berbew | 7a65ea84978d653141d5fe65a05f59831cd7be417ae8c630a4e584647e92b35c

Analysis

max time kernel
148s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_007bfeb463de9ebee397b8e85562845b.exe
Size

434KB
MD5

007bfeb463de9ebee397b8e85562845b
SHA1

f55bb54a6341511aff404ffa98efc0bc1681c9f6
SHA256

940b24e2c55de6aa6ce0b5ba3e5e9b2994062f6003f01314b97cabc9d7151d0d
SHA512

215ba1e5134da92b94f255c2e16567ba6b099efdc4cc1b0ae2c3836b6b2fde28522cc3bd61b21371ed8b7e750c8125c61eeaffd9ea6b64cd20d66423eacc4bc4
SSDEEP

12288:HZxDmOQjkMmVY2gsvmQjBImVYymVY2gsv:L9Y2gsHYNY2gs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdehlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khabke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidfpki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iencmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hegmlnbp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4664	Fnbcgn32.exe
2208	Fqppci32.exe
2504	Fkfcqb32.exe
4828	Fkhpfbce.exe
1216	Fgoakc32.exe
1980	Fniihmpf.exe
4708	Fbdehlip.exe
1256	Finnef32.exe
3800	Fkmjaa32.exe
4612	Fbgbnkfm.exe
4960	Gnpphljo.exe
2656	Gejhef32.exe
744	Gghdaa32.exe
4820	Gpaihooo.exe
2964	Gbbajjlp.exe
820	Hecjke32.exe
816	Hbgkei32.exe
4180	Hicpgc32.exe
884	Hbldphde.exe
4836	Hppeim32.exe
4452	Ipbaol32.exe
3540	Iijfhbhl.exe
4448	Iafkld32.exe
1512	Ibegfglj.exe
684	Ilnlom32.exe
900	Ihdldn32.exe
1904	Ilphdlqh.exe
2256	Ibjqaf32.exe
2148	Jifecp32.exe
2372	Jaajhb32.exe
4396	Jhkbdmbg.exe
1940	Johggfha.exe
3068	Jojdlfeo.exe
4552	Jahqiaeb.exe
3752	Kpiqfima.exe
2796	Kheekkjl.exe
4200	Kplmliko.exe
2248	Klbnajqc.exe
2392	Kekbjo32.exe
4848	Kcoccc32.exe
4140	Klggli32.exe
228	Lepleocn.exe
4544	Lcclncbh.exe
252	Lllagh32.exe
1616	Ledepn32.exe
3076	Lchfib32.exe
3280	Lakfeodm.exe
2880	Lckboblp.exe
2300	Lfiokmkc.exe
3568	Lpochfji.exe
880	Mapppn32.exe
4920	Modpib32.exe
4256	Mcoljagj.exe
1860	Mlhqcgnk.exe
1636	Mofmobmo.exe
4672	Mfpell32.exe
1092	Mohidbkl.exe
472	Mhanngbl.exe
3796	Mbibfm32.exe
3252	Mfenglqf.exe
3712	Mqjbddpl.exe
4872	Njbgmjgl.exe
1140	Nmaciefp.exe
4868	Nbnlaldg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajmladbl.exe	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Mpaifo32.dll	Hannao32.exe
File created	C:\Windows\SysWOW64\Mfmeel32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Qiiflaoo.exe	Qbonoghb.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Mlkhbi32.dll	Iijfhbhl.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jhkbdmbg.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Pjoppf32.exe
File created	C:\Windows\SysWOW64\Amkhmoap.exe	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Dfbjkg32.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Fbdehlip.exe	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Ilhkigcd.exe	Iencmm32.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Gkoplk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Hgapmj32.exe
File created	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Joboincl.dll	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Aibibp32.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Glbqbe32.dll	Gqbneq32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kehojiej.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Qcnjijoe.exe	Qapnmopa.exe
File opened for modification	C:\Windows\SysWOW64\Bmidnm32.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Hgapmj32.exe	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Obpkcc32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Lepleocn.exe
File opened for modification	C:\Windows\SysWOW64\Gkoplk32.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Hagapc32.dll	Gglfbkin.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Iokifhcf.dll	Jifecp32.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Keceoj32.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Njjmni32.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Madbagif.exe
File created	C:\Windows\SysWOW64\Lckggdbo.dll	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Njbgmjgl.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Finnef32.exe	Fbdehlip.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jjnaaa32.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Eeeibmnq.dll	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Fgoakc32.exe	Fkhpfbce.exe
File opened for modification	C:\Windows\SysWOW64\Bkkhbb32.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Cadpqeqg.dll	Iencmm32.exe
File created	C:\Windows\SysWOW64\Jbncbpqd.exe	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Iloajfml.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Iafkld32.exe	Iijfhbhl.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmbegqjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheekkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbgbnkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbajjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiqfima.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qapnmopa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjkbnfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqppci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johggfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbphglbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkefmjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjhkmbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdapehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkklk32.dll"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokifhcf.dll"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lepleocn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaifo32.dll"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldaec32.dll"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnecf32.dll"	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahhgi32.dll"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjiib32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	virussign.com_007bfeb463de9ebee397b8e85562845b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jahqiaeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4664	4352	virussign.com_007bfeb463de9ebee397b8e85562845b.exe	81
PID 4352 wrote to memory of 4664	4352	virussign.com_007bfeb463de9ebee397b8e85562845b.exe	81
PID 4352 wrote to memory of 4664	4352	virussign.com_007bfeb463de9ebee397b8e85562845b.exe	81
PID 4664 wrote to memory of 2208	4664	Fnbcgn32.exe	82
PID 4664 wrote to memory of 2208	4664	Fnbcgn32.exe	82
PID 4664 wrote to memory of 2208	4664	Fnbcgn32.exe	82
PID 2208 wrote to memory of 2504	2208	Fqppci32.exe	83
PID 2208 wrote to memory of 2504	2208	Fqppci32.exe	83
PID 2208 wrote to memory of 2504	2208	Fqppci32.exe	83
PID 2504 wrote to memory of 4828	2504	Fkfcqb32.exe	84
PID 2504 wrote to memory of 4828	2504	Fkfcqb32.exe	84
PID 2504 wrote to memory of 4828	2504	Fkfcqb32.exe	84
PID 4828 wrote to memory of 1216	4828	Fkhpfbce.exe	85
PID 4828 wrote to memory of 1216	4828	Fkhpfbce.exe	85
PID 4828 wrote to memory of 1216	4828	Fkhpfbce.exe	85
PID 1216 wrote to memory of 1980	1216	Fgoakc32.exe	86
PID 1216 wrote to memory of 1980	1216	Fgoakc32.exe	86
PID 1216 wrote to memory of 1980	1216	Fgoakc32.exe	86
PID 1980 wrote to memory of 4708	1980	Fniihmpf.exe	87
PID 1980 wrote to memory of 4708	1980	Fniihmpf.exe	87
PID 1980 wrote to memory of 4708	1980	Fniihmpf.exe	87
PID 4708 wrote to memory of 1256	4708	Fbdehlip.exe	88
PID 4708 wrote to memory of 1256	4708	Fbdehlip.exe	88
PID 4708 wrote to memory of 1256	4708	Fbdehlip.exe	88
PID 1256 wrote to memory of 3800	1256	Finnef32.exe	89
PID 1256 wrote to memory of 3800	1256	Finnef32.exe	89
PID 1256 wrote to memory of 3800	1256	Finnef32.exe	89
PID 3800 wrote to memory of 4612	3800	Fkmjaa32.exe	90
PID 3800 wrote to memory of 4612	3800	Fkmjaa32.exe	90
PID 3800 wrote to memory of 4612	3800	Fkmjaa32.exe	90
PID 4612 wrote to memory of 4960	4612	Fbgbnkfm.exe	91
PID 4612 wrote to memory of 4960	4612	Fbgbnkfm.exe	91
PID 4612 wrote to memory of 4960	4612	Fbgbnkfm.exe	91
PID 4960 wrote to memory of 2656	4960	Gnpphljo.exe	92
PID 4960 wrote to memory of 2656	4960	Gnpphljo.exe	92
PID 4960 wrote to memory of 2656	4960	Gnpphljo.exe	92
PID 2656 wrote to memory of 744	2656	Gejhef32.exe	93
PID 2656 wrote to memory of 744	2656	Gejhef32.exe	93
PID 2656 wrote to memory of 744	2656	Gejhef32.exe	93
PID 744 wrote to memory of 4820	744	Gghdaa32.exe	94
PID 744 wrote to memory of 4820	744	Gghdaa32.exe	94
PID 744 wrote to memory of 4820	744	Gghdaa32.exe	94
PID 4820 wrote to memory of 2964	4820	Gpaihooo.exe	96
PID 4820 wrote to memory of 2964	4820	Gpaihooo.exe	96
PID 4820 wrote to memory of 2964	4820	Gpaihooo.exe	96
PID 2964 wrote to memory of 820	2964	Gbbajjlp.exe	98
PID 2964 wrote to memory of 820	2964	Gbbajjlp.exe	98
PID 2964 wrote to memory of 820	2964	Gbbajjlp.exe	98
PID 820 wrote to memory of 816	820	Hecjke32.exe	99
PID 820 wrote to memory of 816	820	Hecjke32.exe	99
PID 820 wrote to memory of 816	820	Hecjke32.exe	99
PID 816 wrote to memory of 4180	816	Hbgkei32.exe	100
PID 816 wrote to memory of 4180	816	Hbgkei32.exe	100
PID 816 wrote to memory of 4180	816	Hbgkei32.exe	100
PID 4180 wrote to memory of 884	4180	Hicpgc32.exe	101
PID 4180 wrote to memory of 884	4180	Hicpgc32.exe	101
PID 4180 wrote to memory of 884	4180	Hicpgc32.exe	101
PID 884 wrote to memory of 4836	884	Hbldphde.exe	102
PID 884 wrote to memory of 4836	884	Hbldphde.exe	102
PID 884 wrote to memory of 4836	884	Hbldphde.exe	102
PID 4836 wrote to memory of 4452	4836	Hppeim32.exe	103
PID 4836 wrote to memory of 4452	4836	Hppeim32.exe	103
PID 4836 wrote to memory of 4452	4836	Hppeim32.exe	103
PID 4452 wrote to memory of 3540	4452	Ipbaol32.exe	104

C:\Users\Admin\AppData\Local\Temp\virussign.com_007bfeb463de9ebee397b8e85562845b.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_007bfeb463de9ebee397b8e85562845b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\SysWOW64\Fnbcgn32.exe
  C:\Windows\system32\Fnbcgn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\Fqppci32.exe
    C:\Windows\system32\Fqppci32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\Fkfcqb32.exe
      C:\Windows\system32\Fkfcqb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        26⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        28⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        29⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        31⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        38⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        39⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        42⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        44⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        45⤵
        Executes dropped EXE
        
        PID:252
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        46⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        47⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        48⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        49⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        50⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        51⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        52⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        53⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        56⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        57⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        58⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        59⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        62⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        65⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        66⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        68⤵
        
        PID:112
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        69⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        70⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:932
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        73⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        75⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        76⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        77⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        78⤵
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        80⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        81⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        82⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        83⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        84⤵
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        85⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        86⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        87⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        92⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        94⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        95⤵
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        96⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        98⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        99⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        101⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        102⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        103⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        104⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        107⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        108⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        113⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        115⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        116⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        117⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        119⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        120⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        121⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        123⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        124⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        127⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        130⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        132⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        133⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        136⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        137⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        139⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        141⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        143⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        144⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        145⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        148⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        150⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        153⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        154⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        156⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        157⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        158⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        159⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        161⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        162⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        163⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        164⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        166⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        167⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        170⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        172⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        173⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        174⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        175⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        176⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        178⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        179⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        180⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        182⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        184⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        185⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        186⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        188⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        189⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        190⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        193⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        194⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        195⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        196⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        197⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        200⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        201⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        202⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        204⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        205⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        207⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        208⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6864
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        212⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        214⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        215⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        216⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        217⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        218⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        219⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        220⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7240
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:7276
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        223⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        224⤵
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        225⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7464
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        227⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        228⤵
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        230⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        231⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        232⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        234⤵
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7792
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        236⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        237⤵
        Modifies registry class
        
        PID:7868
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        238⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7940
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        240⤵
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8012
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        242⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        244⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        245⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        246⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        247⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        248⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7320
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        249⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        251⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        252⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        253⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        254⤵
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7708
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        256⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        257⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        259⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        260⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:8116
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        262⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        263⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        264⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        265⤵
        
        PID:336
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        266⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        268⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7744
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7968
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        272⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        273⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        274⤵
        Drops file in System32 directory
        
        PID:7328
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        275⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        276⤵
        Modifies registry class
        
        PID:7692
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        277⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        278⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        280⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        281⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        282⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        283⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        284⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        285⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:8316
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        287⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8388
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        289⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        290⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        291⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        292⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        293⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        294⤵
        Modifies registry class
        
        PID:8612
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        295⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        296⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8724
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:8760
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        299⤵
        Drops file in System32 directory
        
        PID:8796
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:8832
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        301⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        302⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8940
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        304⤵
        Modifies registry class
        
        PID:8976
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        305⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        306⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        307⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        308⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        309⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        310⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8200
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        312⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        313⤵
        Modifies registry class
        
        PID:8304
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8376
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        315⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        316⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        317⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        318⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        319⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        320⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        321⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:8912
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        323⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        324⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:9112
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        326⤵
        Modifies registry class
        
        PID:9168
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:7948
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        328⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        329⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        330⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        331⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        332⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        333⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8984
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9096
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        336⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        337⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        338⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        339⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        340⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        341⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9188
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        342⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8640
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        343⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        344⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        345⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        346⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8828
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        347⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        348⤵
        Drops file in System32 directory
        
        PID:9264
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        349⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        350⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        351⤵
        Modifies registry class
        
        PID:9372
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        352⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:9444
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        354⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        355⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        356⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        357⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        358⤵
        Drops file in System32 directory
        
        PID:9624
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        359⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        360⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:9732
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        362⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        363⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        364⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9840
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        365⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        366⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9948
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        368⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        369⤵
        System Location Discovery: System Language Discovery
        
        PID:10020
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10056
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        371⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10128
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        373⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        374⤵
        Drops file in System32 directory
        
        PID:10200
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        375⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        376⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        377⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9344
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        378⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9400
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        379⤵
        Drops file in System32 directory
        
        PID:9476
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        380⤵
        
        PID:9540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
434KB

MD5
bb8a49ea1d4a0cb7416f8bcdbb5e677d

SHA1
d210c12e60cee6835692f98f768ba9fc4bd25ae6

SHA256
91b36734df304f6deda0f7f8117a70a0b34f3e7de9c9eeed8ff17f7587aa94d9

SHA512
df9abb0bbe9e1ac44c411eceebdb415f67b736f20a97782db3e0b0f40ac59fd4997ec1ed6aad9456ff99685538f383701b60b86f1245b7da3a8b3e501774d7a1

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
434KB

MD5
ad6eb34315acc6db7ea1b4f2d80fb4fb

SHA1
c27b1adcc4a014e3e71e576db041a507947e484f

SHA256
e31e1e1c48fb9855ecdd0144f374dbdb42e02585bee96dba453ebbf928294209

SHA512
46ee824db5a6e64fd58ec5ad898c2cc24b017d86f8962a78e819f3b43d0449db674022227a21091f53f29d952b328aa7a0e6768625861f9caa2ec2010b419a1a

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
434KB

MD5
3b2e4eab4f6e7720875e1eb43e7b0b39

SHA1
6ac4299b9a2984f4c24770353729116d648831e0

SHA256
dd72f2ced37a389e97a95c4ce86c546eb9bc20ee42b2888df8e83a600b6ab82b

SHA512
a847f416c17f372edcd457d305890005e0ab08c1fd885203043cc258ae006c9059cca050623536a47706e2f0b9fb404c33a17f2d413def6f57c612a8e47487fc

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
320KB

MD5
2ea3b4fa00e70dbcc8215915c7472448

SHA1
1eaf3a4ab857005e186fe41fbc74f497736ced88

SHA256
5f634bca90d7f92863bc64e77c018cfc9ddd4284cbc2b5ec047455464328aee1

SHA512
aed9310fa328bfa4b73acea4ffd281899dfe18fddd22d5ae8a455a5f261e339629c07b8e0e2cb6a5b85bab292115936f4006771da906eefd4ac4e1cde3863db0

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
434KB

MD5
ac3f048612f7fd6bcf58da410f8ebc2b

SHA1
4bcc0e9640faa7a97a6dd2381e7cae47c4bf47ca

SHA256
fa8f6c24e9e62934f1fb00406896485064a21a4821b780af244d6433e59ea6e9

SHA512
f3650014fc63cd93c0051ebbaf43a471e6a63a2f0b2fe9e0c60ea1f5c20325981b44582fdd41a023f130bf61119ed3f4c11c19a85ac414f095e90d6bd63874f5

Download Submit
C:\Windows\SysWOW64\Bjhkmbho.exe

Filesize
434KB

MD5
f49cd61b8b0adfdd751cc41ca45d492b

SHA1
eae6bcf2edb1f18c2c7cdddb577820131e77a330

SHA256
6969cc0bb451046930602b4c51f6cf39a9cf65ffc079293948220834f2ceb267

SHA512
83c74df275ecd7d76f9bc6caf7786f0f100514f2b798552984957cc084bd170662dc90421a0e69b55a398afb629deb94835af852ea9bc068f40e27dc89b31afc

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
434KB

MD5
15cadeae705db637696ee7e93431d14f

SHA1
bf8a446f517d8018f4b99df8fe33a32b7b3c0539

SHA256
53113ace36cb39b3b119110862cf8ec97f3ca9044d87505e7d0279364693ef26

SHA512
277c735c664205b47275437078737d3a34c5d18585b61fdcfde4b73db06cd54d49dcdf0340dad8a6745abc84af2f485fc01be0957e279839d16b240c4580de07

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
434KB

MD5
de997fe490fd0bdfff740522ee7f09e8

SHA1
8572aa295528a64cd598854f2459b85ef2cc4fe4

SHA256
dae5f3f35447c54e510057f4ee7b7abfec722b78f1b5631280ec7ab212e1b406

SHA512
892fe9c72469c5e3c7c7786877dd8e389c3440e64bb974605b462e08699c126b89938644df6b6ca5fa7e7d46603a4f88ef3095289ec705e685964525d0150cbe

Download Submit
C:\Windows\SysWOW64\Cgkeml32.dll

Filesize
7KB

MD5
1b7719a8fa520e460c163fad0ae5be42

SHA1
49166e2d6be89e73c38e87d23c14e3f8a2a2de26

SHA256
547fc4b816cd294de91d3821bb9f352028cf069178b3537cda1b6cc1dcdb0db9

SHA512
6cdafa19259ccd13538c5ad9c09b0f39e4017a78efacedae9f3477372cdf60d09f485740179140ecc88b37ffc6e4a9d50642c07a6a87c686cc5443b3675fbed6

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
434KB

MD5
f15ceb105a2ecf650769737dfaf4938b

SHA1
f2efe9a9eafff75ec822b63330c2730656b179f9

SHA256
ed23ac4ea13f9cc39caf46b2022bfd1f56f3e24b9500b12d9b598c8c681ab7cf

SHA512
2f40317bf1dcae339f879b7450fff9a01517657eba0fd16a4be84ede19d7aeec22929ec8719a1a385fe204b1aa69636e0cbe694b42dacdb98dcd59a705a76478

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
434KB

MD5
175503670f7b0a488eac82ec9522a142

SHA1
9108dbf8e3c02c5fe3089466b8edce83b40006a6

SHA256
6fa1f1c330a1d22cda48f858f7144604e0b4a6dd6e0ff82301cbf654d627e67d

SHA512
83a37468331ca07999b0b4a69df59e22c4c3d2524bc6fe2d48364dd223bd64f8714dbf25ecbfeaaf9b0651e0b8f464133f9654af1f9138dbaa0cf4c899f8922e

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
434KB

MD5
7b0ffb1a0ed8141538da0f31d829b3f4

SHA1
093b1b0be53d6acab07e2c8eaf2a56ba27f99266

SHA256
8e2c2f32517af9bd2c4f6cda91b6c81b55484e67c319d615497fd0e5c15a75ae

SHA512
a8d3297589ec88ba24375c82efc60e901ab89784989edb9f2106c641da2a4e88d70bbb5337fbe2a740c198a278b3b2f5e40bbd1e87f83308bd3e4d700f708a1d

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
434KB

MD5
1fedcbaa5b6ff08d9ae7d69ba79fe943

SHA1
20a6d33bea476cff5c250ae6642ab4fb4644dfae

SHA256
ecc9a9e2768c7a34d3eae84af928b662a8f0703fd7e60264fc6a7841de657463

SHA512
8a864fe7836b9da1dfbb645d11224d36dbcc5d6cd6268f88e1fd5fa3340840035ba99d311d8f392ccc801e1af16c4e4a1e37e62be56cbc8952b7047b5cbb63e3

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
434KB

MD5
7d5bd66b0f3dd1299c24620946f4b823

SHA1
a8b76b8cb01a53318ddedbaa5b40b6173032258d

SHA256
721e8384b0dd0c8908e11038af6f7c706a384bcc675a4e1cf4c0b67979a9ebd4

SHA512
e6b677631e0988b41480088c53887e06783c6b0495b3e3646d050b295287cbe031d4f15d7467070869f5167d62a1fefac99e2ce122a8a526013e3026f4ebe8d5

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
434KB

MD5
9f106ec588d7220a23911f79a81b9f42

SHA1
2650173d4bb3d4e18b7b6a71de07913284560041

SHA256
9f9153d42da96ab9f316aa22aaf9a9b4a235c8a656f8129ae19730c9b870e1e8

SHA512
c3af699f1b7e09d51b429f0f50b6adc4eb05b7395873249a0bd4f33da6a9d3ac6353baaf577b033edcba5c060b53a499de0ebac109a4169a9daaf10a0284df5d

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
434KB

MD5
491f1606ddaa8f1595a925aa73a6db5e

SHA1
f73732fdf8b6811668693e0f8ee80244374f545c

SHA256
ed11117aba23862685854f8e33454a4bb27b9c2890ead20ee0722994e1170bd8

SHA512
e93f391c063d43dab4c4ee35d5137d8add6d718ab3ec1d971881f700e9eece7b0eabb8cb34cc4812493959bf3578455bdefbb4c0ef66139efbc30536f90eac99

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
434KB

MD5
6d4d231bda99e487c9e0da81b6af933d

SHA1
e2d4dbed53eb869cef96b160f4ebe9cf0bfac82c

SHA256
cbb44157e68b7788e367a2b1505b1ac1c9586d3278ee7348143729c410d91c37

SHA512
bde7a0c6b8667eecfb9b19766e97c1c7e3f26593ed9a8d3c91a89db4e90383d85cda45646662e874184035b15010cb5ddfb5bb0f4a418437c43ee6f2929ed65d

Download Submit
C:\Windows\SysWOW64\Fbdehlip.exe

Filesize
434KB

MD5
43ee62c82704369474eaf4c2d9f4a140

SHA1
509d8689312c1ce959caca7a1f031a22a03f3619

SHA256
70a280a58858d96a081312129737e3483f447a660f5846898080727d4bf78f79

SHA512
e422ccc4ad86408057dfeb46bf138383290dd5ab4e905c9a6302b15cdfccd9e45009da062802ccf3445d3806e89bcedc99eb10bc863422d0451c387ad7ab0508

Download Submit
C:\Windows\SysWOW64\Fbgbnkfm.exe

Filesize
434KB

MD5
80386303530c47c50b9769b0358ee8f0

SHA1
380a7e2d93f7d896fac7a2114e2e33caedd054c9

SHA256
cb646aa0a22ca9a993d46e7a23b75e44fb3304927e67e3279c612809efaa38e5

SHA512
5713f7f05a5548ecde9eef811716c18b801cbcf0a7608c84ae02e7a10de184c02d04ebb58e22341561896c8abe99fbcbfc5fad49da0ace89eb9b36e6d0a1f201

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
434KB

MD5
61332aa87a64b923334cf8d88b07f317

SHA1
70cc6cc579af8f66a78f0dc114dd20b539b8fc10

SHA256
02a1fe9e7c5fc10c98334f69ab9e043adcada8a91aa82ee57ce9bfa64ab4a698

SHA512
1995552be147bf97e6d609396cbfd61fd3ad561b42401a164d69480fd1108e46c4273a89fe8ebbb88a6bcf3f878c6346bc64d77774cf3de529b3574fa438112f

Download Submit
C:\Windows\SysWOW64\Fgoakc32.exe

Filesize
434KB

MD5
882b8f2103798a45fea2c7bc217dc4e6

SHA1
7a35c7ab6c64596a12a5273e90dc83325bd417e2

SHA256
ccbc073eb8a610e0fb68e2cb945288eb10a34550c6612541affa943da7c2e8dc

SHA512
cb0002e2675b0ff6bcbcf0b75c382b388d6f297b0dc13a9de967eda0230a8e089434e57361a48f334ccadd89b32ed44387a2670c4c69e77361ce866b93ccde0d

Download Submit
C:\Windows\SysWOW64\Finnef32.exe

Filesize
434KB

MD5
374082c99289f1072e30ea35aa0d02fb

SHA1
e3ff8496d7de8767a6888ee0a0ae1e8f35455105

SHA256
b41d1dca304ff88153383915430a41d9c7e05821fb691987374dbdfdb6f5d168

SHA512
b5fce99ca610780bcdfec2ad9cdf6b37bca73cd3f63cbf55e089b98779a805cf05a97f6d6f579cb2cb98d6798530181c68720bdadb97690a069b6d76de09157f

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
434KB

MD5
3e32f33426d929aaf8465d26674d8e40

SHA1
c6fe67bf4e8d03b19a8977b92fee0f39a1d9abe5

SHA256
2cac4cbdca1bad677a5d4dd5e4c39c9ff56a4b456d3277c7b9620ff1a83b6f6e

SHA512
1306d8288bfd5ca5711903195a5ddce8938ba1bf9283b519fb900a72619a6830ad5f1816f45f14aa2350c5703018a1ad07d68d971a5b2092287c402cb64853da

Download Submit
C:\Windows\SysWOW64\Fkhpfbce.exe

Filesize
434KB

MD5
c66bb3fb0f97c6b8f129e7d6e7ea5fc2

SHA1
9610eb1ca6c92bf04c3b6ba2a089e8ed2c46222f

SHA256
e9706a7721830d756938407e651d649f7c6db686df8dc8f7461b7e02949e195b

SHA512
687f7a1f2c186aa1b2e85941be79d27d7497cd5c239760bde6d751519755dc06724e8513dd32135b6218085487b02f65158268c091f290b8808a48b443d2c2da

Download Submit
C:\Windows\SysWOW64\Fkmjaa32.exe

Filesize
434KB

MD5
bd066f26efe554742e42dee38b549567

SHA1
94a5883765983f711420d0ad1ee47b399c07dd67

SHA256
4b6b08b8956f08a914448dc838511c49d545fb7bcb7c8fd5150cf96241f8ea3f

SHA512
478ce0d0776cdbf3bf22ba09b928ca6bccd7e54110aaef58a3e66d2106b71dcfbfb8531b3a5400ca152204050682aed8928fa0e95fb2281f40d86548b7dba9e5

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
434KB

MD5
091fd5359989ec69821285b2169521b6

SHA1
ec50e104b57f2f4b0dd52c60c59b5f1a36daa171

SHA256
2a90db13f2649c74c48db7f1c5fa39dc4116faa35077633a9d0096656e623aa0

SHA512
dd3ec2fcb4a1919614afc0a8e9cb42c4e755166d600fa4d6a9dc81968bb72eee44cb88463cf9bc72542c9924888349d13491d43fa706663e316db6b9182fc386

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
434KB

MD5
9834bb251224178f340483df40c78b0a

SHA1
4cff2e2480aa9ebdafcb685e898201b33e56daf6

SHA256
5b2f8889fb68c931fe09c0159069e279c3da46afd249994217d265f33d054c56

SHA512
5313707cdec5e38813c163bbed29f7e86e3349e78b58d0f93ee3052b0319902f60a9207113eab35fb7205cd3cc590723fa688fb9fa0969fdc1a00fef239e8b22

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
434KB

MD5
26a19a4e6676ca2db6ce1d18a9a3f98c

SHA1
07233bb09c160f1efe4ba4b67548fa3bb60e7a53

SHA256
95b37025b667a198f8be5180f0a63abbe732a2a47a3025509f4829df9b6cf282

SHA512
18d6a28a948677f237f89ee5200258b665646fc40fd05590f82b15d1f7a7bee8c8aab0653d0f175487e14d05f6468268a65b31dc48d07aa0d5da61c452e89611

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
434KB

MD5
ee9f22a8dff343c6a3fcb67ff417088a

SHA1
898b8288bdb2b8ef1718d92a6b24b40dafab472f

SHA256
e0c7b6a4aca65b575fc36776063a70a97c40ab75d70d792c16919c11ed660995

SHA512
9131df2f68a5d3456e17019c9034e8bbbe90c1f88389b69903f717766c9609a81e4d7c63b80a369436171d108a1521bb2a077444ea45dffacf75ddcd60586b3a

Download Submit
C:\Windows\SysWOW64\Gbkdod32.exe

Filesize
434KB

MD5
af55b1bbf1c414c19163434872ddc228

SHA1
101faefea4f27082ad71a61dd50d1bb6c8064598

SHA256
c3aa6ff548914dd949606e93c61cb60691727524c9c9b9d8ab6f842d1c94679d

SHA512
b3c8f1641edbd78caef5121efe39a547a8d585e8c610378bbd082b8b95170628a92f58e652cd5ab5641486ddd5a8a59d4afc58ce2e2797996da68394e217b8ab

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
434KB

MD5
861755f7c9cc6d9fbe867db14195fc33

SHA1
9446527d1308756024636477aa4eb8fa28339633

SHA256
0cb788975b69fd24b2b01e3fc2b974764c2ffb2e945425f8b4b6532c2a4879fd

SHA512
4a2f78a377407d4523dba76f23e76bf28e8a9f9037ba2623a4c2d2aee9667127dd80776770505e7717638645a4d2f6ce6dc06f3c48b1e8ea0193a04a9c7fe81b

Download Submit
C:\Windows\SysWOW64\Gghdaa32.exe

Filesize
434KB

MD5
5d348bc273088d37ff88f1ced37a8994

SHA1
c6c2f504d4f92ae90e4b84a33c87cee37aed77d2

SHA256
fa5afeb913046fe0ccbf945bd148dfe21db6e757cfb1d1b2bad6c89993b2024f

SHA512
917cd5f82c7f728519bd508f0043e797ccf42d14ae3e1408106275ec12bfa36d41d874113dfdb703a569d18d162addd5457b1eb869ac222b2397458d3e65cca6

Download Submit
C:\Windows\SysWOW64\Gkoplk32.exe

Filesize
434KB

MD5
d33eec9ac5a8e27c4cedd6fa9c9fb34e

SHA1
753b8d91727641cb3a3cc39819672dcf815a89c2

SHA256
3736f76a59592fd753e8d42346f9c0e26eb9757ab52a927172f48491adf7c41e

SHA512
1967f40028277c65041d9564be158eff9a2ec35739a780a10fe0bd6a2765bc56bd5a804024f44f10c4554dcbcb76dcf8f489f77db2ed6857b75551bc7019a18c

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
434KB

MD5
d07b64141ed7a42e117ccd695daa9bc5

SHA1
6c48eb64b2579627ae467b8dfc1e5a1ce8405744

SHA256
77f21f8fe6b1746804a7aafa0f2c67631d927aa921159b87c8f5d62230bf405d

SHA512
36eb014a1d82a7fb5ed42d1bbfbbabe449f2ae804c992b3e00ddc3e5808368ef8e62be47c5f033b60ac9f91f5dbc6e62f4bd1c1039774f9da99e70943c018155

Download Submit
C:\Windows\SysWOW64\Gnpphljo.exe

Filesize
434KB

MD5
ad31e03bfc27feb79e3bc3d2df83f0f1

SHA1
92f609137c02d8bb68f7c580c8aef83a7c0880e0

SHA256
7a5ed034386d8518b8ee530d5a36dc441afd1dc592ec7733f20f988c0e056cf9

SHA512
e30b9eb1cdcccca2c3da242286c2119fd1c4925c11f16827e4c28e7daf4f8a06ca39ca31c2c084935cc4916a43fdb9fd805a50d7a3624160947b82302f89ed78

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
434KB

MD5
ab53257750ef1eb4969c82c543f02efd

SHA1
e1443bce98105599a59b02b7eeacd9a4178233b6

SHA256
f45a6a7b2ec66c093f515401a48ccb57066fa36859bf63e8e5d74ef50cb42717

SHA512
613068bf50f6bfbeaeaf6968f4efc48c32be23935ee6287d08bf7f349f054cd3d01dd0c388e168fa11c791551347ea7eec3c408654bb554b6124bbc0de297f09

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
434KB

MD5
0753e08f4dea5d60d3ec9e1522585a6e

SHA1
a7ca8462e32ba6727759127e95a6e54c7a5041ac

SHA256
5d9df562ee0b8608e1a1622dd95bc6630cb5391d2e04a923b029cccd60b01735

SHA512
859e4b124204a90d6f75ad47b25cd6195eabd390c3d094abebc6e344dcc9fd83b66af7dcd0f81ffa9ea54efcaf7efe41027cf8372fc374c65104073216cbe620

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
434KB

MD5
8ce6a50d6f1dc3cccae0a7ab72beb4e3

SHA1
df728282591fbb0a6dfcabbfdc48a7a65811a915

SHA256
0f61f87a868122f1981e41fe472f3a247a59005f6b7e54e45abb48a22875e808

SHA512
c40c92caa8066afcc75eef40aa86b4a7434fa149efb2bdb14c2cd432296c1347850ee6b1a1d75858ca6db9469e8b272f5b7597b84b904023d9d861ab22d92c25

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
434KB

MD5
b6fa913c35eeef3b55e74c41147afa37

SHA1
595f1e2e5cdc54904308cbf6f0bd603267239780

SHA256
257da3e9afd75a620fdde430f8a744db1332ce5db1c0f83c03d51944d3251435

SHA512
58a5d953c9cea3e1d59e52d161672a48cdea271d24737374954626acd4e5a435ef1c8008b1f167d71d26d3176ca7527f90933dfdf5063da0903a17a74e8940cf

Download Submit
C:\Windows\SysWOW64\Hegmlnbp.exe

Filesize
434KB

MD5
751402ee6254a930c0cfa78388fcbcc6

SHA1
40f295bf12c6fc430b0516a70b0f7ca1a9e6b57a

SHA256
bd8753a5057dd56de12bee723c8b779047d869aa1b10d8dee451f389cf5fa687

SHA512
d8516ec41ffa7272dab41fcc91c574fb0f272d34fa1a6aa869e5d937979d92e1ed207346e08a18e240e32c9502b788378ebc66d50de68e461f8713bb8c45755f

Download Submit
C:\Windows\SysWOW64\Hepgkohh.exe

Filesize
434KB

MD5
6a98dcad26e33e033c09685f228d1e88

SHA1
c538fdb4ec62c36d5c41761196bd1aedc89fc5d9

SHA256
fd0fb0f9a834cf0369c3c083275da0bbcabf5a33d34b4bc1793635f80f02c1ec

SHA512
8f1544526f0ef6d8a9f1c34517283eb66f1401530e785bfc994d68c44d89d7f1405b64a2524b3463517f27e556f6f4cbd14a2f6f75ab1990aab43e457f249ace

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
434KB

MD5
68b87c5a31d4406f191d98d78529a0ea

SHA1
670c5508dd380ea2c2e27f4725b74ce5fb76c7b0

SHA256
b893fdfe98eacdcf17ef5390a6ecb316bf1cd009e02c85275f247f5a312092c6

SHA512
4a3699327628cb471db89e368960b142f990694903bf721b0bf83bcef61c02d35776d393839a8a51c9c030bcb4aeecd212d664bc83a81589b3ad4720a218d9c0

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
434KB

MD5
519efbc7c12a4a5b60cdd7beed17c1f1

SHA1
82f60b8b111769200646e8bbac37dd824694a165

SHA256
c3a5f728f8db66cc22afbe68a7c30721877bb4c81ff09ac271ea36338ddc05da

SHA512
05da0e1e048e91148a56090bd6576388533d7ce2b21974d071bdc944adbad5d53340e506631e3c0f401748f6b76119445da6ca50e1160f2a0d6c5624989fa4c3

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
434KB

MD5
a39eab37a1b6180d8753194769f349ca

SHA1
96118f8ca93aef1a0f3d7f907e3f9a776a1c11c0

SHA256
135f137900b98588ee386a5e6f3305d2ff967e3144c86682832ba882b2634e01

SHA512
3b49969818b3728cf96cce5a978f20e596c2c1189b25ebc711e6aebc105a6490ae3c036edff54e5f6f4b24682e245afc19b3a2c7a18eca22e5b4d6bc47a902af

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
434KB

MD5
5b3b27b32551e3789811b8976835e2dc

SHA1
102d3e1a976ce0b4f671f2b0e80fe6bb94d1be17

SHA256
2e637ce6df9ae6a770ad098f1311c1b6c629be4dd6db1078f0e6665503cb94c0

SHA512
f4d903ce3b05fdfdc031e0a26f2e628800adb57dc35743dfb282432b33c1049fb5a325477ffb20e36a5b125425651f0f1355007d10385b908b2fc456edad85ca

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
434KB

MD5
72bc23f710bb28a4c7ae5c361bf80ec1

SHA1
18618c63c3f28500402bd8b3faa4d26c92988a05

SHA256
d0b67045e7e7b95ce4db5c678c5b11ffc32e1947492ad57c7e059695f85add13

SHA512
6f40c9e848049809b09c94b8025afb5d2e749baf2ec2e0215ff93448d11fb483858df1b4545e82a659a4535b8815b7106c52d7ebb137cbcdfcfc175930743350

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
434KB

MD5
2c95f85011ae7bf5d5d3b01de7ed4f7b

SHA1
4adc4358e39be6856b7948bceaef7069b5b67c3e

SHA256
2cee0ce0fe5ac8ad43c55cfd9fa468dd88232a2c64280c329d25f10655c44c25

SHA512
db676d229d164a085088cd60db8d32182e320972032d2b408de6f6dff4d52e349b66bb70b6dbad099b3f37f70e905a78ccb9028eaa15fac7f38013fee4950a5d

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
434KB

MD5
e1e52b3028d65f9b34b9ba081b3862d7

SHA1
7dd60016b456b3cda4573c237a02803147945220

SHA256
5047aa94daf65a6f5474a15b22b2e6f5e17d1bc2ea3e5250ca6ed0b36007805f

SHA512
df34a78fbd7d1f3070bce7ea0307a14c1a429d6cc7e670bf2f7c8f6dc81d45baa5d6efdca6572e38064ff26d2bb3b43876cdd3801ed1afa64b47b8089eed8c72

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
434KB

MD5
27ddd1f33f6f6291890ebb461d4d8a85

SHA1
87e2dfebf9e0ca7b8d5b3c6fff680d81bdb96ef5

SHA256
1887e72243e300ed07f4d268cc7a0b845525e5858133673ba951c9b1b5483ccc

SHA512
4479ecf0c3d9ce3838122dbd0282bb271e77259874c55b18bc732c78ad719bf9d52542b175cc79cb2843a9d7043bb2a842ed0a7557b675ac8c2450efe9b09889

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
434KB

MD5
b333576d3466bd0064b14a1d00d768d9

SHA1
4b34d15dad00980069e7335c7cb75dc85a0a5656

SHA256
798a8ba8f8ab0b48d8e0b31cbf67b3a860bb557fc33b56dd998c6ce261caac86

SHA512
060146996ee59eb19ee0be94720a7b056d326d049ab34c9860621478ea51f59c18d412ffa65c7c746aa00f45daf0241bd4b19d63389932559b88c7bf78d13255

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
434KB

MD5
793c0269c355a0663424e550aef70649

SHA1
9701a924def7fd3ff8f1ec060169b338ccd98120

SHA256
0be12436085550e01b589d34c3745e9a19e71d824b30cfa91a53f2cd70285dcd

SHA512
65873f287dd74aa6244eff71c4d5f0efb62c9302041e4094af883a1232695006567682db8c613eb222a58018542322181729d10ad7bdfc8544e80759272df030

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
434KB

MD5
e81bc296294a0525ca1658585dd0933a

SHA1
5b6cde2790614b12db8e55a20768e8c2589caf97

SHA256
77269d2f456d42d547d5f02a37ef5d3dd9f52118840c1160c595d4e50ee9a997

SHA512
c08fd57c87384d155f8fa0c8d7a7f044b60cc8caa2efa03acdb36157d5e93e329a76191f19c0729f6cc8e9c150ea32bd971333c73341a74961b7fb8a649a4adc

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
434KB

MD5
1692185e2fc509302abc51445e39c9d1

SHA1
4fd69a885e746c223adccddb76191ea9d2dec82a

SHA256
3ef0c8c5a40da70e4c2491b8d4d7f641b7cc671520469274fd832b4f66d163a7

SHA512
50d801e3bb4e6c3a564b5d8937bdda3cd36fd1d632feaffe0dd93b2dbebcbcf3ea73b406a417ce159efae3a0293970deba34416a3a362837674753e94b1caffe

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
434KB

MD5
318c2bd17cd89fe029b7559e4405b195

SHA1
13af1de5d792312b5c3e764bde56d9a2e19678d6

SHA256
d4e6f1ee441fb1e0f1a66e45a7ade950915d1590235ca63fd06a4f8f8116b39b

SHA512
d26fadf784efa1cff082b755aef267b6e50d52a8b4d22124d024d663b621a6820f79ee8d6b8b29fda373f8b7e120db8491d657c91af1c91467985aeec7e56db8

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
434KB

MD5
7f45feba139b00082d6b73257ffb8d0e

SHA1
e882511cadce249b7c6972939f5f6a8dd1980fd1

SHA256
97f585b4f074e8535bdf8ff9cf484b4b25b12783338f685c7da2f7e984d93079

SHA512
e79e14f20c019b2d240d2667a032b77d27423883e05565c42a57c4b74c83dcffb05bed3be588c5d32f8d010f50a6e2f9f799d89d207022bc3544ac3bab4ef5fc

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
434KB

MD5
f30312188cd50a76d6c68179bfedcf19

SHA1
7d27be616dbd9838106ebb057ce7e8819d1c468b

SHA256
0c37079d12792e3087c7ed0fc1f6626d7857fd4f3df1270b98b56d73578f7fe4

SHA512
db178ffe6446be2e2ac3fb512e032a9884ee658edd151009d3b57ff300506b25fe9bd75d673475bdebb215166402d9a2fd543fa07d7f64f158ba37a4307dc213

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
434KB

MD5
13ccb74ed11be4e91bb92c94563fbb89

SHA1
c222371443129278aa29a0d8a74f0812728104fd

SHA256
3790d411ad89a7ff2306501686054ea4400451dba9df8f690a60a1fa1e6be5a6

SHA512
ad55bf926ea2dafba05f5c7b7c6315122a904211eaf15a72e4343a9307269284890327dcaa0cf59287b238dce989504187ad4c8c86ab63fa92a9f7b56a8fc008

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
320KB

MD5
d44f12978c313fb64b12c69856a3c1b7

SHA1
abd4eaba8f8ba0fb2ad1eb6d2e4f5fd529e5de7c

SHA256
821b67d694974f777b590715357f2e9bbc11971f52bc7148660d6c3228f1b810

SHA512
9acd7d233d28ece22518ce4a6c4063cdf7df4a9b46d52811139c7f3c7b178323203016e6e66725bdd7b43e23d44fb39b94ce446731d71a472e4d278b25bf8801

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
434KB

MD5
62cda3bde56352c88b7d2bc066f97b1c

SHA1
c8b8fe9b35d1de178f34b0eb05551995870e275b

SHA256
02cb74ae664950e3db6d961775ac3b71700ceb8f82a37a15275e8a701f5e5656

SHA512
7ba533306b20696030b56cf7beef5c122caa50331fa7f755d995345aaa874372bb326acff40927e88391438165d86e8cabf54045763dd3471af143f10af16daa

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
434KB

MD5
ebabfd5bef3fa13e5daf7ee6311831a2

SHA1
954e8ed9dd328761f79199e60db8bd101524c25a

SHA256
3e891f1dd92c5a2686f014c67485d097507e3628643610a846896f51bed06e3f

SHA512
2123dc3f57b22820ff297690a59b2660c08da700ba9c19e1a5f8dbe2f67439e471967acd0382d15d8aa6aee97cb0e77b0ba13d34756620320dd0f3b57044a41a

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
434KB

MD5
28f0a3afd878a8b89389e072b0e943e0

SHA1
fa071dbe32ab69b3e4a41a80ec350ba11df655a6

SHA256
beceec3fde2e4c9745cb19325b68a6925fc14c046c99984a98d36f0ac958270f

SHA512
faccf7a7b2c75bee3c923f59a0b1c7db9e0da1eafde10cf731b18675db3170eda18c6ad99348bcb79731119decb81b6e4f511e1b62e2c7300327aca6dcaa60fd

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
434KB

MD5
b1ecefde7b151a99e49fbd4f8f254ccc

SHA1
aac33627df6a906e7be886e5597e115174502498

SHA256
f63a44d2e4d70a17825a473c8661660fdc39de7e176eefbd755fd7ead05ec96b

SHA512
33916558f84a4065524a7d9ec72e65c0ea513a81d6115e7e7506e4f36cd0d6f29f3f0d0d50a169902254da77333bcb540995a95f2bd8eaecc6d538a7b9c062aa

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
434KB

MD5
76e4874fbd1cdb321b79978217a88e6f

SHA1
1cac4dc1608ce5ac81e1fbf49f1c67ea10090802

SHA256
842083a6bc1a11cbe9b673402ff7cfd9200c23d8f0f4c3384fa1e65377c79fc4

SHA512
2037acf020db72d17e982fcddfe2de4229b5eb05f321e62df761ffa623d50f9ec83c91abf8ceaff6fa0059eb8c9074cf7614029e44ac6862fff8993a873a3c3d

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
434KB

MD5
317e8d3c32fd135961e49ed74df9a937

SHA1
b5fd20cd8ba958724da75e659a251e161bf00ae3

SHA256
c415b6ccf68912dca2b45beddec7989fe6ee60204e455fefbef311cafee1fed5

SHA512
7de08473bc7a6b84de31cccc8e158d6072f64facdf469ac110241a9bf8d8aea8c7f4fcd06263ac31d7dc3d605d00c5601195aeea2086e19a07bf75592571be37

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
434KB

MD5
c1d4fc75e215b59b3bdeace302704631

SHA1
1ec6fe2579f2c135dd45c098d9c33ce31bdd5b08

SHA256
ebca0e189be6eedc0b75ff34442c3849c245f9aea913880d15fdafb13c4a4745

SHA512
06268f9f358695fb06d84929c1b39ee91f0e477b8be230a131d401248750fef8f3235ce30c4fd5086e4b5e494f353bb9b369ec84efb8b3929c8f4ee67155731d

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
434KB

MD5
3df43cf577de353ca9ffb313607247f1

SHA1
d07e319df79ba5d80457f45354bb6ca70a53481e

SHA256
56076d9e2da337bae1b1306766d6ccc445601d0de021b00632ba7a681c791962

SHA512
69decf5868db843748cd07ec491321718fc4db3e4055cf4ee7f00fdd5448859d831e6fc92ddaa270f4e678f194130e6f88fad31591ec61bfad396512d236a048

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
434KB

MD5
18a087571582ff65b238ed49cb4c0c6c

SHA1
879eaf70f83f89b37d1ae7afeaa3cb235b887810

SHA256
ffe567dcb9e111c01f1653ae7a76bcde053c50fc2ee35d0cf6f820116170d897

SHA512
3a985fe86b69bc7b15c30765062da5ae01daf8220e6c1c0a6165cad982adf6f04b3fe2197fcbb33dda2845b8888e81c7ada9d6bfbf4f5a29239f68f5b24bdf19

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
434KB

MD5
2c9ed905beca93e826714ad355ddd891

SHA1
51d3a780eca44acbbe25164310889e55a089b6e1

SHA256
9e43d029c80b3b5e1ad07408706117ebb1acd4c5dc5e4f136fb322c411ecceff

SHA512
f8f1da791bcb45c118e6501d2bb678f7c0d816b269e54de9da0f497e27987ed10c193ddffc5ff202b06e749efb093cb84fea99b40e1f358594e6f9d3e4076d55

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
434KB

MD5
202cd87dd6968f9e8a2bbcc1609596d2

SHA1
68333545ad3c61a5a85c714e859e0000a17870fd

SHA256
68e8ca9e2032868a781918818444859e6f843cf173fee3cc600116035e7c3da4

SHA512
66fb0590f8aaa6fd964b50c80d1393cf09fb6e65f524707ccada39d689a14e1b5789eea5801634cac119b4e517f62848c0836ba1ee31a329d958119db4b9135a

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
434KB

MD5
fff491c44d340561e2950c4e55836098

SHA1
08aaff259372f5f9e6349faee701eaf6a642d2bb

SHA256
4d0917c2b1fd1855d07647437405cdcc95776ea8081310b317090d331167ad4d

SHA512
247b8348bcd244847d6725bc6db628ade3daaef7b45aa6c8c67dd1a467a8915528d3618cf8fb18b0cf73020accaaa6aaa376696543522a0954f4253b55298690

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
434KB

MD5
92218eb7d1e581890740e489ab8c468c

SHA1
6cc7b642946f495c158fcec6181a529b75398b21

SHA256
7a65cd90b0573d0dbf14811b82f9bebe30a0b2ba5ccc4dc6686d0df509462eec

SHA512
7cfc9df70ac1bfbdbf1aa7d3689a58d067100fa48511bf46af88d4b7bc598ba15c9dc855500fd0104aadfe41305e373ff0fb10669137b91723937bc3ce26e440

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
434KB

MD5
675aef4a30a49d55fbba8807937597a8

SHA1
c257b3339cf78418f23815bad78544adcd2ff39f

SHA256
4d092917453a37e0b16c6f90305eccb609f3221ee70f17f9e861e1a9384be935

SHA512
09ce4475377922a7efcfc90a06f9b83a7fd04abc2067a890bed57243c2addee4c907c0e60be4af31269e1ada567e7c33dda6dc684b69b77b6490a8736760c4df

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
434KB

MD5
a58d107e3f900328c787e3c1fea54005

SHA1
2ed6fe15409225c775ddd1ef1849e6083cff63f6

SHA256
c9192e112b1b209e4de32c9405501d4049692e048ed91628119a47a5ad1e9221

SHA512
eb2158eb78011678f6ac9fec1a793748db7f86b265e3273b9bc79a517128d47d2cf96247b89a38e3bf747bf2fddf9ebfd7e2bcbfca2f74d89d4453e5f0bc512c

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
434KB

MD5
5883e6d4942d634b74353bd891319868

SHA1
2dd3d37f46d0f54189dce8ddddbb6f40c4e25edf

SHA256
18481768e0683c4ef797f1c0aa74b1e604570031c053e64afeb356af3c006496

SHA512
27c0c317ff1f291e820bc8a2fdc6dd33f8eeac4caddc1f4d313b77fc342f0dae3d65e26129c2bbd92069822850806be59f6b6bfb8b75b7831d9819ec54c0c3d5

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
434KB

MD5
4ce032ec4d4678e2520c09131ac6c471

SHA1
870ac9df9eabf856a71d1f0b23037f43f96d2977

SHA256
c0a3542663e58832669718612ff2de5948a4d3ca2ec3fd92466fcd60fc3b5888

SHA512
9cf60c55d85709975c0971ab942f6a5a97abc5a33f727670268df77e730d9ed6155266863439296da10822d719883455979551a8f1225066238ad31e6271c1fa

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
434KB

MD5
261a41612331d993a83cb190c0f7362e

SHA1
63259880e11ae05771cc4b6023bf2a78b2df8eab

SHA256
d9acfa7d8e86339829db810fba1a9dac758f0914c9d7f98a5ad93e94f92bac80

SHA512
72e7989b5c93c6e4889bfcaed7c68a009cd9ce259e346d496d49cec02cd35bedde37c8862a009ef66db68c7edd85a95a7b3b01cbc2aab07a9b9724f092b93f95

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
320KB

MD5
33699928aaf93b965d2f3f30e42f5f6b

SHA1
06fa6b1b2810fafba4616cf718fd32c2e98482a5

SHA256
efa56a16d7ec7bbeb3676a5642da6850e44442509286e6bdd63c557101fed3b7

SHA512
060802198b665df30431e1d11d9c8f875e3ac46915168e8011d0bc744d62d66efb0508de83dd3be6607853836c1f79fdfc603d017c39528898c3dc76985ad3c7

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
434KB

MD5
65834b21986618a88b01c58434ecece4

SHA1
ae5e34e8daf5c75bcc2d7f7bd9e492565e07fd1e

SHA256
b4837a3f4f0940e2bd310b0c2d08d3f47bc66cada302e8f01f342497459858bf

SHA512
77e68431bcd194d822f8ec8dda6ca41998505107e6b21021ac9af0fcc8fbe5e46b04c2d535e74ce2566874ccdf22173c43eb597693687c29479a8a5becff776c

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
434KB

MD5
91d702679d0adad55f17dd59cbbea86f

SHA1
47af4dd4800556aa85b6cefa56a03c4e515b3f53

SHA256
70822154861a64cf03d2a60ef1f64b7daa67a67e4322e02c71c3f04adbad137b

SHA512
a34568cda26a0ff3b24ff77b94b8e5a96ae6071e16f0aca409c15d4c38b3f0ca8cd15ca803c91fb8b0985b5e7aad9044a8bb460cb9b135c308eab602fdd4f873

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
434KB

MD5
6d4a4c23f3af940ca3b4826020d6d0e7

SHA1
592cd9507775a36b4c2261cf0d551b6f147a68b4

SHA256
febe0f018a6c90bd9b3e9cbfddb04513c7d7d89bebf480bd45b3b61c76575b64

SHA512
de49be6ab6edc16b8540f16e78da9672a836b2582d62ce3d68230513f06c6b3a2a90600fe86e3307f32577825c825fbceecbf515afae22907784d5b5af131b60

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
434KB

MD5
9ad25bddfbb3a5b2d0ffae0bdd1540ca

SHA1
31d75783f60cd4018b4c9224123ed56b8a8bf92e

SHA256
87a63cf3d70b96ed1fecc492494c2dc01bd24122ae056b558689666e8b9604fa

SHA512
a5c933820edd88d4b16fd9679db82e640015569528561751bc0dca2829f40d3210a64642271c6dff3c587ec350984df4dfafa92a761cb314cbfcdab24db57e50

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
434KB

MD5
255657ed83b0a31c4f9c68e69d7cae10

SHA1
dd446de439eeb1bfc3ba43cc7e69374d69584a63

SHA256
942270a78b49c06e2ca2ca862e978d0399787f110c65bb7c1cbcc35f29671801

SHA512
f083aee57b2eb223cb27a427f69d3ac4b0d42f3a4176fc60a8fa0cb902db947cfd110a5a8d882d36e4e228c55a7f01a27b86037e9fd7d1b5574c71486028c44b

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
434KB

MD5
7a5958277a3d7b70bc7a251a2fff83bc

SHA1
f2b23223b67d42ebb68c0c5af9bc16066e7fc8d6

SHA256
630acd25896c5af1a953dfb352846e191ca477506c0fbe2942dcc8bab534965a

SHA512
c2c11814effbcd01d32dfedf2a7280be30edf6dd02d74543a46b68574dcc5b76e49c978599ada3f4079095bf7f4aba84b765d30f1c058906c7c0dd5c64368741

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
434KB

MD5
0d6fd607eb3076f58078068dbf040563

SHA1
7974c49a84dcdb42d35f47c517a204436c0ae480

SHA256
187428f7a0d264d9e1db4aa575169bde03b95d0cadaa825466545dda9d9523a1

SHA512
996b0b98a2a37679c8ef236758fb1b1087d599b9d966e57d7aec7ea55ba511f1e6d5ccc0780b75558330a7a5110101633e2d8c5f264be0c47e0251f86cf68e24

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
434KB

MD5
3e0dd753ac2bfd10c6e561015dbc3f86

SHA1
10386a38c5a906eb5b81482794c94d3c0ecad312

SHA256
b6b097294ced298e362502d340148911791fb60011f64153f2160c1d50a041ba

SHA512
f3918ec0c598ca12e1134863a21ddc6f0a11a2180ef8506aa8d88411df20ccce668a19d02b6993fd1766019dc13d2eb1ee99a8498b46d6f7db9fbde10182196c

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
434KB

MD5
731b1469127cc729e8234b86f71202cf

SHA1
62f5831bf6927c6b2c508bbf08c61c12585d7248

SHA256
be0affa0bc4a079c47ff03ef251f1e1e3cdd90701a2204e6d446462afca9b93d

SHA512
9a56deb66271f2bf8a218ca002c7ce99804b69086300b9b47b9f0eb354d43a5727df63a52091e556007e03cba3f3498bca562db1631e48f516ec7760f37d2230

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
434KB

MD5
665275fc7f51efdb31ebefe85edaf85a

SHA1
80882f2be9cd653f7415ff13f047c3018b14a34b

SHA256
2c0e1be53cc49f51087676c11505ed92d542db4984d89d7695703f64f825fb0a

SHA512
5212114476cd4788784c91f330164ad5c059dd08d139ac397af092b233276ff6c1bcef1f1485ec70cb2320287b3113d61c8c80247e15de59a8e761a1a59276d7

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
434KB

MD5
51353015df9604d16a3d853ab98be6db

SHA1
aca5a0845c9f35083cc98e2c3f768a4fd865e594

SHA256
9047ee51bc5b22fb55cba6d5bab2059750e74b85f16247721b046d0006bb7259

SHA512
cf90cb348effdf6148475ce5985ae894c58b73410b4b0037e6265b52716a82157b9a62e8231c7d2ae59db4a4a22f963b5afc3514835d20546a74c85786e1f2c9

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
434KB

MD5
b7bb8261f338d2256bc4b39033fa90f0

SHA1
acc5a8824be1ed71dfa2217d8d37ae9545a29b3a

SHA256
18463741bfc3d53035b290147a0ba925447631efab304e3d643a4c726cc7a903

SHA512
93c4e58eda9fa2da884a84c6d2c9aa7468aa74ad4fec30abe88e4a1157de11f25fe99a4d4b2e655e27b690c11338cd513dc11dc8ddb527bea71a96cacc24239d

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
434KB

MD5
1ed508cd670adbe175cf04dbbaebb36a

SHA1
c02363ccf50534e4f8954ccb074c469e526241e2

SHA256
cf53d63e6fbe4f8a5de343a7322ab0c15abdd360dae7fd23d78eb7804fabbfb7

SHA512
8469b9da153b57fe3214228c854d6da1f6c744d3de74fd519cd358218bfff45697c5a991b408f8d6ff2055582d5dd51d65400dac64c944f1dec5cc99e6c438b0

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
434KB

MD5
bc4408055dbfa6ee1a7d18f8d4dd861a

SHA1
e73b8f6c3b7ff1a70f55bf53dc667e26e914cc16

SHA256
b784b1357f7153189b1c3c391047c2b56c974b8da04e20244f347941a4769f0a

SHA512
1c8daff53a3bac014aa56467941dd817ff432c73f42e71697ee8ff0bd9607e8e3fd08317a965645aced99af0b6384c554f0a54a47729feac0522a6a4af43b99d

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
434KB

MD5
b02f8404b2c9899387c761a5c1430b23

SHA1
0cd3142a3b905825e46eae02bcdc4338f5597027

SHA256
8017a826e39499bfbbe0cde7b0d7e552ece83ff76b92adcc97424e7f288e0095

SHA512
043d779b5c4ffcd443e541f47469e7c600e923d897910ab5139207358b49a8271698042a6f8f44c0b6f078bb35803f2593d7fa3985e1f3f63502ed4f3805a5ad

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
434KB

MD5
9c1f86abad28c7d4050b38fbda114746

SHA1
ddb00dd5d8bd837b2860c8486f7aa134bf4ad194

SHA256
ab228cf632324b603ac8de0b6211efb6b132f933dfffcd690baee7936aed2e90

SHA512
ead5e931342736709ecdaf1fd241ecf6caef3b9b5ebfe62c4182126555d70cd4b6c945caed283692e5c7c95e8535c0d93cc010005469f0d9484fb7ef0e42c757

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
434KB

MD5
05c69e8bc7fee83ef07cd9b1801922f9

SHA1
9ee3cdef89c1cb975ef751176a9e2b8e5784c027

SHA256
3db12f2c6a2d173c021760093bbab35fccfde20fedec3e4eb5f3564a5de173b8

SHA512
1d415d51f7d0b493471734c6f20b089e6f7c70922111c4c23a2cfff54210037073aea3b903c428e22b0c35b9a8d093161e4384b4ca2f9af0766f30a80d24ab85

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
384KB

MD5
fbb094964f698001c1620c0f1e6138bf

SHA1
765fd49c1f15f254862de6a597e73a04d8091d64

SHA256
942f0032f0dfb74dd68d924f37c7e9c0a5834434a192db98d380d8d1c6a9b8dd

SHA512
9aed19d819185bb8c225194696e4098a737affa0c8c62a050358d0a2a02eeef0f6b1b66654233d6e721d48a6426ee731f73a11d08d4df21c9b01199d253285e6

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
434KB

MD5
dfc7b9d363804e4ab0386fb5b070db47

SHA1
9accdbdec50f5105b4d31f763994aa87871ad00a

SHA256
5792c22a058f3bfd5f50227a3d7bf8b99d2f3b6301998fe49e2a743bea882dca

SHA512
915a085c5781dd892e4eda306ac411d41a1850e12906d45d75abfd1356229ff0b78b9c42be07251cf00d8efbdd86f7dd318baa6260014c81978368d80a1be158

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
434KB

MD5
93067a432207579c71970b174e848808

SHA1
1aaa88affe92b69ccad5bec943979f894c86c950

SHA256
69af7022b0ed5ad19e0f084a6a9b44d39dbacda79b89f87ac0f24ebe60ce96e4

SHA512
1ab03eefc460da3907ab0f1e57cf2711e059b4876f05abcc69201dc75f52df7a18810f2062ea973fa88b5a78e9cd6f1185b3dd4f31c7426ad37f54485867305c

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
434KB

MD5
72f1da48a7cd02ae5fe486a3157b83b0

SHA1
5644e336da2838dca60e2d9d19d81654d45e35cb

SHA256
f790b9c390de9c4378b1587651c5c55222409ae74f56a81c5daa2d58842c36bc

SHA512
f379159286666b031397061bea5b4be66d05a4a76f09550525fee11dabad7b7ededfbbdc9aef7990b86b161baabe3b8766920b695d55dcf8fdaf92ff48898ee2

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
434KB

MD5
69b1423ffd7f50d9916eff1532c9a5b3

SHA1
a9353c53fe646d8136c5c932ac83d729b6fe880c

SHA256
6c724e94a9dff40690cbbfa490ec737143cf42ec05818a85d065dad5820fa590

SHA512
8550a56eb6c867af6c7b680683a4db7e1865dabb737c01d07e062910afa357d4071bf55ddc16e166f376a775a45e5a043bbc4dcda4aef98c7ce27d9454335fa1

Download Submit
C:\Windows\SysWOW64\Qjhbfd32.exe

Filesize
434KB

MD5
f40c24dd262c2f34a572389950070030

SHA1
a946b4d03aa192731d6aa0e088d53ea6176c7e53

SHA256
d5d8d76b1c7cf2c7f197fb023933e8842d8e0869a4370643c5414e68acb5ebc0

SHA512
0b4fa4690434bb66e701ddcd7ad64e2af08a956e3eb06f7c9801be9d9171407f5a88b6d64bdb96096a5107f8eacfad4d205105b33c3f725cd6d57a558875e2f4

Download Submit
C:\Windows\SysWOW64\Qppaclio.exe

Filesize
434KB

MD5
472afb70a6cc92359e6199a37ffbe498

SHA1
e89af5c48271d44e3673dd63ff8826631fa54af6

SHA256
7dc6ae46d5c4f4880b66db60e8f066abb3be7761ea13be1e725254738a472930

SHA512
2728505544836f0a3bce0e19dfe14e5fc7dd8e705845f3604deb38b87b7ea8a18caa1ae829489dcafdc997b1d638479abb21c3da8f83ba16395558a7fe30bd56

Download Submit
memory/112-2541-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/112-465-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/228-316-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/252-328-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/472-412-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/544-453-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/684-200-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/744-103-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/816-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/820-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/880-370-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/884-151-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/900-212-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1092-406-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1172-549-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1216-575-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1216-39-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1256-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1256-595-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1512-191-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1588-530-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1616-334-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1636-398-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1860-388-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1904-216-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1940-255-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1980-581-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1980-53-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2116-477-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2148-232-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2208-555-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2208-15-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2244-2601-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2244-494-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2248-292-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2256-224-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2300-2466-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2300-358-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2372-240-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2392-298-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2504-24-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2504-562-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2656-95-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2672-602-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2796-280-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2880-356-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2964-119-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2968-500-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3000-582-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3068-262-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3076-344-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3200-589-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3252-424-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3280-346-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3296-483-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3348-536-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3440-569-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3540-175-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3564-475-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3568-364-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3656-506-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3712-430-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3752-274-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3796-419-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3800-76-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3800-601-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3840-556-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4008-518-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4140-310-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4180-143-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4200-286-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4256-382-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4352-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4352-542-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4396-247-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4448-183-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4452-167-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4544-322-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4552-268-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4612-79-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4612-608-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4664-548-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4664-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4672-400-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4688-528-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4708-56-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4708-588-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4772-459-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4820-111-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4828-568-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4828-31-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4836-159-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4848-304-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4868-447-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4872-436-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4920-376-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4960-88-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4960-614-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5096-512-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5732-2786-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5772-2834-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads