6a123b19b36b754fa4

Download Submit
C:\Windows\SysWOW64\Glcaambb.exe

Filesize
340KB

MD5
66a0e86a2b2a0eaba27253e7338cc001

SHA1
b3bfb7dc278b2f4d9752d1b99ab9819fb5d1cf43

SHA256
cdb9ee4bb953cdf484c235d58252b9c6f1f405cc281e1221428bde9a7043982a

SHA512
6e69170437a76322fec37369fa888de247e917571973c695595bdee8bfe1a358a57b44e760d1ca9f583b58e0a7d7d2b43591d8e0f9b4e9d7eed164920109b968

Download Submit
C:\Windows\SysWOW64\Gldglf32.exe

Filesize
340KB

MD5
b4281292dac2e87294e62e9b6aae837d

SHA1
0e045099db2600fd470640d7bf4cd29d7a583e51

SHA256
2a3396e27526b7cfa1d9c2029806c2f2930451655236c3302bfc8548aecbbda0

SHA512
5f6d096463c6e8dec09d8d6185aa02ae1ffea1bf80a65f59a3a6b85d3e3f4485825b4c8a4d9f8d429aa3e452a6be646117228531a9d8e91d9f4c85b9b2389fff

Download Submit
C:\Windows\SysWOW64\Gljgbllj.exe

Filesize
340KB

MD5
5f985b4602ee376169929a4e9fe5aa19

SHA1
7546551e9c12b7fdccfefc211d1f4a31cba90b79

SHA256
4a4d8905a35f0f6e9643f8d311f9c3e2d5e096f8af515bf8a4fe9f4cf11ddd39

SHA512
13ec22d327c709cd26861ee7be884b8277eedb5fe23488bf775c88122c24f9c7388925ad93f079a0fef7534b2b5a84c5e0ce6e3053d4dea64f59a07b457c1120

Download Submit
C:\Windows\SysWOW64\Gmbmkpie.exe

Filesize
340KB

MD5
9a3292929203a93c0dd3d3a6b99793dc

SHA1
a43bac81f91ab7802c1b5869c610c37c19d7af2d

SHA256
bcfad5baca10ab811467ec512cd85bf8a3ac9610ea7e1c3bbfdf4aa0239e93fa

SHA512
55a747072f6e1c84a33a2796b8c1ad05950d61889d2cc120b968a5a103b33facba49531730c84ae346e31324094f2aabdcb6cf84356efc89f10a402bf7f24d86

Download Submit
C:\Windows\SysWOW64\Gmdjapgb.exe

Filesize
340KB

MD5
eed975856eee29c79046f9e9547950fa

SHA1
b02ef6ff45f4f623265049c52b72c13bf386e39c

SHA256
37114b0bf46777bf8c817ef18f10760b03a1e8e7f3db567eccee31d31b404dbd

SHA512
9fd6292020917833ae95d8b90ca75225676533b46206c5705bd1e593df391421a6db5bc43828f62ba94e9d83ddc96403e567b1fe4a3d712413683d4560e68f80

Download Submit
C:\Windows\SysWOW64\Gmggfp32.exe

Filesize
340KB

MD5
0cbdfa139c3aafe6db83bc8cfb00c5c3

SHA1
32a51619e225ab016479770121154cc8add5eaa2

SHA256
0fb6b02efc4043f26584d75a0baa6e58dd898b09d2ef65c4b40081083df2924e

SHA512
30a4dce9d65c94aef8d1e94d32b90c667c4324116a488525499542b5db8abe31cc7c440f27d74e0b5e0bb476e27e674ef130f79effdb76f7e77275617a836c49

Download Submit
C:\Windows\SysWOW64\Gpcfmkff.exe

Filesize
340KB

MD5
3b2338e6c08d2c340cc0974b6d4ac416

SHA1
6e2fe43e19cf64a31f8633c10937201f0410524f

SHA256
1b24b189d9ee1f79a4717ac92404a4ac305d37f598763fed1c3c6bdfb153f346

SHA512
dba8565899a904552ca89e43fe690c9502dc14a6745805aa704181e532182510837db4ccef53d05c04e2e711d10f7a2f7d781179f6d3cccd643a20c1d432d19c

Download Submit
C:\Windows\SysWOW64\Gpqjglii.exe

Filesize
340KB

MD5
aa9cddcc1e821b6a90b41c2f121d4269

SHA1
08872268a62d8f5ccca2c274d08544884fb364bf

SHA256
ccf96c5b60a31ad6b12544c2e5c803d6cd67db572379320546298873e50774ba

SHA512
7d7c780a31f780bae67c40848c9902c233255ef87818dd57ab21599dbc1da9ae43d1a61413ef67f7da997f77fd6624718c80a4c228eb06e773981d3ffe7bce56

Download Submit
C:\Windows\SysWOW64\Hpiecd32.exe

Filesize
340KB

MD5
52cf138a6aa360d47f0bb46bb55c0c3e

SHA1
15a1d50e222ce72b7eba021a1c16e8eec229ecd3

SHA256
da664829d7ca6b9747179a040ba6ea593ae8883f3e1236c188bf2d04d442c931

SHA512
4db756f8aadf8bec3104c53668f7cd7fe9fa0a1c2fc8635606f941fdbf5d807bfbf1f4e5473351cbb10a9b3a739c9a9d0fbedd27ad127476cde74ac6bc27ec49

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
64KB

MD5
bc251930a84aa681b6de2d247cf8990c

SHA1
3b4f583fd631ade369dc013f11f38a99fdf50d46

SHA256
4ba12e6a3a58b41bbf1f9a598e043254dd062d66cecaadcd1e62344b4cc771b4

SHA512
b9ee777d56f01a64f8997a271359a903ca6f8aa032efe743c2034c65b036e5bb0ae8f2e65f9bf5da87577764e2cc37bd8eb321d22f9a6dfd03ec08f59bbc4b00

Download Submit
C:\Windows\SysWOW64\Iidphgcn.exe

Filesize
340KB

MD5
959c5968f7c547a0371a29c2507c5836

SHA1
302797ba1fed73b500289777dd4d972b97552c1e

SHA256
58749d81aa8462b71df700cc89c2a3e087df0cce972bfec69cd33d7cffdac104

SHA512
17461e912d3d1582e05e9ef3dd0c61bc70221dc6a2e10ab6bd151f79ed4ff05720acecb392e094c13fcb2bd28ddb07a543d48abb6506b71d2227f31a3bcfec6a

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
340KB

MD5
70016786659714b2739b12aecc77bd29

SHA1
4e9d333fa1b3ef4858449051133ed62322d5949e

SHA256
8ead39f6834d6366abc55145a620cde8488bca6cff659c2c706f48453f6846af

SHA512
efc5aaad4e7949423007361621665ef22299d3600a9b957da45c029e78993f8da02807dca6346a99189e18173b0cea13978b02121106c74eea856f0a7051714a

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
340KB

MD5
aef5cbfb4bde83903b216944321352e8

SHA1
dfd835bff6c9bba753a1edbadf402c7f09e28b14

SHA256
d9d350cc796793d9e83d54e1f898758d93988664ad2eb1ef7bec321659292b5b

SHA512
70df88cf55ceb5a6186e68ca60d72e07b80b882de9bfc855f81d7ee85eb2220df837358fea186ab85644d6170b75e2f1006ca4cc133111df0b5f012420404f18

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
340KB

MD5
0944abc0c10402cd1a0117d887184207

SHA1
7f878074c595d4a0f9fd802ea78a426dd8afd175

SHA256
514f78a5a915f6388ba7c2d5ec70f6e921cf484428c804873a65bc1c9d5e388e

SHA512
7fc585f4c0715d3b7a8f3f09f0a223e892c0973d7eb1babdcdb8ffae06746817ac5a0a08a610f36be226444b4df6827870127768e799b3454573edcd57d32a19

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
340KB

MD5
ba1de5f00feb4cb7d914710bd17bbbd6

SHA1
ebe0be62c97e75080fa0eee7e32ab314c9f23c41

SHA256
4522d56bb7d9ca72a92d9014b2621d6d9af53669814d6e122de62ea2a30e81a4

SHA512
f347293ad586b15ce66e9a5981b44da6a1aff15a8e39d31c31b6e5633f53df91f1bce18f0ec74b59fae8bb299fc02ebee64a978c641b4a3b93f69eb79f407838

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
340KB

MD5
0c9094ef930f63d1a620b907ee828a25

SHA1
a386d9d326699a6ba662343039cf6ee838cbd5df

SHA256
34ef80691818584795954bb1d000a88688d559d291574ef9f00f04cf550b9f04

SHA512
00d5fa2f1ae13fd0ff35f8c94ac7abea591340cad0ebc85c9edb69bdf182244f4f57d6b4971c993439c73cc647be156fb3000055ae7b63c7abb6703e2727e6bf

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
340KB

MD5
8d2ac41693b11d040b9de877db01cf14

SHA1
25ff120c5bc1e62c328394273967caecb44b020b

SHA256
c4200395d4d7432d5026816d1798b25a7cad968d7c9b6a90c1ab30b8c676f25d

SHA512
5699abe914baf580552205e207d6482fd648b022475db0d1ff4773d94170b0268ee25122c58d7615f7deaf1b6d5c31c64db11cab0791dc05bc82db5c748be4bc

Download Submit
C:\Windows\SysWOW64\Lhnblp32.dll

Filesize
7KB

MD5
e57092f20ae42d9a7d4fef42cc63075c

SHA1
7fe50ba0bcc14722ea69433611147b374a32f1fa

SHA256
a117acbfc303e372bcdae11381e09a2a102f87e7186265bfeee043e9ff93f04d

SHA512
039bad92cb3370d5f4245148b47df403fab253d393ecf35347e1c64d01f63134e651a7aa5152f55fa3839af1048045f90092bcef9c3eda469c2c9f5e8115ad1b

Download Submit
C:\Windows\SysWOW64\Ljclki32.exe

Filesize
340KB

MD5
fd6fd8e4f6b4ffcabe517851625b77dd

SHA1
e00b145d0cfad6fba7ce4a37f9e6a4b9d0e684ca

SHA256
e789c21c9e4a7ff590d992fca11814f761749a8928a71a1503e52b599a4f0f67

SHA512
8ab5b3c5384a9e594487a92f3b675936ae47ece99dc9d56de1600d4229078f07c3a850189896d470ee665d85b32e7baa58f81ff3d5e440c6c51ae430ba02ce2c

Download Submit
C:\Windows\SysWOW64\Ljhefhha.exe

Filesize
340KB

MD5
debeb528ff7d2da8d2d9648a6b7c90e8

SHA1
07b078ed64cd766b347c261ca2afd92b7495bb31

SHA256
117f1e332551c35e3a2b22bde06f673d7fd5cc80d84afc710d4689203053e370

SHA512
353426cf9d3fb1585c0cb62bbb190765dc7d80eb2c38a1522938b41fea7b0b9d166935516e519e57d9221d22924f1ce9013d401038e5165a9f0df4a5189792f8

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
340KB

MD5
16a4835019ef4ecefe4df9948dcfe7d4

SHA1
144010c8779a7f9894e1dd6dce160f61e58c5c0f

SHA256
9d46cdda3a44d24f6bff465a95631d7c5b4a60e93ade786842b9cb7de7dc8106

SHA512
1524e07dad6cc4c78ab7401ba337b5948d98bb32affba87a3c60b321f9897b4934c06bc30d0d6f72708ffb34a14bf612cb32b878c71a9ac6fb82dd3936ed6504

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
340KB

MD5
ce9348ac3fad8044dd3b81f9d84021de

SHA1
800173b69871cd4674cbe580d36686e6c8fd3857

SHA256
91348a4c1cd34e7eb083a62a2078006c088cfdd13a9b1382ef40e1b450a3cb8d

SHA512
09592fae1b4c80e47a55c552feaab333243e529a0c903339ab6477d28c593ed8315aac9a48c0e0de4b544d20e8427320696be07da9e9b0d16f4b5c92457f804c

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
340KB

MD5
f8ba8ad484c736c399e479bda5751d96

SHA1
c3dc90bed3ef4387780ec643df3c5cafd801dc7e

SHA256
be3156d7dabcb7adff0536d936a7076ac853b25afe3773b011e6e29bdc2a626c

SHA512
3fe6b80f85318c4eb2714b48b87479b529626e999cee3bbf57a8d32519e78b0ec4d3467fabb634776d8d76a593619a9db39523c1563ed6943d32636748871ce1

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
340KB

MD5
7ef7d9040f75e5c1f9b7cdb7945b5ef4

SHA1
3ecc5351fa771497b44f6097eb2179c0c9604a3c

SHA256
504f3af2c1cbd43cf1f1d2ffca5d12a143b797130179b69d9d9bf2af926cd362

SHA512
a5bba8403ec712e82fde500146946668c9133a9f2892db6d703f8277be5bcc66d8deb9d43ab04be16c2ce38aa76c0e3ea3e7578a2f38cee239f565dde001af99

Download Submit
C:\Windows\SysWOW64\Madjhb32.exe

Filesize
340KB

MD5
667fc1cc3d236f057bf2c2863590051a

SHA1
902225e2eae24fc20a7ebf304bb87a4b9713695f

SHA256
6d5121df0b25ffab54bc9ee2067353edc2c2639ec960966fef2e1e1eb407386c

SHA512
12922620caf00a1a3d577959d759ffd53ef804de683582de55281a17cb6d2efab0f21b5025dee511a28dbfa49e2e8588d9a92a7277e3600c4be620426a4a0b9c

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
340KB

MD5
152c67fd771532b2160658a39b1466fd

SHA1
d9dc62067ed4e69beb5927939f63ca1375127ee7

SHA256
3aca333f0839312e2d3b04b9eeaaf16305d3251321a93a5ebdbb11edbbe27d17

SHA512
7e20bd3b3775f592334fe20bf413f13ef2dcf2bf50dffb068111170234e482ae94eb7ae0335dd965f7f25252b5301db4e5680c413dcc27b56e2e7f95c2f8c359

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
340KB

MD5
5c29e9f75a653635fdf3d953aa68402e

SHA1
f8879be13617b38cae7ac43849f123d9ecc102fe

SHA256
e71113e07dd961537887dbd5c506a09db856f0181b48852d8047eadd1bf703cc

SHA512
a0596f92c35743b97b889fca23cdb0f3cddf4d0003b9de5d0e4c316066b15935a2262d1a4ce5067e4efc199ba92c51c2706e1990eb615b7a912b5319ad212e88

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
340KB

MD5
5ebb4ec8e852effd75f7de1b0a638d81

SHA1
f12001052418be2583c9ade718f8574a0b713380

SHA256
127aa84ca72a41fb41ef6939cf345edcc5d17a06d2118289d627643f3055b72f

SHA512
2e7cd05716e480fc760dfb22242eaaae6c5db6be947d0d1c50b94d689667b18306e9156001be9bdbc4ca5ff2cf24e769c90aadb3f0189ed464910d36100c2cde

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
340KB

MD5
8a7440055934772835824c822dc50710

SHA1
239b55b4fd73cded9970f8376c565db019953090

SHA256
312ebec89f36f23e07ad96ef3fbd8ae06756dc23d3c307d9b5a2750d229575b6

SHA512
efb4ab183b64afa9e75ce71a94ec19f18b95f8209e02d772686a7e311c0608f5ea52ae931cb1d4411563b674845b8ef54aec542c893e6aba173928a60acd43b4

Download Submit
C:\Windows\SysWOW64\Nhahaiec.exe

Filesize
340KB

MD5
113c1181c8deb65303dfae22fa18b9e1

SHA1
43bbe712e03f330e3b224f6adf7254601a3a9676

SHA256
3dee69a8151ed112e5c402ac3dd320d93e74316261bea40a9edc0fec5ebf7d25

SHA512
42a985e74365925789de965daf1e4185c90c251a15e6177304393415b1645db4e47f4e42a03d793e193975dabed7b8bb4bfc2838d565bdeea7e68f8e815d31aa

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
340KB

MD5
51c103bd36734b2c0f6c32f7ae29d2fb

SHA1
43c7f8d8a81769ba81f04fc6d15cf457010d0586

SHA256
0e6465f6578878360d13ecd921e95ca334c10268e68c565ec6d069327629731f

SHA512
59370e2e1d848768f802317ac0d8db489929c894041a163baf40cf4912c37432800012a899e3c8647176103b011ee2b48e55b0e4932ddfc254701965cb72411c

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
340KB

MD5
9c46b0ce6327e527f58a6b06845bfd97

SHA1
0f325e37bd974524a844f2fa257a93d9b40ee4df

SHA256
00dc8b2fb2031d5cf3a027f5299cbd93731abd18cabbb23b1777ec2b53e392e1

SHA512
86a70db0269a6c2585c9225306fbf96baf812802a8d826d59775dd1e0e8206ae34fb4b6fd02f3843586cc7ec21c3362c8e413e0af11f9b6bc8e1754628ff3179

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
340KB

MD5
8e5b66dee25cea61acfb39e056c07745

SHA1
ab18dc10bad7083f601baefe845fcdab80243d9c

SHA256
751f6f39760a630a2b0c741458e59fa47f7034564a4169e8d5d41f025a4c4e1e

SHA512
aeb320f78629848cba86090d42da419abf60d8dc9669613c4335764a3ca9817f49730e9a363614b778c7335650c7d64b0122f2ab3908dfcc2a21378a8bc2e21a

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
340KB

MD5
de6c10bd221f181f2203686acdbbc2c3

SHA1
75083e8c9b739eb7209fcba0d953a630ba986d6c

SHA256
c88333c6bc6ec773b9fc88c27a4910493b7124accaed1f42f0ebc162caf7dcc6

SHA512
d93c088cae06694a687c1a2a32c7e022abc84f5653f91e3ac440761f8931ea482ac55797a760714b4cc77cef452b9aaa64a1475370d2befbea1e647f7731117a

Download Submit
C:\Windows\SysWOW64\Oelolmnd.exe

Filesize
340KB

MD5
31ef8d892f0cebaf43808cef7ff750a5

SHA1
cc81599df66b2f53b37f70b63508f675ec5713f1

SHA256
1005dbc10074ad47dc7d32153ead1cbdcffe94d9f2cda6fa72eed1b444cddadd

SHA512
f4fb3e0c7cef2daf6254345237574f2d12d6a071dc22a6cba1c3f1c1bfb7417a1785b4e259ce80c751d3c363694d34ba6ed37fb7256a759df6fd5b4c34271879

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
192KB

MD5
10b1342dd19babfcb222ac368e52333e

SHA1
70ac192914adf927cfa70f5163dfa5fec484f454

SHA256
bc50be2d06b9979d778bd7a0fc7e7a1ae6e9b34d96358e37fda01b0e4a1dbdd8

SHA512
b88a0c808d0fc6230d87ae25e57e18e7438092238c49da5362b40282de97d56371d79dc72775fbc288504fb4e63e2e07f44dfbafecf85cddc1d89470e5c9cd99

Download Submit
C:\Windows\SysWOW64\Pkegpb32.exe

Filesize
340KB

MD5
29062cd516e8f1d2ddd143789db26cd9

SHA1
325eeeeb362fa0cf82f9fb50f6096085c2b0e35d

SHA256
29fc148cf35abddae6faa889fc8d5b81023f5ff936e6c15903c7cac88f58313e

SHA512
977d757e8e58e26ab9f07b76e687e89668b7c2c4bbf195fdbccd92acc0d2384b25fe10b13ad32750ec5117ca5f1729b143f0020d0c7c082cf40eec87e8dbe862

Download Submit
C:\Windows\SysWOW64\Plkpcfal.exe

Filesize
340KB

MD5
6b360716286a897147fe3afd96eabce8

SHA1
2d3c84abf260bdcb6899a59bf596c96102212c44

SHA256
563c45aebf36d85954b76517fb7a192b09c18f1392959d4ddfdbcbdb9d203b8e

SHA512
bf6fc5689f9ae438515bdc3520f63ba2bdeab7105a3c9aba92adfc4ff72f8a2de65a624db6e74fd5033b95b7480328127a435cf7e675e1ebcda0ef36617f93c4

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
340KB

MD5
5d2858618646b20b0a5eb5dfd858dacb

SHA1
960febfd9d4b4ad37f5f2e0b3baf0f74d3101c83

SHA256
463a688f5139526ae7bfdf649a1f7142a7cef86e74df6e18702778bb4c09095d

SHA512
250a4edb5a10e604a9e057f13fa4e2c8150239ceb9d7248b8b40df64aaccf66d85ad7a7d85ce6bed6eb99806ebe37c708ca366de911486df97b6f8676ef476eb

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
340KB

MD5
ccef034030625e1b4d28e78a843fd203

SHA1
5cf3c240a317f1125e45ad24d00569216b65e54d

SHA256
43404db1de41e53eb0bb84d9aba7bf2a974353d54d941f8a35a25b7d6f6685d3

SHA512
deceb2aa179a82b0afbbf99a327fa3775a74f1147033892c87c906521c50ff04d98b9ebd9e2f18838683e89323e9c75aeee5f515b39b980d95f715efb7b19275

Download Submit
memory/400-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-563-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/456-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1316-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1492-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-537-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-597-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-101-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1844-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1844-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-555-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2312-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-525-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-531-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-513-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3372-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-569-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3744-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3772-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3900-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3988-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4036-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-583-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-550-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4664-543-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4768-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-557-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-576-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5148-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5196-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5240-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5284-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5324-599-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads