berbew | 1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe
Size

55KB
MD5

b1993adfb6db182eec76df79c49e1e55
SHA1

4882aece7cb5166a5863c10ca9f7fae0556dc7e2
SHA256

1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09
SHA512

6ae2c7697885d6c8b44ccad21dae97c10e858140669e9c038b496d996de4637da198e1f903efe47c28ebda9273cbfab88d278ba8ca12174592f046e79a2035fb
SSDEEP

768:F3w+OASO6EzI3jPc9v7trcxO2lyoRj8t2p/1H5lXdnh:F3HSO6EzKc9vprcXRu2Lt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plkpcfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckiihok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmfgek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Addaif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpahpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhenj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flinkojm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpbin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oalipoiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnlmhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gingkqkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Figgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epndknin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhahaiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajohjon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfekc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmigoagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmadco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanfen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgpod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiigadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmhpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecefqnel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaoid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qachgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bomkcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmennnni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihnomjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idhnkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchppmij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckqbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loighj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glengm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1536	Emkndc32.exe
2496	Ecefqnel.exe
1700	Efccmidp.exe
4380	Eiaoid32.exe
3272	Elpkep32.exe
2020	Efepbi32.exe
5080	Emphocjj.exe
4496	Epndknin.exe
764	Eblpgjha.exe
4456	Ejchhgid.exe
4512	Eleepoob.exe
2848	Ebommi32.exe
2228	Emdajb32.exe
1236	Fbajbi32.exe
1932	Fjhacf32.exe
464	Flinkojm.exe
4968	Fbcfhibj.exe
1904	Fimodc32.exe
2132	Fpggamqc.exe
772	Fjmkoeqi.exe
3988	Ffclcgfn.exe
3460	Fmndpq32.exe
1908	Fdglmkeg.exe
968	Fjadje32.exe
1612	Glengm32.exe
4292	Gbofcghl.exe
4428	Gjfnedho.exe
3532	Gmdjapgb.exe
2056	Gdobnj32.exe
4416	Gfmojenc.exe
2452	Gikkfqmf.exe
4708	Gdaociml.exe
3300	Gingkqkd.exe
2680	Hckeoeno.exe
2128	Hienlpel.exe
2968	Hlcjhkdp.exe
2412	Hcmbee32.exe
1460	Higjaoci.exe
4852	Hpabni32.exe
3616	Hcpojd32.exe
3984	Hiiggoaf.exe
4248	Hdokdg32.exe
2460	Hildmn32.exe
2832	Iljpij32.exe
5112	Idahjg32.exe
2184	Icdheded.exe
4580	Iinqbn32.exe
4604	Ilmmni32.exe
2616	Icfekc32.exe
4472	Iknmla32.exe
1208	Inlihl32.exe
5084	Idfaefkd.exe
2856	Igdnabjh.exe
4560	Ikpjbq32.exe
3296	Ilafiihp.exe
4564	Idhnkf32.exe
4532	Iggjga32.exe
460	Ijegcm32.exe
428	Ilccoh32.exe
2220	Icnklbmj.exe
568	Ikdcmpnl.exe
640	Jncoikmp.exe
3320	Jdmgfedl.exe
4152	Jgkdbacp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbjnik32.dll	Flinkojm.exe
File created	C:\Windows\SysWOW64\Idfaefkd.exe	Inlihl32.exe
File opened for modification	C:\Windows\SysWOW64\Nflkbanj.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Enfhldel.dll	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Gmdjapgb.exe	Gjfnedho.exe
File opened for modification	C:\Windows\SysWOW64\Higjaoci.exe	Hcmbee32.exe
File created	C:\Windows\SysWOW64\Jpmcbhlp.dll	Qachgk32.exe
File created	C:\Windows\SysWOW64\Enkdaepb.exe	Emjgim32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Ikpndppf.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Knchpiom.exe	Kdkdgchl.exe
File created	C:\Windows\SysWOW64\Nclikl32.exe	Manmoq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjbaj32.exe	Nelfeo32.exe
File created	C:\Windows\SysWOW64\Hifmmb32.exe	Hbldphde.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Kdigadjo.exe	Kmaopfjm.exe
File created	C:\Windows\SysWOW64\Oldjcg32.exe	Odmbaj32.exe
File created	C:\Windows\SysWOW64\Deiljq32.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Ecefqnel.exe	Emkndc32.exe
File created	C:\Windows\SysWOW64\Ckclhn32.exe	Blqllqqa.exe
File opened for modification	C:\Windows\SysWOW64\Klcekpdo.exe	Kckqbj32.exe
File created	C:\Windows\SysWOW64\Njfkmphe.exe	Nmbjcljl.exe
File opened for modification	C:\Windows\SysWOW64\Efepbi32.exe	Elpkep32.exe
File created	C:\Windows\SysWOW64\Bjdlfi32.dll	Fnlmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgbefe32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Kamjda32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Pmmnjnld.dll	Oeehkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pkgcea32.exe	Pdmkhgho.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Apocmn32.dll	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Higjaoci.exe	Hcmbee32.exe
File opened for modification	C:\Windows\SysWOW64\Jncoikmp.exe	Ikdcmpnl.exe
File created	C:\Windows\SysWOW64\Mcecjmkl.exe	Mmkkmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpdhboj.exe	Mgclpkac.exe
File created	C:\Windows\SysWOW64\Gceegdko.dll	Cfipef32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmgfedl.exe	Jncoikmp.exe
File created	C:\Windows\SysWOW64\Onpjichj.exe	Ojdnid32.exe
File created	C:\Windows\SysWOW64\Fechok32.dll	Ohmhmh32.exe
File created	C:\Windows\SysWOW64\Pkgcea32.exe	Pdmkhgho.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbajjlp.exe	Gijmad32.exe
File created	C:\Windows\SysWOW64\Aglafhih.dll	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Mfgdjh32.dll	Ohcegi32.exe
File opened for modification	C:\Windows\SysWOW64\Plmmif32.exe	Pdfehh32.exe
File created	C:\Windows\SysWOW64\Eejeiocj.exe	Enpmld32.exe
File created	C:\Windows\SysWOW64\Nfcabp32.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Ofgjophm.dll	Gikkfqmf.exe
File created	C:\Windows\SysWOW64\Anaemfem.dll	Jqhafffk.exe
File opened for modification	C:\Windows\SysWOW64\Pkbjjbda.exe	Phdnngdn.exe
File opened for modification	C:\Windows\SysWOW64\Npiiffqe.exe	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Njjmni32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Oflmnh32.exe	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Bddjpd32.exe	Bebjdgmj.exe
File created	C:\Windows\SysWOW64\Eanmnefk.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Bccbakce.dll	Ffclcgfn.exe
File opened for modification	C:\Windows\SysWOW64\Gldglf32.exe	Gifkpknp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	3552	WerFault.exe	793

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plbfdekd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhecmcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglkoeio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggfglb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddifgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjadje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpbin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljhefhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkpmdbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enigke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikkfqmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpdhkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnbnhedj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omqmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmoijje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdlmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfihkqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdaociml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhnkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkbjjbda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blqllqqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdjeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gemkelcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gingkqkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncabfkqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnjpfcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epndknin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjfnedho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkdgchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmohno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndnpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnohlgep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjbhmad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpbpbecj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkeekk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gehbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfehh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adikdfna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll"	Pkgcea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll"	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinlh32.dll"	Fdglmkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqkgbcff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjmba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahhgi32.dll"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll"	Eiloco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmell32.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhefclee.dll"	Ecefqnel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icfekc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll"	Fimodc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkgcea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkiongah.dll"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggkqgaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiiggoaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebjdgmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcbhah32.dll"	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dooaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jklinohd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmojkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll"	Dgjoif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll"	Mkhapk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjdebfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedbbjgh.dll"	Mnhkbfme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oloahhki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbdnipf.dll"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gikkfqmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll"	Mccfdmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megljppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll"	Bnmoijje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbjena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkjnfkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcnbjk.dll"	Fgmdec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inlihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngdb32.dll"	Jcbdgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll"	Ahpmjejp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aknifq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeqca32.dll"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnmin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdbnjdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll"	Mmkdcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1536	1960	1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe	85
PID 1960 wrote to memory of 1536	1960	1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe	85
PID 1960 wrote to memory of 1536	1960	1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe	85
PID 1536 wrote to memory of 2496	1536	Emkndc32.exe	86
PID 1536 wrote to memory of 2496	1536	Emkndc32.exe	86
PID 1536 wrote to memory of 2496	1536	Emkndc32.exe	86
PID 2496 wrote to memory of 1700	2496	Ecefqnel.exe	87
PID 2496 wrote to memory of 1700	2496	Ecefqnel.exe	87
PID 2496 wrote to memory of 1700	2496	Ecefqnel.exe	87
PID 1700 wrote to memory of 4380	1700	Efccmidp.exe	88
PID 1700 wrote to memory of 4380	1700	Efccmidp.exe	88
PID 1700 wrote to memory of 4380	1700	Efccmidp.exe	88
PID 4380 wrote to memory of 3272	4380	Eiaoid32.exe	89
PID 4380 wrote to memory of 3272	4380	Eiaoid32.exe	89
PID 4380 wrote to memory of 3272	4380	Eiaoid32.exe	89
PID 3272 wrote to memory of 2020	3272	Elpkep32.exe	90
PID 3272 wrote to memory of 2020	3272	Elpkep32.exe	90
PID 3272 wrote to memory of 2020	3272	Elpkep32.exe	90
PID 2020 wrote to memory of 5080	2020	Efepbi32.exe	91
PID 2020 wrote to memory of 5080	2020	Efepbi32.exe	91
PID 2020 wrote to memory of 5080	2020	Efepbi32.exe	91
PID 5080 wrote to memory of 4496	5080	Emphocjj.exe	92
PID 5080 wrote to memory of 4496	5080	Emphocjj.exe	92
PID 5080 wrote to memory of 4496	5080	Emphocjj.exe	92
PID 4496 wrote to memory of 764	4496	Epndknin.exe	93
PID 4496 wrote to memory of 764	4496	Epndknin.exe	93
PID 4496 wrote to memory of 764	4496	Epndknin.exe	93
PID 764 wrote to memory of 4456	764	Eblpgjha.exe	94
PID 764 wrote to memory of 4456	764	Eblpgjha.exe	94
PID 764 wrote to memory of 4456	764	Eblpgjha.exe	94
PID 4456 wrote to memory of 4512	4456	Ejchhgid.exe	95
PID 4456 wrote to memory of 4512	4456	Ejchhgid.exe	95
PID 4456 wrote to memory of 4512	4456	Ejchhgid.exe	95
PID 4512 wrote to memory of 2848	4512	Eleepoob.exe	96
PID 4512 wrote to memory of 2848	4512	Eleepoob.exe	96
PID 4512 wrote to memory of 2848	4512	Eleepoob.exe	96
PID 2848 wrote to memory of 2228	2848	Ebommi32.exe	97
PID 2848 wrote to memory of 2228	2848	Ebommi32.exe	97
PID 2848 wrote to memory of 2228	2848	Ebommi32.exe	97
PID 2228 wrote to memory of 1236	2228	Emdajb32.exe	98
PID 2228 wrote to memory of 1236	2228	Emdajb32.exe	98
PID 2228 wrote to memory of 1236	2228	Emdajb32.exe	98
PID 1236 wrote to memory of 1932	1236	Fbajbi32.exe	99
PID 1236 wrote to memory of 1932	1236	Fbajbi32.exe	99
PID 1236 wrote to memory of 1932	1236	Fbajbi32.exe	99
PID 1932 wrote to memory of 464	1932	Fjhacf32.exe	100
PID 1932 wrote to memory of 464	1932	Fjhacf32.exe	100
PID 1932 wrote to memory of 464	1932	Fjhacf32.exe	100
PID 464 wrote to memory of 4968	464	Flinkojm.exe	101
PID 464 wrote to memory of 4968	464	Flinkojm.exe	101
PID 464 wrote to memory of 4968	464	Flinkojm.exe	101
PID 4968 wrote to memory of 1904	4968	Fbcfhibj.exe	102
PID 4968 wrote to memory of 1904	4968	Fbcfhibj.exe	102
PID 4968 wrote to memory of 1904	4968	Fbcfhibj.exe	102
PID 1904 wrote to memory of 2132	1904	Fimodc32.exe	103
PID 1904 wrote to memory of 2132	1904	Fimodc32.exe	103
PID 1904 wrote to memory of 2132	1904	Fimodc32.exe	103
PID 2132 wrote to memory of 772	2132	Fpggamqc.exe	104
PID 2132 wrote to memory of 772	2132	Fpggamqc.exe	104
PID 2132 wrote to memory of 772	2132	Fpggamqc.exe	104
PID 772 wrote to memory of 3988	772	Fjmkoeqi.exe	105
PID 772 wrote to memory of 3988	772	Fjmkoeqi.exe	105
PID 772 wrote to memory of 3988	772	Fjmkoeqi.exe	105
PID 3988 wrote to memory of 3460	3988	Ffclcgfn.exe	106

C:\Users\Admin\AppData\Local\Temp\1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe
"C:\Users\Admin\AppData\Local\Temp\1dd9178177518b04a03e4e7a02629ed4af2fb9c409fd8b2b79dc847e80cf4f09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\Emkndc32.exe
  C:\Windows\system32\Emkndc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Ecefqnel.exe
    C:\Windows\system32\Ecefqnel.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\Efccmidp.exe
      C:\Windows\system32\Efccmidp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\SysWOW64\Elpkep32.exe
        
        C:\Windows\system32\Elpkep32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Emphocjj.exe
        
        C:\Windows\system32\Emphocjj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Eblpgjha.exe
        
        C:\Windows\system32\Eblpgjha.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ejchhgid.exe
        
        C:\Windows\system32\Ejchhgid.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ebommi32.exe
        
        C:\Windows\system32\Ebommi32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Emdajb32.exe
        
        C:\Windows\system32\Emdajb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Fbajbi32.exe
        
        C:\Windows\system32\Fbajbi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Fjhacf32.exe
        
        C:\Windows\system32\Fjhacf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Fbcfhibj.exe
        
        C:\Windows\system32\Fbcfhibj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ffclcgfn.exe
        
        C:\Windows\system32\Ffclcgfn.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Fmndpq32.exe
        
        C:\Windows\system32\Fmndpq32.exe
        23⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Fjadje32.exe
        
        C:\Windows\system32\Fjadje32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Glengm32.exe
        
        C:\Windows\system32\Glengm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        27⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        29⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Gdobnj32.exe
        
        C:\Windows\system32\Gdobnj32.exe
        30⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Gfmojenc.exe
        
        C:\Windows\system32\Gfmojenc.exe
        31⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Gingkqkd.exe
        
        C:\Windows\system32\Gingkqkd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        35⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        36⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        37⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        39⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        40⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        41⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Hiiggoaf.exe
        
        C:\Windows\system32\Hiiggoaf.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        43⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        44⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Iljpij32.exe
        
        C:\Windows\system32\Iljpij32.exe
        45⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        46⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Icdheded.exe
        
        C:\Windows\system32\Icdheded.exe
        47⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        48⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        49⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Iknmla32.exe
        
        C:\Windows\system32\Iknmla32.exe
        51⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        53⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        54⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Ikpjbq32.exe
        
        C:\Windows\system32\Ikpjbq32.exe
        55⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        56⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Iggjga32.exe
        
        C:\Windows\system32\Iggjga32.exe
        58⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        59⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        60⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Icnklbmj.exe
        
        C:\Windows\system32\Icnklbmj.exe
        61⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Ikdcmpnl.exe
        
        C:\Windows\system32\Ikdcmpnl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        64⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        65⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        66⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Jpdhkf32.exe
        
        C:\Windows\system32\Jpdhkf32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:488
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        68⤵
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jkimho32.exe
        
        C:\Windows\system32\Jkimho32.exe
        69⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        70⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        71⤵
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        72⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        73⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        74⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        75⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        76⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Kkpbin32.exe
        
        C:\Windows\system32\Kkpbin32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        78⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        79⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        80⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        81⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kdkdgchl.exe
        
        C:\Windows\system32\Kdkdgchl.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        83⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        85⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        86⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        87⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        88⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        89⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        90⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        91⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        92⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        93⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        94⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        95⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        96⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        97⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        98⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        100⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        101⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        102⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        103⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        104⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        105⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        108⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Lenicahg.exe
        
        C:\Windows\system32\Lenicahg.exe
        109⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        110⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mminhceb.exe
        
        C:\Windows\system32\Mminhceb.exe
        111⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        112⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        113⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        114⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        115⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        117⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        118⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        119⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        121⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        122⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        123⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        124⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        125⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        126⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        128⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        129⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        131⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        133⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        134⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        135⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        136⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        137⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        139⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        140⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        142⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        143⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        144⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        145⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        146⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        148⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        149⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        150⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        151⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Oalipoiq.exe
        
        C:\Windows\system32\Oalipoiq.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        154⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        156⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        158⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Oldjcg32.exe
        
        C:\Windows\system32\Oldjcg32.exe
        160⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        161⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        162⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        163⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        164⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        165⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        167⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        168⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        169⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        170⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        172⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        173⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        175⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        177⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        178⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        179⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        181⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        182⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        184⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Pmcclm32.exe
        
        C:\Windows\system32\Pmcclm32.exe
        185⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        186⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        187⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        188⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        189⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        190⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        191⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        192⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7268
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        194⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Qmhlgmmm.exe
        
        C:\Windows\system32\Qmhlgmmm.exe
        195⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        197⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        198⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        199⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        200⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        201⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        202⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7708
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        204⤵
        Modifies registry class
        
        PID:7748
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        205⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        206⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        207⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        208⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        209⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        210⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        211⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        212⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:8188
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        215⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        216⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        217⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        218⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        219⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        220⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        221⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        222⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        223⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        224⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        225⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        226⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:8052
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        228⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        229⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        230⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        231⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        232⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        234⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        235⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        236⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        237⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        238⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        239⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        240⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        241⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        242⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        243⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        244⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        245⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        246⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        247⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        248⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8020
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        250⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        251⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        252⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        253⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        254⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        255⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        256⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        257⤵
        Drops file in System32 directory
        
        PID:8256
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        258⤵
        Modifies registry class
        
        PID:8308
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        259⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        260⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        261⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        262⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        263⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8572
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:8616
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        266⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        267⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:8748
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        269⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:8836
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        271⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:8924
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        273⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        274⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9056
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9100
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        277⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        278⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        279⤵
        Modifies registry class
        
        PID:8196
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        280⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        281⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8436
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        283⤵
        Modifies registry class
        
        PID:8492
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8560
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8632
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        286⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        287⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8828
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        289⤵
        Modifies registry class
        
        PID:8920
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8960
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        291⤵
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        292⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        293⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        294⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        295⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:8432
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        297⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        298⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8756
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        300⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        301⤵
        Modifies registry class
        
        PID:9024
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        302⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:7956
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        304⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        305⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        306⤵
        Drops file in System32 directory
        
        PID:8760
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        307⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        308⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        309⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        310⤵
        Drops file in System32 directory
        
        PID:8672
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        311⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        312⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        313⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        314⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8408
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        316⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        317⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        318⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        319⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9268
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        321⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        322⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        323⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        324⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        325⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        326⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9596
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        328⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9692
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        330⤵
        Modifies registry class
        
        PID:9736
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        331⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9788
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        332⤵
        Modifies registry class
        
        PID:9840
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        333⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9972
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        335⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        336⤵
        Drops file in System32 directory
        
        PID:10108
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        337⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        338⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        339⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:9292
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        341⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:9480
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        343⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        344⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        345⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        346⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        347⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        348⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        349⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        350⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10200
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        352⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        353⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        354⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        355⤵
        System Location Discovery: System Language Discovery
        
        PID:9604
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        356⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        357⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        358⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        359⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        360⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        361⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        362⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        363⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        364⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        365⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        366⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        367⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        368⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        369⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9264
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        371⤵
        Modifies registry class
        
        PID:9532
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10016
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        373⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        374⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        375⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        376⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        377⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        378⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        379⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        380⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        381⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        382⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        383⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10296
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        384⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        385⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        386⤵
        Modifies registry class
        
        PID:10428
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        387⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        388⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        389⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        390⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        391⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        392⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10692
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        393⤵
        Modifies registry class
        
        PID:10736
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        394⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        395⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        396⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        397⤵
        Drops file in System32 directory
        
        PID:10920
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        398⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        399⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        400⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11052
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        401⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        402⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11140
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        403⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        404⤵
        Modifies registry class
        
        PID:11228
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        405⤵
        Modifies registry class
        
        PID:10000
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        406⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        407⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10376
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        408⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        409⤵
        Drops file in System32 directory
        
        PID:10512
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        410⤵
        System Location Discovery: System Language Discovery
        
        PID:10576
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        411⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        412⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        413⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        414⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10860
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        415⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        416⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:10972
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        418⤵
        Modifies registry class
        
        PID:11036
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        419⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        420⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:11236
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        422⤵
        Modifies registry class
        
        PID:10304
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        423⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        424⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        425⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10612
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        426⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        427⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10812
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        428⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        429⤵
        Drops file in System32 directory
        
        PID:10948
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        430⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        431⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        432⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        433⤵
        System Location Discovery: System Language Discovery
        
        PID:10436
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        434⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        435⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        436⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        437⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        438⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        439⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        440⤵
        Drops file in System32 directory
        
        PID:10620
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        441⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        442⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        443⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        444⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        445⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        446⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        447⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        448⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        449⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        450⤵
        System Location Discovery: System Language Discovery
        
        PID:11276
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        451⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        452⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        453⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        454⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        455⤵
        System Location Discovery: System Language Discovery
        
        PID:11496
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        456⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        457⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        458⤵
        Modifies registry class
        
        PID:11628
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        459⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11672
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        460⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        461⤵
        System Location Discovery: System Language Discovery
        
        PID:11756
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        462⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        463⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        464⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        465⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        466⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        467⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        468⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        469⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        470⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        471⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12196
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        472⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        473⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        474⤵
        Modifies registry class
        
        PID:11328
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        475⤵
        Modifies registry class
        
        PID:11396
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        476⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        477⤵
        System Location Discovery: System Language Discovery
        
        PID:11524
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        478⤵
        Drops file in System32 directory
        
        PID:11596
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        479⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11668
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        480⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        481⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        482⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        483⤵
        System Location Discovery: System Language Discovery
        
        PID:11920
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        484⤵
        System Location Discovery: System Language Discovery
        
        PID:11992
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        485⤵
        System Location Discovery: System Language Discovery
        
        PID:12060
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        486⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        487⤵
        System Location Discovery: System Language Discovery
        
        PID:12208
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        488⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:11348
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        490⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        491⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        492⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        493⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        494⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        495⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        496⤵
        System Location Discovery: System Language Discovery
        
        PID:12084
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        497⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        498⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        499⤵
        Modifies registry class
        
        PID:11484
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        500⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        501⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:12012
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        503⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        504⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        505⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        506⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        507⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        508⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        509⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        510⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        511⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        512⤵
        
        PID:12148
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        513⤵
        Modifies registry class
        
        PID:12052
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        514⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12300
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        515⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        516⤵
        Modifies registry class
        
        PID:12372
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        517⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:12408
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        518⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        519⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12480
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        520⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        521⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        522⤵
        Modifies registry class
        
        PID:12588
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        523⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        524⤵
        System Location Discovery: System Language Discovery
        
        PID:12740
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        525⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        526⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        527⤵
        Modifies registry class
        
        PID:12848
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        528⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:12888
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        529⤵
        Modifies registry class
        
        PID:12924
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        530⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        531⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        532⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        533⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        534⤵
        Drops file in System32 directory
        
        PID:13108
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        535⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        536⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        537⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        538⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        539⤵
        Modifies registry class
        
        PID:12292
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        540⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        541⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        542⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        543⤵
        Drops file in System32 directory
        
        PID:12544
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        544⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        545⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        546⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        547⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        548⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        549⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12884
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        550⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        551⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        552⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        553⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        554⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        555⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        556⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        557⤵
        Drops file in System32 directory
        
        PID:12368
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        558⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        559⤵
        Drops file in System32 directory
        
        PID:12584
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        560⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        561⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        562⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12872
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        563⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        564⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        565⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        566⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        567⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        568⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        569⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:11560
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        570⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        571⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:13164
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        572⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        573⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        574⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        575⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        576⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        577⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        578⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        579⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        580⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        581⤵
        
        PID:13432
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        582⤵
        System Location Discovery: System Language Discovery
        
        PID:13468
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        583⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        584⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        585⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        586⤵
        Drops file in System32 directory
        
        PID:13616
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        587⤵
        Drops file in System32 directory
        
        PID:13652
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        588⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        589⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        590⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        591⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        592⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        593⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        594⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        595⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        596⤵
        System Location Discovery: System Language Discovery
        
        PID:13980
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        597⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        598⤵
        Drops file in System32 directory
        
        PID:14052
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        599⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        600⤵
        
        PID:14124
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        601⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        602⤵
        Modifies registry class
        
        PID:14204
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        603⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        604⤵
        Drops file in System32 directory
        
        PID:14276
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        605⤵
        
        PID:14312
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        606⤵
        System Location Discovery: System Language Discovery
        
        PID:13316
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        607⤵
        
        PID:13384
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        608⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        609⤵
        Drops file in System32 directory
        
        PID:13516
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        610⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        611⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        612⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        613⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        614⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        615⤵
        
        PID:13896
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        616⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        617⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        618⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        619⤵
        Drops file in System32 directory
        
        PID:14152
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        620⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14236
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        621⤵
        Modifies registry class
        
        PID:14296
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        622⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        623⤵
        
        PID:13452
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        624⤵
        Modifies registry class
        
        PID:13568
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        625⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        626⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        627⤵
        System Location Discovery: System Language Discovery
        
        PID:13916
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        628⤵
        System Location Discovery: System Language Discovery
        
        PID:14004
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        629⤵
        Drops file in System32 directory
        
        PID:14132
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        630⤵
        Modifies registry class
        
        PID:14284
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        631⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        632⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        633⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        634⤵
        
        PID:14012
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        635⤵
        Drops file in System32 directory
        
        PID:14232
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        636⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13540
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        637⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:14044
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        638⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        639⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        640⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        641⤵
        
        PID:14376
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        642⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        643⤵
        System Location Discovery: System Language Discovery
        
        PID:14448
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        644⤵
        System Location Discovery: System Language Discovery
        
        PID:14484
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        645⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        646⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        647⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        648⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14628
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        649⤵
        System Location Discovery: System Language Discovery
        
        PID:14664
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        650⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        651⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        652⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        653⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        654⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        655⤵
        
        PID:14896
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        656⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14932
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        657⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        658⤵
        Drops file in System32 directory
        
        PID:15068
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        659⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        660⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        661⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:15196
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        662⤵
        
        PID:15240
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        663⤵
        
        PID:15280
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        664⤵
        
        PID:15320
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        665⤵
        System Location Discovery: System Language Discovery
        
        PID:13428
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        666⤵
        
        PID:14396
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        667⤵
        
        PID:14456
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        668⤵
        
        PID:14528
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        669⤵
        
        PID:14580
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        670⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        671⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        672⤵
        
        PID:14764
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        673⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        674⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        675⤵
        
        PID:14972
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        676⤵
        
        PID:15052
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        677⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        678⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        679⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        680⤵
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        681⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        682⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        683⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        684⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        685⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        686⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        687⤵
        
        PID:14712
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        688⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        689⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        690⤵
        Drops file in System32 directory
        
        PID:14956
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        691⤵
        
        PID:15248
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        692⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        693⤵
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        694⤵
        
        PID:14696
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        695⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        696⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 400
        697⤵
        Program crash
        
        PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamknj32.exe

Filesize
55KB

MD5
a499508cd05336c34d74acf2658a0169

SHA1
e05d77505e19f3f5efcafcc96ac62ff229943446

SHA256
214cdbb93d98d6dd726b73e43d7540b416e40531183fabd052807f2a6452536a

SHA512
823181b388cf0551bd7aeb9747029c64f27740eac638cfd0572a43f5c4ecf1652127a3d07618b32c2c9725b63012377ed8a11c7967428f5fae8a364e42d7a56c

Download Submit
C:\Windows\SysWOW64\Ajmladbl.exe

Filesize
55KB

MD5
50a7caa0c95489fddab926c7cc2343f6

SHA1
84dfb43001363d38a20d8c38c9748e09397fa678

SHA256
a9baaa91472de46e89cc7f16bb1124e5189fe6fb0a499f24e8def24c66cfc628

SHA512
7c02c88ab2c89bb0e1d95691504298507d66b23cd3bf9887b571d2c64ebb15a6af475955d2567a93e4b2834b7e32acd29595dcf5cda8efd330e07ef716a06120

Download Submit
C:\Windows\SysWOW64\Anclbkbp.exe

Filesize
55KB

MD5
0225584b46026251ae0be49fe2e54a7a

SHA1
5e9edabe7ec246264ef324f6937b0ba95a8ab207

SHA256
26ba15e6e2d158a0d6919a59961a1d3b415642d77724b743551a487393a5a575

SHA512
0c9b7e075a2ef40d66b849c1078d5b48759ecb2b3fad1dea503e956357e72ebe15bdb357ac8a5c02107bc015642335ff2ae34c4a892bd68cd97c4d0799588125

Download Submit
C:\Windows\SysWOW64\Bakgoh32.exe

Filesize
55KB

MD5
7e69ddacf2c15cce640d301d2a4eafd0

SHA1
3d0f23204cb96189638985672d9d01bfcbd05a88

SHA256
419f82677567cb0671d8e1f1d3d801736a0af26264b542024ce277385ba058ae

SHA512
d7c175ee5f275183a3a79d5765edb83cf760d1d8ce92f7680f3e9b40d732fce7192e8ad2b1c7bc9bc07d0adec4ab2feb1f8624e7291629d39a386bb8ba3b3e64

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
55KB

MD5
0ef8aad739500c661ee57907c08f8fa4

SHA1
f190e78b4d16c08b0334d12e1269740f0b71df9c

SHA256
9c03a0331d0a22f131374207267b0f52dec74ab7412534e0c4913ed4e65419e7

SHA512
89216e07568bacaee603e872fd6613950bb779d6ba9cd196b3e09741741dcadbfb619c286e0e37f404d7ad70f3bdea5d3b023db1a4ff9a8ce21b258ba019ab43

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
55KB

MD5
025407b7437acb40de7a2d66316be7f2

SHA1
735dcd77aed1296c034584d1e4f2fcddaf9e2811

SHA256
b74a4480f827619ead9b7f3519b89ae0e9e5889e3318980d14199e42e7987726

SHA512
820fa8d749be9b2def72a55f7de8204fbad966590b71d9ccacf8932a7340753b6e461d43e5f0bdd73802bb4e45f1e2f977a9640b5812b0bc0bc72e5250ae2121

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
55KB

MD5
3b559c37ce75deffc26ed59b8df6c215

SHA1
b67f574b4d87e6330fb11482aa088746d2a304e4

SHA256
02da3e076e31e10bcb72674583c075bf26b2c7cba95109d54c171344449c9996

SHA512
b58f8cdc743b709a352482b46bc8e69f94885ecd875cb841f2de74120156425a9209ba484031cb40846153e9562a0cdcc3872297bb8b0b1d39758d83ceec93ff

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
55KB

MD5
c774c434b684e9a8f7db39128b7f24cd

SHA1
264ffff43db95dbd59a71a27a44b93ee367a71cd

SHA256
bb8992a83964946c646b162bdea4bc7d7739d442aaf97abdf298c44747da8c66

SHA512
c6ff037a1072067a96ff8288245695d906be4fd22d621fd5fe4600c8d1078fb25532822245aeb9c76905861c69b968ac07a932432d6687e58825e47927afe8d6

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
55KB

MD5
25a0669e5afc7b90eb9cadf6e5b2508b

SHA1
1f38b8b0e85a20099bd6e203bd6aabf81ed1fc09

SHA256
6c90406bc88e6a22ed9466e4d60d6f5016c778b656e8944580de8d4879163d67

SHA512
65007ca4cceb0f006ca9713c5566a0e3459a5250bc028ef4bb4f1e51c5d07dd50dcebadd76756dc93b4929580fbef1883067c70ce3e63ae5af574094ad80b3f8

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
55KB

MD5
e8710e5bc0868ec959a68e372e6833fa

SHA1
259555f7646ce4a19f1cab93caf0e516948045c5

SHA256
8362b420c9717179247c3d47a136811077030c54198d55c81ede3c04e2b91a8a

SHA512
7296899be269d00bf8b4b1d787d3e2de5303c0f50a55d0d097352281736e4c9e305db8e8adae9130d932ba3d84f9a2af3ae22ba95cf68e8068c034d3f60aab90

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe

Filesize
55KB

MD5
6433fd880c4298793340c59895458790

SHA1
2b6dfa74acdb8b3317e7db8d83ff8bc2101e6330

SHA256
f3f0ef31210e16c288328d8be87561e8feb3918693176424c2539a3afc57713b

SHA512
4eef67a5a8d9d0af0796d2e845f1f805631f4b64674277ba160cf7aa3c2b0265c3b4b531ef3ceb479895c14646809406bea3756d132bf346ee02c1ee480ee911

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
55KB

MD5
f4c9a16a76144f923f439a4a1adc4064

SHA1
3228b5ce046ecd118067684acc21e9a0a953d04a

SHA256
0256802e8b3c9689f2feaa96292b60eb5064584269a331615d8f075797e6d303

SHA512
fe584741c51f5a1b46bd0ee63d4d9cb0a12ee3a451bc3196fda5cd71496669309304185813aca2455b606eb92d565e249852e360b01278451974d4116511a504

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
55KB

MD5
640ceb6171eb95c2e8c05b9928a6411f

SHA1
a272dc6412be9fd1fcaa4a6394ecd737f8160dd0

SHA256
40a49577cd0a99fd174a2fb8352befeda3e52a80a5fe5e0c06b6b2651d7248c0

SHA512
09a004cea8b1d15ba3efea6bfa710f56d7aea03d88fee40ceb84df6a1a8c37e23959ad2a779197010098ad18b33caaaa98d05ce5a03c1967ef3d48b4379df54e

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
55KB

MD5
dfb3a1afdea89c11f9678b4017cc7671

SHA1
2553b30ac889278821c89ade35a4b6d3c2c107c9

SHA256
7717d2fa9b10e4c26fe97b91cf03de636c3455a344ff70b6f4e163272ef5920b

SHA512
f3564f97cb925d112a9b729e7dfe73684af1bf2863818406ad16f79e86f70e9e6f4661bdeccb6e2e4afb64030ab6a39792eda22ee007edf79a36c55dfce94d08

Download Submit
C:\Windows\SysWOW64\Eblpgjha.exe

Filesize
55KB

MD5
05ac9e8b9b3d177f4415dca9efa3eb73

SHA1
a24c6d1bcf1cf106ce05e6df0efaf616b7e25b22

SHA256
4183ad57ad024ab9ea0eb7b4e181bd6d344c62bb5f5a09ef17b608028c45c01f

SHA512
299861e3e69a878c0a0f50f46ff14bb55895fbb1a87b8081337518368970888430c09d3c574c2007e43f2fdacb703b003dc16f9398f3786b93599985535024d1

Download Submit
C:\Windows\SysWOW64\Ebommi32.exe

Filesize
55KB

MD5
ffb899f24a8900792d043967076052b0

SHA1
c6c236e0034e07964e26181e43cc66b24c4f72cf

SHA256
3d1013328d3183f188da32e36b29f18558b9aaebea15a5e8a38b5386f04bb095

SHA512
0130da4c928480651fd08683f9bf169feab09d8dda3794a10c362da7e04df35ed7d260148c979cdb6eedb097ec99572b74ecdf207067134568b1caf0df1c3e05

Download Submit
C:\Windows\SysWOW64\Ecefqnel.exe

Filesize
55KB

MD5
51511acaa8950bacf279f3c29d7e36eb

SHA1
e1e28d27435bde04f70f75696dd9185e6c5f6378

SHA256
cdbb7aab2ed0c4721745f5b1fee344b3a8593054540a9acbc11ad028a42a42e7

SHA512
c08f1b1513d138b10b6c7d374277acda07bf24d626cec9518c5c1aaef035bcb780c3f3aa0e7f13c3474901f3ebf7c25d0fbd1a1110353165d8791cd126ff3193

Download Submit
C:\Windows\SysWOW64\Efccmidp.exe

Filesize
55KB

MD5
602b9900e2f710b18e657994b52109c2

SHA1
81c49f93e89738d624103b28773cc03ae17f2c2a

SHA256
4f82851f8be2da0eed6e084424311dd5aee62b8d0e60c76395ad4c026b2d64ad

SHA512
38e81d7614872e2dda84d502e5d393a20d29bdce04b9c5b5d43cb34e94767d1eb9fe33d1af3660aa7c8a33fc4c6cc0dae17f03184b500166aa8313f820199da5

Download Submit
C:\Windows\SysWOW64\Efepbi32.exe

Filesize
55KB

MD5
7cab5afcaf3f4667d53a985c2668e088

SHA1
8b7403513afe723a15bd1719e1fbc53b9e354d46

SHA256
a13b1be0229080ddf61c07392462f08772defa5fb459e6570d33a345e6831f98

SHA512
6767f435b11d8a877c29d7a2fd78b5e7c7303d3977b60ed95a22481785f3a081ba1fe6b66624e39b5351674d970831e956da4a02871b816b94e784f2b6ca3b2c

Download Submit
C:\Windows\SysWOW64\Eiaoid32.exe

Filesize
55KB

MD5
a1412eba6e1ebe5997213eba8092ee41

SHA1
27bd4344703d316896d99cc6543d5667fe7588b3

SHA256
a276684d01acd36746841d59d2961ed163876b3c65ac2edb244f3e8ee7c2e220

SHA512
bb8e10f456a06a1b831d549da24c09cfdf07231292699fcd84f65b4471e9142ba24d32b662f92ccbdb8077e85225b66ea0ee67db9a40c820809a42fab5d2d388

Download Submit
C:\Windows\SysWOW64\Ejchhgid.exe

Filesize
55KB

MD5
8e05863507ffa72d9c38a90748de44af

SHA1
97697448112bb79b8701a279cb16050d05e42a47

SHA256
6016ec004dabfdcc0e14ca9d8dacb69c5bc12194dec8e313cdc328c7a082de6f

SHA512
7aef92ff30cf6d26dfec895107fa473c4d0cc82330f279f850e09374cc9cd556bc5d5b7be0948d017e41cf526a33249e35f7e616274e936285d0f433f8705204

Download Submit
C:\Windows\SysWOW64\Eleepoob.exe

Filesize
55KB

MD5
aa494703b77a40bb33eab65047241d45

SHA1
05b9e878bcfca2f0dbb3fe531e18abef700c8db8

SHA256
9d0df4a9345afb908cf038a75c6628d3165d13e143f3d32ac0f116bbc42ffefc

SHA512
0c66df1073ed7a9d823f5fe649cb67fa2785cc514583bdea4fab7c7ac85494ae8392215806731f922116726b600fa12ea3077a818667733d4cd955f81de81dfa

Download Submit
C:\Windows\SysWOW64\Elpkep32.exe

Filesize
55KB

MD5
90b4c17da5640af078de9e54b0324dce

SHA1
7c69b7ed0ec80503cedb2d1cc6195aa51563f846

SHA256
961261d4a60c5ce9089da939a73d60a13843cec4daf4f6c68f6e214278ddca0c

SHA512
434e5e78aa57f89b7b5f33ddd0eeb0d09246d54d863ffa62b01ee749e0aef8e3c0a7be4065239ee53c5220b44fef88911bc166774950f75a4f3fff307b0ba829

Download Submit
C:\Windows\SysWOW64\Emdajb32.exe

Filesize
55KB

MD5
56a9330bd811f405b7c3ae58b583df5e

SHA1
0b62abb0be8fd3322ba7b58bc5df1853eeb34eb7

SHA256
abe58978edc93d962d8adbb666d008ba127baf317d85adee47edc2c54d35d5c4

SHA512
77f45c193359036c18ef0ecd88f34cfec9762168afa70b741855af4b4a280ca8a276a79ec8e2c23ca586199bb5c86482111ae9dbcfdbbb83f8b8fdb93f2a9a0f

Download Submit
C:\Windows\SysWOW64\Emkndc32.exe

Filesize
55KB

MD5
27fb073cfbb0b610f1a8bd6d1dcea3d2

SHA1
7b6909e0f17b36848636bdf330848d8c74cd935b

SHA256
f4e2ffc01be8d93450b7da30a51f62b80ebf3badb2447a5951a64ae98bcb1540

SHA512
21395df0448f579e92ea17c60b94dc0ee5b3d0bee45ac2e4a4e8ab9f22e5c09e5d2965210f6a9985ec976cd4253a87dacc2095504abb4f7af5e3a47a6836ab2f

Download Submit
C:\Windows\SysWOW64\Emphocjj.exe

Filesize
55KB

MD5
ae3c53f3def393632aa9f56774576296

SHA1
9625cf4a465f18c1dd3a1c4531871c15c5790860

SHA256
6b9c49aae6b91a4f5f03f1a659c05fe79f7cf579b3647e454b42c1140366eec0

SHA512
7812e033718cf50b46daf8b473947e5d15ada4b30159af02dbc4855457e309a69ed603853048402523ece3836b80bebdb0ce97ed5b96264d7ac9589555bf772e

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
55KB

MD5
2c06d0cffd3af5840e9ce2ab3baee917

SHA1
125a83691867cab50a93d83b1b85b5c5e95e6365

SHA256
0392c36dde1a5c57b5b0a0a48519c7a30096327525500a049c3721dc9e515be0

SHA512
88fdeaccb6419cb6b8f2119e4816c8c580c2cc3c98a8f4739366a16d8358e835e57a774810f74cf860cc0ee2ce9b569e357244f61e45b6ecd98ed2d0594eaf83

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
55KB

MD5
81cf457c5fbe0a7fe4eb161ddb72f653

SHA1
6aea5da334644f882ef6b387533158ff3d75b2d6

SHA256
ad14d7bf14ffe3225b2f9537c0802d850de6a9a042d22c61ebed45d5f52b97a2

SHA512
7a740d6cbe59342b6969560948ef7318e2788e54b81614a9c0f9397a947226fe66015bb5669e9cc5dd0a12d69f5dfefc479bab996e4f96a2090c87985850ba72

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
55KB

MD5
942e4881aab6e1b35c8b3a70c6b936f6

SHA1
6e76dd13e51c365017710e28f2fd3e7f0983f758

SHA256
252fb9fa1ca90e1d340733aac8c9c37836a5642908ca504c650a3d5a47a2af1c

SHA512
bfe3c634afaf2ea0c6328414a3d8fc1a56b887cf819a5a28a542db9398a551a0fab70be933635648914fb329bd0c1c1d97bc45462fa0a1439f7dd2d69592a353

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe

Filesize
55KB

MD5
a0c2158701f351828e5efb0e903936c4

SHA1
f28fb4331f8ff567fd75911c2850a3c1ee449cc7

SHA256
bc3ff92c00a2afc15c86218d642fb802a83097212306bb2c7cfaae4d874e32f7

SHA512
7f248f1705dfb7b36a91ff6456426f949f3523a932eda25abf08195e74a7635ef2e622bdee0ff8c8d6161eae1965c97080f677fbc40592a3062d33179a6f25e5

Download Submit
C:\Windows\SysWOW64\Fbajbi32.exe

Filesize
55KB

MD5
1bca449fb861b385a1978bea43c67fa7

SHA1
0ecbdba07543fc00bf79ccbb87e710c86ba03d31

SHA256
a974a017025a4db5f51fd0eb1146a74d9d73370070874d80765dd48169307f20

SHA512
e8d316cb798493249e066002db794f77e39412e6bf8b159e6450d1a795b032fa5eef34e00f510cf93be2fec5124c3073f0596882154369cd723fb035265bb740

Download Submit
C:\Windows\SysWOW64\Fbcfhibj.exe

Filesize
55KB

MD5
39e4c292f0c9b40bd81c330ae928f88e

SHA1
dce682a702100b3dde02af918619e08c926b2a51

SHA256
91f6537bf0601f20717584fa16af1ce84fac93f88235d7fb0cbaa69e3a202d14

SHA512
53575650c66932373b1e01fca207c43df75e9368011f873c22361e0070529f79ff567cf0c198eacb7d61250328b08daadce7b74d43f5cbe79e420d87eea5beef

Download Submit
C:\Windows\SysWOW64\Fdglmkeg.exe

Filesize
55KB

MD5
5a149049a99be27f104957d75fc334c1

SHA1
abee8899deacb78cbcc733d9f44288b90f280404

SHA256
f06167a870ec8e72f2c99b4384bf3d4a353f541a3408af688e9c80d523f0ff5d

SHA512
ce60e1645629ddf02161ac0db1dc51efe50f0497b185cd24e1c889639bcec43b16ed62df6056bc9cc3c0139b08f588cd138db7d69af660c18dcc51cd0b52cad2

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
55KB

MD5
543dc9ac30937d6dcb7fc269939b151c

SHA1
99db444c9e16182c80279cf8b3e8fb88525f5db7

SHA256
a6873b021468d7c85ef8663386f7f62da5e29ad11beaba9cdeb8a04da4825881

SHA512
2bbe4b61555cdd2321c7f389b243aeb225f6dc6749a482197f5532bed2d0a2caa0df91c5c0d59eae403816f5a75ed43b3a725684aa9435743b2035c5f49a25ea

Download Submit
C:\Windows\SysWOW64\Ffclcgfn.exe

Filesize
55KB

MD5
2625a707c687d0a6cb16d3020d9eb34f

SHA1
8fe2c0ade896a018f581c6035c24c03619c658ae

SHA256
6a0cc930b6d4864c220538ed4c44f5eed2bf8b229402f4ee0dfcabbd0fee4e6d

SHA512
50e9e053b53aa4c7f5e1bf58e125ffbc71c216a2855ddc4a85b7dbec9c51160cec4ce73bf16233317593ebe45c1c96d306f9d6de558a418d21dbee70b46bec82

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
55KB

MD5
2c253f6089fc3a814537d6ea97e9d835

SHA1
85d3687752731e77e8fd05fa609992b49dacf1f0

SHA256
5ffb70acf990b88795d43d728d90886d0b1511056e6487d7dd78f41a9152100b

SHA512
d4fd7eb6c32acc41f1acde19d2cdd7c562a1c85a3cfa936b1730965aabcaa51b6e1a0974171a67527bf27fda077e0cab0b46a06b7b469d7cc1ec6e7bf3e8affe

Download Submit
C:\Windows\SysWOW64\Fimodc32.exe

Filesize
55KB

MD5
17b041f9707e5af0b1a47d9afa380e49

SHA1
83365582893df67bbae04c7fad934d1dbfe5dd47

SHA256
876c1775f2d4eddbd607d4876cc8c0f6ec21cc30706a8bd4f2042eceb46c54d1

SHA512
e81fbf875c439b4a1e268bd4fedd773c92d086f82c7fe8e6fa97e6d5354a869442adad40a53653f232da409945db596b738db7162484180517159fada5856bcb

Download Submit
C:\Windows\SysWOW64\Fjadje32.exe

Filesize
55KB

MD5
4802715f6074be5254a2eef219eda7c7

SHA1
a990048a63c4bde123bbf2461b7175badefe26be

SHA256
97c06d1df541082286ded724e9ffa7de5846f65b43541bb7525bfd3c30126572

SHA512
a5f242419228502e9def49ee86d63f9b46174e82630d9e9e73964edf71fde17525f43fe862abc94a084d2bffb1b5cb9f4de3d4c71ae238be79f06c2929be684f

Download Submit
C:\Windows\SysWOW64\Fjhacf32.exe

Filesize
55KB

MD5
185a3c515019f707fb38c590ce1114b7

SHA1
a02a8b4b6c96b37f02459246efebc9ec2b7576c8

SHA256
0382e6f2f04813f8be3bf54eba846b23aba4e36af319d8e5ce4ea14b1076e343

SHA512
bf478854a5628aaf93623476613d224f662db7fa13d2741d251440bf6e334372653f33b7bd6477fa5ff340c8c0535257e26b3a76da14d72603d5c882569cb80b

Download Submit
C:\Windows\SysWOW64\Fjmkoeqi.exe

Filesize
55KB

MD5
d91493f4dadaa5e24418e03324211b22

SHA1
4aaa8fa9703133cc93353f864746087fe9d1ce01

SHA256
98570b897f9f6f8136dd751f898ae0e32fa937d8d8ed3d0e59b35e51d27c7462

SHA512
70db4dde2501e06278516349e4ad944c1ac614237cf4ff4c4fd9a29b23cab82bc4077dba7ec8881d0b5bdc6f388a6921adcb54dfe85f81943ecfe1a6374e14ba

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
55KB

MD5
4c570e8d6a35aa1ca162acb237659749

SHA1
c174c5c291beef7ba07b99097b0c433b858b0421

SHA256
8ea616215b53834e60a31be9f83dfeee5605e036b5ed60851046376d2d48c0dc

SHA512
925584f4381fc032001f74cff9bc17bfcfe27d0e02e0fae03578adefe8e8195ecadbfd6e759f956cd29ca1e2123ab597039fc1af1b5e1b24ae8905ac4c6872b4

Download Submit
C:\Windows\SysWOW64\Flinkojm.exe

Filesize
55KB

MD5
2050cdd5d7e6f4fb554549752d5bccb2

SHA1
a21e48224225d8f1f3439078f9cbb2ad180de5a7

SHA256
a4cdec3cab59131798f59b1843d64f73804a0318f20511bb44948558c59c1693

SHA512
338a09263f5c260a97d47e62b04011a48e3585b4bb895ceb76b0157f722d0910bb2f63b235eee112580b7f04b0822a0e741e729773b0a2bec171ee7254fa00a4

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
55KB

MD5
8dd84a9557137ea9a2e765da630b1e6d

SHA1
ddbba29238cb74376fc0b6beff88251f727aea97

SHA256
f25ddefc767a929972925e6070d4ce992ddf0137e002a4ac6a30d9b49a1ed1d4

SHA512
f97ff1a55faaa47671576827f817930a0ff92cab37c4c162da9f05d3c936eeb5087f1a12257b3243c919e44f4d1a084958cd360f3cdb28e9dc9a9f579f5841fc

Download Submit
C:\Windows\SysWOW64\Fmndpq32.exe

Filesize
55KB

MD5
8bb9ae6bbb3909fd01badc578862b69f

SHA1
e7ed1a5fef941abc6baa0360443155ed5f7c6d78

SHA256
94a1d7ef7048c120eb17be79ac102abe4296ae6e44988a8427c737cb791e27cd

SHA512
440613a2a6b06e181479185ea18c86ae5b7030e5e738d5e4ceb2480eccb209a3f3768cd77f7fbda034716e5476669e8903b143d04b070fa2e3b2eddd42df109c

Download Submit
C:\Windows\SysWOW64\Fpggamqc.exe

Filesize
55KB

MD5
96d7bd882fa905ed838bb9108aaf3465

SHA1
3bb968a1a27e44f2423694bbb80bdd6912ee8c3d

SHA256
a13fdcbbb3ec8aee9b6056079be9edd437071723a7bdab0c42c469d551178ae9

SHA512
c5de886fc0feedff4725fd0de74e3982a3c55f09a274e6aa9ea02d4eb9e9dbebe09dbd4719b331b5f4f814826a15c8564851bf8f92dcfe43b04bee6b7bef4588

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
55KB

MD5
6fcba8b174b35e9e925a700ea0658e66

SHA1
cd0d76bfd094b6ab8bfe7e0d636fcc3f2ba697ee

SHA256
fd084abeee2e28c995f1b57be113b1efcd391551c6e43c1a21ad0da99726caec

SHA512
bbd8aaee83652a377bcf824a8c4ef0a61aca291d0eb1c3e1fb783ee549ec75861f1b5d0e4f2fc5efb1b58fbd4227d268e5484dcd67187f5fe049162dbbba8dfc

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
55KB

MD5
27dc86f0f781ac1c0ba34608b2c0d86c

SHA1
824bc311e4267786b16c8cf57f7e23837029374f

SHA256
837fd0a893c73c3cc6726b09a0d08f55ecfd98dd217b9b25b381daedea92f3fc

SHA512
1a3032241296d589c3bee63a0ddb8bb6f27dce61f5db449f42a6f0fca21d0c64eb69d9f72ffb92fe0a2fbcc6de931576e10c9796075ecb447985287ce75c448e

Download Submit
C:\Windows\SysWOW64\Gbofcghl.exe

Filesize
55KB

MD5
4ec720f5bcfec734d10554be78658b4a

SHA1
b5fb57456feb94d74f037bccd2772647255e55f4

SHA256
71fa44b88a48193c766f3ef7188b4575cb59ea5f48e167cf5cfeb2257d097303

SHA512
9da693bb3d2387fa8ee64cd9d7981c982958a150f701d64ffe543faa7337bf44a4f54dcef3fa4a16af7f353509afe37e13faf177862efd114f6a7b15476d8472

Download Submit
C:\Windows\SysWOW64\Gdaociml.exe

Filesize
55KB

MD5
2bf8f416aadc4e11bd31f7ba437a1e3b

SHA1
26f4f59dc6384406a92bf39fe1ffe5d5a335afe5

SHA256
3df5c2565140978162817fc352b061b4f7c116c97d910c758f542f92c4cc24f8

SHA512
6f029704da97529ace5ddbcbb17595c4945a14f8127319b0f5fd2321d78c6bee24b64299454cba2f6db287c6760550642c73170a7e4a9eb6e060116f595a7a6d

Download Submit
C:\Windows\SysWOW64\Gdobnj32.exe

Filesize
55KB

MD5
a3340b3b63df4d14cfe04b71ca67654f

SHA1
c04721b0e40499c499312e70ff3f7e2c7755de8b

SHA256
23e66d9491f45e859f20b97c7c5b2487733fca2e3db1c85807b5dc82d52f1c17

SHA512
cb4544364060be88fdeee7e547115c0f1a6f4a0392d38255dfcd3d3e129f6db9016e86f3a3cbd470f2f67b3a7ac212f39c6d9faef26485b11e494a6bc93a2824

Download Submit
C:\Windows\SysWOW64\Gfmojenc.exe

Filesize
55KB

MD5
0bfecb5a54d2d7e7e253a92190a262c0

SHA1
4ff839b252ed53bfe1c1288f39ad577d4413e93f

SHA256
205c3ecbe64d2e50c8a62818540ee229a951092934e1ca407634946161284ca6

SHA512
dd9c6d310403ac47a2f36bfa4b98d835878d3c0281927b2730d20defacfc0d1a356bbdd9bfc9e25304c56f68c8538e4584d8a4e6de8a1ffefdec03cd161c5dfc

Download Submit
C:\Windows\SysWOW64\Gikkfqmf.exe

Filesize
55KB

MD5
6c4bd3ee95299e3b42f7ef7acb0e8fff

SHA1
5c082279ad83438330be3e4e64e36b3bb7e53f6e

SHA256
c5675945ac6b42e40f31ccf23673f37220972a90475412dcae09a2f13b042c53

SHA512
99d33bdf7ce33bdae79768f3304b3e7e0a44c938914572ab6b33bce7fdae8bbefadff1d738a768370340e5e8a7b13031077655fb50268d177e79e18ead7ce415

Download Submit
C:\Windows\SysWOW64\Gjfnedho.exe

Filesize
55KB

MD5
812ed973e9f3166d497c9820b88a1e36

SHA1
6f4a5ceb9f116bbf87b499885a29973ec3582544

SHA256
7296681a84a1722c18c69ec7d929912f284add2442853264677a19d1e26baa68

SHA512
8533b131854580f8a5c6303ebda11a2ad59110f3e11d6a658ff03e6a5b9a0548e5670924242f213357233509a4296160b4dc1cbced1db93d33db27ea68048672

Download Submit
C:\Windows\SysWOW64\Glengm32.exe

Filesize
55KB

MD5
a0868043ebdc07479f519eb4a8d22a22

SHA1
c8053df3e05e0a5e7fd661662379b893a248aa22

SHA256
7f76eee7f8b087bfae15bd8123626457f2d409144ac10cee654bcb4b5a3b7736

SHA512
dd287b716e6cfc9c4012b1d7516dd6c8f2120349289a4e7cec10e234f5b68ba27f3e4e5809ec838489adb46d3b0d02c9c26881625b7c0d1dc2fda8bfb37b1a6a

Download Submit
C:\Windows\SysWOW64\Gmdjapgb.exe

Filesize
55KB

MD5
ee040feb35d9193c4698860bef709e48

SHA1
1851bcc16de1db8d4a457234dee86c794dc0dc1c

SHA256
c3fa3cd130de8a6efbe0a7787e2d92fffa983f98e990c65028c3c37d9d604bd9

SHA512
fc222cba68d0d45737c2fb81bf7b468ba4a5307e0498d48b1712c6f8295a828b0761e2713c3f2d5beebdf0cf4c61120c85847ac43932faf1093cad64933bd47a

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
55KB

MD5
e06664748d3a91e9ce7716f766e4bf80

SHA1
a29198e453001fdd5186af88a13a435df10574e4

SHA256
189ac5c545f59a46e0011f28b5ebe8f2604d79a8201033765ea5d3ecf7d0b478

SHA512
f64b8fb9e86b69671bdff72a0a14936a714766baf24ec38b738e3442655936858ae6f601ced853cae11457370102bc714eac422f8fdd2cff0d049bdc004cd62b

Download Submit
C:\Windows\SysWOW64\Hdokdg32.exe

Filesize
55KB

MD5
62bb8eeda6500fb0bc45a10fad41f3ae

SHA1
46ed8e1025b86aab892af011e4ebcf8276e7be75

SHA256
fd83e863de735cd86e2261ff017b077923a20c65f8990dd52edb0eeb2d24cc92

SHA512
d5a72d111b8bac0a4a10abadec27a5f0379c776559905a23297ec4a03edb61d710a305c9f00ae9a15256a34afd347377228230f7d1f2630fdeae4d8b34dec8e7

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
55KB

MD5
909f277700ee5c4cec29d1fb3fbde9bf

SHA1
0cb406373332b6a79c1ab555c442a7fae64e6444

SHA256
86bfbde8e53a3da19b7674a886d9fa10744e349184473fd486445a5cef20b52c

SHA512
a4192393d6a945331a595c045826a4a33ef0661972a25fe0c69143edd9a9e4985c6144ebc95387ad750475762618b126a61fa220e769595a04d4a4bcb800e2f6

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
55KB

MD5
b6ee029a5155b6e87a6b68d84c932e41

SHA1
a24497401b5ae4970d2b9a3beb3c6a85fa29ebcf

SHA256
6524b814ed8b5ad6c103a2f45978456b3695fe350abeba5cc949c25322228b41

SHA512
df1b5795c25022b77ce3b7e8e82484137817b6ac8d65f5235c94dd0b6a3a8811da433f6d9fbc3c68f49a96ae1ff9955290f6f26366f40c111b70e79ceadfe250

Download Submit
C:\Windows\SysWOW64\Impliekg.exe

Filesize
55KB

MD5
9d0d047ca51edd41369bcc8a3955314e

SHA1
41e17498c01abb88f201d4e9bbb7e108b7ddbd5c

SHA256
a7e4362d198ef3d43f6831bc1690165587938be1ae870eb99aa12b1ec6be388c

SHA512
cb5601c35ec62990b8d06a44ba70a18eaa5a8fafc502169264481191d11a57ffb69d12369f33d39d5e2aeecd670b8feb63637a6d4d5b86be656b17858f233dfe

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
55KB

MD5
5c1e1da18baa86d79adf9ff0e38c228d

SHA1
8245affa73369710045884ad7194e55c838dd7b3

SHA256
01b1c1ad1f9b7c322e5325a9a35ede7f43816771e56c36865813604dc050329b

SHA512
67c565441a230cd220b680466b33524d85dee8ad2e95f2cb03ce884f8e033f80881704a5f35a4fb54897d4e6bcc94e53385e9193e082600e63d2d2d1bdaa6c5e

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
55KB

MD5
529ba6f64737495986a69779aecb3a4e

SHA1
1bfd4f5a045715fed512497529890aef92672900

SHA256
817e9c5b6236c5ade49e6c0751e915977629d517228ad772682b04fab9c4abe8

SHA512
1a3a76596073f842ffc7af2acdc4927330e045ef55a045fdc5212d7ded832d0eff8e54f360ed00ba95750b73a6c27d18f86bab4da5fe671ea57e0807286d351d

Download Submit
C:\Windows\SysWOW64\Jgbjbp32.exe

Filesize
55KB

MD5
5bf1deb4fcedcbd30018da77f020b3a9

SHA1
8955ca241d740dd7eb8ab8d48487fb5fd94adb78

SHA256
39191af9a64b4487eea78a66374545817432a854229d763e435317d82c9cb7aa

SHA512
4669266f5715a680cd61c11fe022c952f7b60f912f54e2682f40bbc6e37387244785aa1d0d0daf7f8534af2235ce176f4e008f0441f37858afdb32b578aa4e9d

Download Submit
C:\Windows\SysWOW64\Jljbeali.exe

Filesize
55KB

MD5
b0b8df7826aa0e4046d644aa795b4a6f

SHA1
ff0c8e496588a5dbf9c904c3398c55e908ff5a29

SHA256
743df4e182f8a1f504a869622317f507262d23a2f093f70f02a5efa319780b57

SHA512
5e6073111aa38806a289d26c7fc103cedc11c3e62d50c020d941070c488dff546a8bc804c45cf1ae2233d3747ec40c72da1bc4c843ee1a01aeb468c2879e8618

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
55KB

MD5
794737014766298fe4a8af7ec75b2bce

SHA1
9dcdcf0acb32e25c50e17ca2fdb0ef153f6983dd

SHA256
5ba51621c6097bdd685d679c0d31f3ce32b1faf2fc70594c70ef9c03b74f4ce0

SHA512
535e09001d6fc4af10f8eeb966019fa862b0c17ef273627408007e8b952aff7a69d7e240de9d606323509808d06d71019e7e6d164bdafd40efc122e7d52bc56e

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
55KB

MD5
b4e02360a95b6a919ce1182c82bf7277

SHA1
59fc36549d0bb82ede753a7695d57ece0c35674d

SHA256
faa414dd7744737d597c15a60ae61a229f2592af2341d6bf2ddda1f0e046b863

SHA512
1be6e48db12fb155ae0937b5f464b749ab2fcc0969c48477bc6f0b56c63f95aeea378bbfb595a9144a3717ec5d5ec837ff91f91ce44e53ea53acb129c9b9c3eb

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
55KB

MD5
fa35858c599ca7544112576e44741dec

SHA1
98efe4fd6ff2724f848dab622ee415cdc4d0cbf4

SHA256
3bb8f2741519e59ae2a57539dafb08c2905549aadd20667f179958825f9cfd82

SHA512
fa13691047fb285e10c8225bc4f4da9113e024667afc157da4cb7e4babbc260403fbfbe020c6461a6eb116ed9eb477de53d8a49323f27da3f3b15708b9c11736

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
55KB

MD5
2776d0c183afe34c73d83ed38bae7a65

SHA1
3683d45bdaa2fb6363c24bfd12dce4dae713e18d

SHA256
b61920ba6c967a214dd758876eedb84d38e96a30ba751eb33c0d714fe34c77ae

SHA512
985b69142f5ffb9284b3608afe4bd61984b84fbeead435aceda851025ac3234c4deffeb0f139deaa82c466eabdc98e42d882d2388a5ffd35a1a9fa65fccaa2bc

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe

Filesize
55KB

MD5
d0ed49fb2f1b4ab0515165ddc5635dd9

SHA1
1df9312be01e7becc04b58b988829d68018fc2d8

SHA256
0bfe3dace0f116bdd7f970eac79672599d25eb1e7e0897dbfa2bb1a7a312c432

SHA512
831a26127adee19d4bf1be28e9cb8e8e7e57992c5ae829aaf71f2911b6cbd832d9d7b633488dc1a62d048c569068f3931b8eb46beb60d7367ec251ac289a8501

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
55KB

MD5
bb5d8e9cfd9bff39f03493d2acceab96

SHA1
4de99c23cf11d04a01213dd16cca77150dabfdda

SHA256
695d79b3308995d4488e6073d4343ddc9aa794ba7c2e8026856167c24a31bfe2

SHA512
447f481d28d86b507cf1b7219a5832969d053ecbb1c87056097acb44d46895b133aae514a6131d4d9d82543f0985fed38ad4024710bda3055fdf05458b19c36c

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
55KB

MD5
d54f346ce22d8af6fcb9449f200a32bc

SHA1
2281aac06f2c9fddc41c17c62e2c52ce6aaca19a

SHA256
f87538d1824030ae6349991c6627be59fd606918de47796bbff1c306a8592f10

SHA512
1b97ca3f33294c3f9fb45578afdbe73e9d609d90985d90117763acb6f77784dfa4727f585862c5b92eac6cc0003069d1b932c3a94b72c3671c3593f5790c4bca

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
55KB

MD5
afab06830f8a156208582fac1e0a8662

SHA1
3697d15adc87a177f14f03029c5b4914747f74a1

SHA256
1bca290d288f3ef3c0f6423e35a70dc1d45c2df13a0bffd96a0e2bd0c758802d

SHA512
029ee98deec1197af534ccc777cccf5a47cc4829cfd990038ff1ebe0e6dd8caffaa5249026d791c068978f7de297eaf6364a271f6bacbd6aa1d8cde5bb4e9b7e

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
55KB

MD5
c1e7ab238fc182c61e44a2155bfa57dd

SHA1
c062d8d95b78a50173edf4050924a648df6fe47b

SHA256
5bdc7e749c510c423e9c87f0d6626f4857f0e2e31f9a9642cc73c7646b84c105

SHA512
0274ee592e6ea6b504ad7759883492b9e146852e0e6228054402d3a4d2df26a427f100437be0c093c1156074b6a080dcd76631ca0e1f4bcb9f8d65319f68d0c8

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
55KB

MD5
3ea9b0dbfab03e46962f6a38b11a76ca

SHA1
c34f6f94e19269cef04effa69c008139b54f5813

SHA256
bd718c9469347f3935a1c921bf53c9f2a2ce807df07bfa75b22c574a78b1aedc

SHA512
7f40c1809e83e8d49ae6556217de9f4f52274e7a3103b73fe58439998cadb299a13c22f450846dba5ecef10746e9c8c9a9c6c30bd47186f51ef8e15044302631

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
55KB

MD5
d46cb5800a497952d847945e81c9cdc9

SHA1
329d0365f886c590e7b504a4d095b6df254a1e9a

SHA256
41a24cc48a4873a8cc2988b7da5ad94221267e14a08fbe6fc04471d8dd7e4da8

SHA512
a0b67aed6084e6a8f8876bcdd1e665bc88cc24fe4541cffb0b47a4f5f02a158c2d1c9ac3f52ffc14a70bac8583bb01160173c8db6c499d34e510191aac85f9e8

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
55KB

MD5
9732f649f4d792ff0e8e7d0f9edaac9a

SHA1
e98c727325a56bc49bff42315a07283850a087f2

SHA256
670347f33149afbdcaffb610df74e74edbd3ac7ee448aef3870b6be6df7876f9

SHA512
c9f7f69284aae09b40af3286fe0cc8d6c14d78bf360a0055cec9b74d3a75821a09c17954525f5eba08710b1661965fd9b0be84ea563a649f531aab3d692e733b

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
55KB

MD5
e0923dcc2bb082395b1baa58eb1681c9

SHA1
44c1dcd62ccc2a2068dde938e59f3db71247e945

SHA256
998050644e7f205f2392af82868a707dccf1099ac673f5bdb70d48a1b62fb757

SHA512
6ff262f6dba2495641513d8725ab0cd73b9bd911c0cf7cd810e550e0dcb275e67892758b74af35a3a18c885e88c7415e3054a220f6a907743e3a57e363713e05

Download Submit
C:\Windows\SysWOW64\Oeehkn32.exe

Filesize
55KB

MD5
e23d6ebe97a05335611a677102445f82

SHA1
0f8b3e0d8e4891fd7a2aa457e78d23883d0c0d1a

SHA256
95efd416b9acf15ead7968187f08548dff8d09b111b868a080f3089c830d5927

SHA512
f0b75066f1fc89e167ba8bf7886efbfa1a0ec64fdf9d1035f6a33294bb4f6a4a84fac822f4f47fd59e8f6661ee7d69ff5c56f85e9a5cdd5fdee2e63e90786248

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
55KB

MD5
49c34240d6b2705cd829e5a4b54b37c1

SHA1
3e6baf70239d37f3c2bb8f058be77565bb010b61

SHA256
581bff50e1e10026f7325bef89c5a979c6f54d230c7579d645afb4ff192f0134

SHA512
46664cb59f21117b3ef7cda4bb949f40267094145a70c645c38baabb1c3bc358c77628a4a09e9076771b32b80c2499b9ecb898c949acab00c9f8ecba1563cabe

Download Submit
C:\Windows\SysWOW64\Oflmnh32.exe

Filesize
55KB

MD5
e301bc32054d9cdda0a51723b852a4b3

SHA1
01de32d563ee02232b6cf241096c794c5bf22798

SHA256
fd0b2c25bcb296ec2e948b42befb82b8418898ef439d25aeeef04fb16d706d14

SHA512
210c696a8ed543cea9dc7c860f128c9984bfee048ec6db2d23246b11c236a7e152c911c1dcbfb536025806b1118c31c0709efafa643ab7a87c631d12f04d9b6c

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
55KB

MD5
d98b25b070e854ecdc8b10c87bc0fd95

SHA1
5913cb0e7327cafb7fc8294d099c0afc169df8fd

SHA256
66828fbe122867c27fb430fb809c4ec581da4738753df8d69850a926664b9313

SHA512
33ce2407cb04703aaefcc327f32eaecb9865d2d836004b3087e19c02a5ff7bdb90fb392bee15a3177255e95830ba040bcac82d0f592f51be32083efb1a8d1315

Download Submit
C:\Windows\SysWOW64\Oldjcg32.exe

Filesize
55KB

MD5
62acc1e077906efe0fb88025afd0b4f8

SHA1
1f7a67c7d127ee86b8fc7b83b6b3a2c79a0d5423

SHA256
476f48ffd13ad2c9de242b31b89e7eefd38b8e9a76cf0759e47b5c45ba56b196

SHA512
4e60c6835e9dea7ce469c5b2a9022d8eed5e66da994884e2485e13adf5d2d90c264c034a9322706ea15ecf8cda8fff8f2d84cfb236bc2e3eae254893cf532b29

Download Submit
C:\Windows\SysWOW64\Omjpeo32.exe

Filesize
55KB

MD5
6075dfd249812f488bf87ec25ff1d548

SHA1
84933f05c1c6c40213eff54e3b405cb9a67c2e87

SHA256
bdf371825210be2e8c50d318c0dbc3af9901c4600f43d44dfff38a72560fb7c8

SHA512
58d94e447be3665160319262f4a00f3b340e403d470ac8bcb379b22abba5c3483c5b0cc3dd3a53ce502a6cdee9710e9b3b591b31d89f3a7d8f29de9caeec46a0

Download Submit
C:\Windows\SysWOW64\Pciqnk32.exe

Filesize
55KB

MD5
8c8ed32bb747d360c8a5eb8d67dc9422

SHA1
757be2f149a3cb7e45af16e2186a70c8d5fadd7b

SHA256
cc9b0f13af54fe6347bd09148637e8038660cef23b5ba51bcbe25b10654dbeff

SHA512
ed91073c25852ddf3b510390f50e2217323d31ab0dc427cfe5d23f0cef8e1c42f07a8cad3b6375a68fc7cac4b2ac3ff79b1cb4bb1af7156cd0325a20a4620e93

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
55KB

MD5
8f9c678b0cd4e58d83abcc2091589c86

SHA1
481dc9b9488b9241b48ffd4bd48b7612062aeb73

SHA256
72631133086e98cd8d04b0eb62d2a606f94b5fbcb074786d592d83aec59e6b21

SHA512
89ed3d8934dc3ce49c1b57386a50cf843a37e89d06c05c5a40d6298c4fec9213bbaf6f0b2ca7496890503e0850c0e04a409635afa4f49cadf7f639afc4cc6a20

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
55KB

MD5
0b33c8ac83d07029b4cd51e1dd85ac22

SHA1
0436fe082491a34e775aa4877ba56adc694ac932

SHA256
a373ec5431b93c3a9607b5a2f377781c4e50d8a2cf645670dcd5fd755d891db3

SHA512
f73785a6c166af2d95f561fa81980db372933353c2660c42d6f1701ca734fb1fddf3dd8a7240f0674f016b8cc4e79b906ec4c418cfaf790873c16ded85a6bfa8

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
55KB

MD5
440509e3068679c1201123c4e4a3bd73

SHA1
ccb81764ec198f82dbe47a7fb57dd3c3ef8c0767

SHA256
808cc81a29d23d3305f0b91972da103d0828db945d0916b9e1612b3906b350bd

SHA512
fa5f51f1ddcdd6bbcd19f32ce920320e90cf1c9f92097a7223ccbc6ef9e2b0cc58fc7449a56523f4dd058cf52717664a3097504a746f8c2c986612be246132a3

Download Submit
C:\Windows\SysWOW64\Qfjjpf32.exe

Filesize
55KB

MD5
ddc806d14dbac3e38a1fe10efa778928

SHA1
287e3bcda22a2dbf00ed82f48c4c1e208a98eab6

SHA256
58cb4ac2cba8536d8b56db8beeefa4afea3ff1d18639fc45da3fb81791515529

SHA512
4ddda357abb464b5a8dc68a26f7e7fc322c30769df2a03cda7fbf6b7906ed8f7d6289a451b2b7df435d02e67ba9daca2ccdee350b85373cc688a2398b5a35c31

Download Submit
memory/392-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/488-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2020-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads