berbew | 7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a

Analysis

max time kernel
92s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe
Size

123KB
MD5

b0c2aceab566af9b9b9a27836366057b
SHA1

1ae779fbe0d0672d3890bc0a07616620e70f7e2d
SHA256

7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a
SHA512

b49f53a4805e014d02c805e7b31ca3b1f40ce684d68889a4845750de11c16796490ce0e324c628ab4e0c24f36cd0b93ebe7256e81a0155430dc931dc8ecf30e3
SSDEEP

3072:0b4yMqfCMLFZtXQDcors7lRRYSa9rR85DEn5k7r8:QKMCM9gcors7lR4rQD85k/8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhahaiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkipkani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdoof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blielbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiloco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggahedjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knchpiom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgninn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcjmel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkegpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeodhjmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikkfqmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Badanigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glgjlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpfepf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knfeeimj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkgcea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adikdfna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhifjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oeokal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkoch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjlmclqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldipha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjnfkma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eppqqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkadfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgjndno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oelolmnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkpmdbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijqmhnko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnjpfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klahfp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3916	Efhlhh32.exe
5960	Embddb32.exe
5776	Eppqqn32.exe
2164	Emdajb32.exe
4056	Fbajbi32.exe
5804	Fmfnpa32.exe
2508	Fbcfhibj.exe
5592	Fimodc32.exe
4624	Fpggamqc.exe
3436	Gjdaodja.exe
5272	Gmbmkpie.exe
3288	Gpqjglii.exe
5724	Gfkbde32.exe
5276	Gjfnedho.exe
3076	Gmdjapgb.exe
3696	Glgjlm32.exe
4912	Gdobnj32.exe
4376	Gbabigfj.exe
336	Gkhkjd32.exe
5552	Gikkfqmf.exe
4936	Gljgbllj.exe
2240	Gpecbk32.exe
5204	Gdaociml.exe
3904	Gbdoof32.exe
1384	Gfokoelp.exe
2468	Gkkgpc32.exe
1700	Gmiclo32.exe
1580	Glldgljg.exe
4824	Gphphj32.exe
5264	Gdcliikj.exe
4848	Gbfldf32.exe
3748	Ggahedjn.exe
2484	Gipdap32.exe
1604	Hmlpaoaj.exe
2352	Hloqml32.exe
1260	Hpjmnjqn.exe
2036	Hbhijepa.exe
5172	Hgdejd32.exe
5060	Hibafp32.exe
2664	Iinqbn32.exe
1416	Idcepgmg.exe
1204	Ijqmhnko.exe
4972	Iciaqc32.exe
5288	Igdnabjh.exe
6112	Innfnl32.exe
5560	Idhnkf32.exe
4432	Ilccoh32.exe
4888	Idkkpf32.exe
1012	Igigla32.exe
5436	Jlfpdh32.exe
5872	Jgkdbacp.exe
4380	Jlhljhbg.exe
1280	Jcbdgb32.exe
1444	Jjlmclqa.exe
3016	Jpfepf32.exe
3532	Jklinohd.exe
3008	Jqhafffk.exe
5816	Jknfcofa.exe
2932	Jjafok32.exe
2396	Jgeghp32.exe
3880	Kmaopfjm.exe
2604	Kdkdgchl.exe
5244	Knchpiom.exe
4552	Kcpahpmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nagpeo32.exe	Nnicid32.exe
File created	C:\Windows\SysWOW64\Cfipef32.exe	Ckclhn32.exe
File created	C:\Windows\SysWOW64\Eiloco32.exe	Dijbno32.exe
File created	C:\Windows\SysWOW64\Iljekoej.dll	Eppqqn32.exe
File opened for modification	C:\Windows\SysWOW64\Innfnl32.exe	Igdnabjh.exe
File created	C:\Windows\SysWOW64\Kbopqlen.dll	Phigif32.exe
File created	C:\Windows\SysWOW64\Qachgk32.exe	Qoelkp32.exe
File created	C:\Windows\SysWOW64\Hfjjlc32.dll	Fneggdhg.exe
File created	C:\Windows\SysWOW64\Gnepna32.exe	Glgcbf32.exe
File created	C:\Windows\SysWOW64\Mccfdmmo.exe	Madjhb32.exe
File created	C:\Windows\SysWOW64\Mkadfj32.exe	Mcjmel32.exe
File created	C:\Windows\SysWOW64\Mfgdjh32.dll	Odhifjkg.exe
File created	C:\Windows\SysWOW64\Oogpjbbb.exe	Olicnfco.exe
File opened for modification	C:\Windows\SysWOW64\Gmdcfidg.exe	Gemkelcd.exe
File created	C:\Windows\SysWOW64\Fmfnpa32.exe	Fbajbi32.exe
File created	C:\Windows\SysWOW64\Mmbanbmg.exe	Mjdebfnd.exe
File created	C:\Windows\SysWOW64\Olfghg32.exe	Ohkkhhmh.exe
File created	C:\Windows\SysWOW64\Emcnmpcj.dll	Geohklaa.exe
File created	C:\Windows\SysWOW64\Balenlhn.dll	Odmbaj32.exe
File created	C:\Windows\SysWOW64\Bffcpg32.exe	Bnoknihb.exe
File created	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Lfmmaj32.dll	Gimqajgh.exe
File created	C:\Windows\SysWOW64\Hbhboolf.exe	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhapk32.exe	Mcqjon32.exe
File created	C:\Windows\SysWOW64\Eleeje32.dll	Ldgccb32.exe
File created	C:\Windows\SysWOW64\Icinkkcp.dll	Dbicpfdk.exe
File created	C:\Windows\SysWOW64\Fnlmhc32.exe	Fbelcblk.exe
File created	C:\Windows\SysWOW64\Gmafajfi.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Gflhoo32.exe	Gnepna32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcaknbi.exe	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Klahfp32.exe	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Ffnknafg.exe	Feoodn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfokoelp.exe	Gbdoof32.exe
File created	C:\Windows\SysWOW64\Ohkkhhmh.exe	Oelolmnd.exe
File opened for modification	C:\Windows\SysWOW64\Ekodjiol.exe	Ekmhejao.exe
File created	C:\Windows\SysWOW64\Imkbnf32.exe	Iipfmggc.exe
File opened for modification	C:\Windows\SysWOW64\Jknfcofa.exe	Jqhafffk.exe
File created	C:\Windows\SysWOW64\Kbgbpn32.dll	Mkmkkjko.exe
File created	C:\Windows\SysWOW64\Bnkbcj32.exe	Blielbfi.exe
File opened for modification	C:\Windows\SysWOW64\Ffceip32.exe	Fnlmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Jinboekc.exe	Jilfifme.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Gmbmkpie.exe	Gjdaodja.exe
File created	C:\Windows\SysWOW64\Bcflijmh.dll	Lmbhgd32.exe
File created	C:\Windows\SysWOW64\Mbnnhndk.dll	Pdhbmh32.exe
File created	C:\Windows\SysWOW64\Ekamnhne.dll	Kfnfjehl.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Blickdlj.dll	Efhlhh32.exe
File created	C:\Windows\SysWOW64\Gphphj32.exe	Glldgljg.exe
File opened for modification	C:\Windows\SysWOW64\Aolblopj.exe	Alnfpcag.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Jiglnf32.exe
File created	C:\Windows\SysWOW64\Jilfifme.exe	Jcanll32.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Gdaociml.exe	Gpecbk32.exe
File opened for modification	C:\Windows\SysWOW64\Lgqfdnah.exe	Kdbjhbbd.exe
File created	C:\Windows\SysWOW64\Ncofplba.exe	Napjdpcn.exe
File created	C:\Windows\SysWOW64\Ddnfmqng.exe	Dbpjaeoc.exe
File created	C:\Windows\SysWOW64\Glgcbf32.exe	Gmdcfidg.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mqimikfj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9840	9548	WerFault.exe	475

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfokoelp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nndjndbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onnmdcjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkgje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlkedai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkpmdbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfipef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgbdbqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igigla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnmkfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napjdpcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glgcbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfodeohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqimikfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpggamqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjafok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbanbmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olanmgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olicnfco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnoiqdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnfjehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpqjglii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgeghp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjijmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnicid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omegjomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhbmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aolblopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpmbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnqjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhnbhok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahippdbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemqih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iohejo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jinboekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glgjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggahedjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhahaiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkgcea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Impliekg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llmhaold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnldla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgloefco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqpamb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpjlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efgemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hibafp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njfagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qachgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchppmij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffceip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkpophj.dll"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbopphio.dll"	Plbfdekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll"	Fimodc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlpaoaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Nnbnhedj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkgcea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll"	Nccokk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnkpnclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pddhbipj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phaahggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plbfdekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobkpkdh.dll"	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmdcfidg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbcfhibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemlnm32.dll"	Ggahedjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll"	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moehgcil.dll"	Adikdfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakdmb32.dll"	Fpggamqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maiccajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjdebfnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlfnaicd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jknfcofa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcjmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll"	Ffceip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll"	Knhakh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpdhboj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqikmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fneggdhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljekoej.dll"	Eppqqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkchelci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nabfjpak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll"	Bemqih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmbhgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll"	Olfghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbfldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idhnkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll"	Oelolmnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddligq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3916	3184	7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe	88
PID 3184 wrote to memory of 3916	3184	7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe	88
PID 3184 wrote to memory of 3916	3184	7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe	88
PID 3916 wrote to memory of 5960	3916	Efhlhh32.exe	89
PID 3916 wrote to memory of 5960	3916	Efhlhh32.exe	89
PID 3916 wrote to memory of 5960	3916	Efhlhh32.exe	89
PID 5960 wrote to memory of 5776	5960	Embddb32.exe	90
PID 5960 wrote to memory of 5776	5960	Embddb32.exe	90
PID 5960 wrote to memory of 5776	5960	Embddb32.exe	90
PID 5776 wrote to memory of 2164	5776	Eppqqn32.exe	91
PID 5776 wrote to memory of 2164	5776	Eppqqn32.exe	91
PID 5776 wrote to memory of 2164	5776	Eppqqn32.exe	91
PID 2164 wrote to memory of 4056	2164	Emdajb32.exe	92
PID 2164 wrote to memory of 4056	2164	Emdajb32.exe	92
PID 2164 wrote to memory of 4056	2164	Emdajb32.exe	92
PID 4056 wrote to memory of 5804	4056	Fbajbi32.exe	93
PID 4056 wrote to memory of 5804	4056	Fbajbi32.exe	93
PID 4056 wrote to memory of 5804	4056	Fbajbi32.exe	93
PID 5804 wrote to memory of 2508	5804	Fmfnpa32.exe	94
PID 5804 wrote to memory of 2508	5804	Fmfnpa32.exe	94
PID 5804 wrote to memory of 2508	5804	Fmfnpa32.exe	94
PID 2508 wrote to memory of 5592	2508	Fbcfhibj.exe	95
PID 2508 wrote to memory of 5592	2508	Fbcfhibj.exe	95
PID 2508 wrote to memory of 5592	2508	Fbcfhibj.exe	95
PID 5592 wrote to memory of 4624	5592	Fimodc32.exe	96
PID 5592 wrote to memory of 4624	5592	Fimodc32.exe	96
PID 5592 wrote to memory of 4624	5592	Fimodc32.exe	96
PID 4624 wrote to memory of 3436	4624	Fpggamqc.exe	97
PID 4624 wrote to memory of 3436	4624	Fpggamqc.exe	97
PID 4624 wrote to memory of 3436	4624	Fpggamqc.exe	97
PID 3436 wrote to memory of 5272	3436	Gjdaodja.exe	98
PID 3436 wrote to memory of 5272	3436	Gjdaodja.exe	98
PID 3436 wrote to memory of 5272	3436	Gjdaodja.exe	98
PID 5272 wrote to memory of 3288	5272	Gmbmkpie.exe	99
PID 5272 wrote to memory of 3288	5272	Gmbmkpie.exe	99
PID 5272 wrote to memory of 3288	5272	Gmbmkpie.exe	99
PID 3288 wrote to memory of 5724	3288	Gpqjglii.exe	100
PID 3288 wrote to memory of 5724	3288	Gpqjglii.exe	100
PID 3288 wrote to memory of 5724	3288	Gpqjglii.exe	100
PID 5724 wrote to memory of 5276	5724	Gfkbde32.exe	101
PID 5724 wrote to memory of 5276	5724	Gfkbde32.exe	101
PID 5724 wrote to memory of 5276	5724	Gfkbde32.exe	101
PID 5276 wrote to memory of 3076	5276	Gjfnedho.exe	102
PID 5276 wrote to memory of 3076	5276	Gjfnedho.exe	102
PID 5276 wrote to memory of 3076	5276	Gjfnedho.exe	102
PID 3076 wrote to memory of 3696	3076	Gmdjapgb.exe	103
PID 3076 wrote to memory of 3696	3076	Gmdjapgb.exe	103
PID 3076 wrote to memory of 3696	3076	Gmdjapgb.exe	103
PID 3696 wrote to memory of 4912	3696	Glgjlm32.exe	104
PID 3696 wrote to memory of 4912	3696	Glgjlm32.exe	104
PID 3696 wrote to memory of 4912	3696	Glgjlm32.exe	104
PID 4912 wrote to memory of 4376	4912	Gdobnj32.exe	105
PID 4912 wrote to memory of 4376	4912	Gdobnj32.exe	105
PID 4912 wrote to memory of 4376	4912	Gdobnj32.exe	105
PID 4376 wrote to memory of 336	4376	Gbabigfj.exe	106
PID 4376 wrote to memory of 336	4376	Gbabigfj.exe	106
PID 4376 wrote to memory of 336	4376	Gbabigfj.exe	106
PID 336 wrote to memory of 5552	336	Gkhkjd32.exe	107
PID 336 wrote to memory of 5552	336	Gkhkjd32.exe	107
PID 336 wrote to memory of 5552	336	Gkhkjd32.exe	107
PID 5552 wrote to memory of 4936	5552	Gikkfqmf.exe	108
PID 5552 wrote to memory of 4936	5552	Gikkfqmf.exe	108
PID 5552 wrote to memory of 4936	5552	Gikkfqmf.exe	108
PID 4936 wrote to memory of 2240	4936	Gljgbllj.exe	109

C:\Users\Admin\AppData\Local\Temp\7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe
"C:\Users\Admin\AppData\Local\Temp\7fb43a04d75cfaf29239067fa05c08a0ea9793c7441b3d9ddf233d8f5d139b5a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\Efhlhh32.exe
  C:\Windows\system32\Efhlhh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\Embddb32.exe
    C:\Windows\system32\Embddb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5960
  - - C:\Windows\SysWOW64\Eppqqn32.exe
      C:\Windows\system32\Eppqqn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5776
    - - C:\Windows\SysWOW64\Emdajb32.exe
        
        C:\Windows\system32\Emdajb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Fbajbi32.exe
        
        C:\Windows\system32\Fbajbi32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Fmfnpa32.exe
        
        C:\Windows\system32\Fmfnpa32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Windows\SysWOW64\Fbcfhibj.exe
        
        C:\Windows\system32\Fbcfhibj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5592
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gjdaodja.exe
        
        C:\Windows\system32\Gjdaodja.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5724
        
        C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5276
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Glgjlm32.exe
        
        C:\Windows\system32\Glgjlm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Gdobnj32.exe
        
        C:\Windows\system32\Gdobnj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Gkhkjd32.exe
        
        C:\Windows\system32\Gkhkjd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5552
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        24⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        27⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        28⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        30⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Gdcliikj.exe
        
        C:\Windows\system32\Gdcliikj.exe
        31⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Gipdap32.exe
        
        C:\Windows\system32\Gipdap32.exe
        34⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        36⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Hpjmnjqn.exe
        
        C:\Windows\system32\Hpjmnjqn.exe
        37⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Hbhijepa.exe
        
        C:\Windows\system32\Hbhijepa.exe
        38⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Hgdejd32.exe
        
        C:\Windows\system32\Hgdejd32.exe
        39⤵
        Executes dropped EXE
        
        PID:5172
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        41⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        42⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        44⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Innfnl32.exe
        
        C:\Windows\system32\Innfnl32.exe
        46⤵
        Executes dropped EXE
        
        PID:6112
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        48⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        49⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Jlfpdh32.exe
        
        C:\Windows\system32\Jlfpdh32.exe
        51⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        52⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        53⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        54⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Jpfepf32.exe
        
        C:\Windows\system32\Jpfepf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        57⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Jgeghp32.exe
        
        C:\Windows\system32\Jgeghp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        62⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Kdkdgchl.exe
        
        C:\Windows\system32\Kdkdgchl.exe
        63⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5244
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        65⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3720
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1188
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        69⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        70⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        71⤵
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        72⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        73⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        74⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        75⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        77⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        79⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2504
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Lkchelci.exe
        
        C:\Windows\system32\Lkchelci.exe
        83⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        84⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        86⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        88⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        89⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        90⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        92⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        93⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        95⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        97⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        98⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        100⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        101⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        102⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        103⤵
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        104⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        105⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        106⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        107⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        108⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        109⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3540
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        114⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        115⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        116⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Nnbnhedj.exe
        
        C:\Windows\system32\Nnbnhedj.exe
        117⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        120⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        121⤵
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        123⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Nenbjo32.exe
        
        C:\Windows\system32\Nenbjo32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        125⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        126⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        127⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        128⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        129⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        131⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        133⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        135⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Odhifjkg.exe
        
        C:\Windows\system32\Odhifjkg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        137⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        139⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        140⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        142⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        143⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        149⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Oodcdb32.exe
        
        C:\Windows\system32\Oodcdb32.exe
        151⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        153⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7056
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        155⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        156⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        157⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        158⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        159⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        160⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        161⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        162⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        163⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        165⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        166⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        168⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        169⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        170⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        172⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        174⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        175⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        176⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        179⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        180⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        181⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        182⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        184⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        185⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        187⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        188⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        189⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Amjillkj.exe
        
        C:\Windows\system32\Amjillkj.exe
        190⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        191⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        192⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        193⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        195⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7264
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7308
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        198⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        199⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        200⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        202⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        204⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:7660
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        206⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        207⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7748
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        208⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7836
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        210⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        212⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        213⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        214⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        215⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        216⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        217⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        218⤵
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        219⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:7492
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        222⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        223⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        224⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:7824
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        227⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        228⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        229⤵
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        231⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        232⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        233⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        234⤵
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        236⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7952
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5084
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        240⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        241⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        242⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        243⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        244⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        245⤵
        Drops file in System32 directory
        
        PID:7448
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        246⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        247⤵
        Drops file in System32 directory
        
        PID:7776
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        249⤵
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        250⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7348
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        253⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:7808
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        257⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        258⤵
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        259⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        260⤵
        Drops file in System32 directory
        
        PID:8264
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:8296
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8356
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        263⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        264⤵
        Drops file in System32 directory
        
        PID:8448
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        265⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        266⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        267⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        268⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8668
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        270⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        271⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8796
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        273⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        274⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8884
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8928
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:8972
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        277⤵
        Drops file in System32 directory
        
        PID:9016
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        278⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        279⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        280⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:9200
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        282⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        283⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        284⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8528
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:8608
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        288⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        289⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8760
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8824
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        291⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        292⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        293⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9032
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        294⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        295⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:9180
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:8620
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        298⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        299⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        300⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        301⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8940
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        303⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:9160
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        305⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        306⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        307⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        308⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        310⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8892
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9068
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        312⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        313⤵
        Modifies registry class
        
        PID:8416
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        314⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8736
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        315⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        316⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        317⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        318⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        319⤵
        Modifies registry class
        
        PID:9008
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        320⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        321⤵
        Modifies registry class
        
        PID:8856
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        322⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:8680
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        324⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        325⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        326⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9336
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        328⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        329⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        330⤵
        Drops file in System32 directory
        
        PID:9472
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        331⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        332⤵
        System Location Discovery: System Language Discovery
        
        PID:9560
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        333⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9648
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        335⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        336⤵
        Modifies registry class
        
        PID:9736
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9780
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        338⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9824
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        339⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        340⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9912
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:9956
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        342⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        343⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10044
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        344⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        345⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10136
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        346⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:10180
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        347⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        348⤵
        Modifies registry class
        
        PID:9260
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        349⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9328
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        350⤵
        Modifies registry class
        
        PID:9392
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9460
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:9528
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        353⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        354⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        355⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        356⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        357⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9932
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        359⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        360⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        361⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10128
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        362⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        363⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        364⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9332
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        365⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        366⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        367⤵
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        368⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        369⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9724
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        370⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        371⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9972
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        373⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        374⤵
        Drops file in System32 directory
        
        PID:10168
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        375⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9232
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        376⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        377⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        378⤵
        System Location Discovery: System Language Discovery
        
        PID:9708
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        379⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        380⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        381⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9548 -s 412
        382⤵
        Program crash
        
        PID:9840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 9548 -ip 9548
1⤵
PID:9616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
123KB

MD5
b98c87540d7df5513d20055d89faafca

SHA1
35f2728a024f448f5840f0acb658211335c91934

SHA256
410f4a10d2930c56a0718f9de1dcc0de21e76657b01e1f758cb3ec8cdb56bd95

SHA512
3f9b3c91302a58db585253cd8b1850fa7b88fc0386ae8779e851e3fb28d07160053e983051a28dcef2f19fb64a90614f0b4886f1d202e19fcc77c0b7057f4113

Download Submit
C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
123KB

MD5
a9b0d0f462bb8fcc66b5936f03a47aab

SHA1
a0eb966d9cd724eec58388ecfb0a321604788975

SHA256
f2d4fbb8eee80bb9ed2bdafe12124516cd84a87b6119ba535d5d9f51725da49f

SHA512
e4190a1d6c5d27610f327420ad7a024f9d3910da08d2751ff2375a2fd42c0d3bf21d8aafb2a848a9e8968c46ac53fd3d9001d83a84e69130cac7e0f89517530d

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
123KB

MD5
e5b03aaad636f2d4c20d0bc92b02d276

SHA1
cdb3477f6337f3a1c7e5c09b2ed5243b6ab1d9a4

SHA256
fd8d197d79ece895ff69663df6f85251fc5b91489514e420c9f5b656e14c6831

SHA512
46b3daa6089dca4ae90ee1ce852d0e7627b3addb9f6804992e6f6de499c1400f51ab6b99f5564eb320e535b82624bb81237c5ba39e951afc9de0a86337337df5

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
123KB

MD5
ec56174c915e5d1cc7ddc133408a915f

SHA1
c7d353eea7e1e3ee9971a8ea33c46d498561ca3d

SHA256
9c02ae6221ccd5ba91379da9c78f49d4f8c2d3113120e53c5c716510e3d255f6

SHA512
a8d9b3f22ffc4f927b9af632e8f7eee5072705752ebe027e99c59c150dec50cecc253ed7fd6a97ae8779f910bc355ea3ff238902e11b92276a786093800e5b94

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
123KB

MD5
97128f7f02139101c746f679476fd84a

SHA1
8f3cd4b540d3dda8889bde816f1288a48c114dc8

SHA256
9c5feff5755f9a4073c21e5b1e2d5983e9877ff9f59b7e3aae1f8741365e1e05

SHA512
f2ffd31cac9603b89518a5f975fd385406cc9c05a9e5f11ea9434a0536c3394d2a494d06dd2e2a20e0cdf28733b582358e85aa594debd782099fa0138ec29b6a

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
123KB

MD5
964c12d284471fe893a7917cafb04a3c

SHA1
5fa3cd3dab4f42ad8953e0d43a2255e70bebe454

SHA256
7bfcbab290ba5ef8f089faf5502904cdb254f6a5639a77dcc72ef813626b9a64

SHA512
a847318935f106d8381b0091dbcd582d224f1fe0f9be342412539d720bc8f712fde3cf797172d2d7edc14658db95dc125a83137569cdbc914c5b8c52ed43addc

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
123KB

MD5
c2475598277f1ecd5f7ad7f17db44ae1

SHA1
6b9c62034ecf85ea7433cc535336c52c12162255

SHA256
6b745bfb0eea5aba67c217ebc880ad8484f242537c9a913f20979a4938875e71

SHA512
1bece18dc8aabca17cfafc7f079c13bfc465af723a11ee58a1665a50cc74b2ea994951c9ef2bce7ba56b33250038f71fc0d4ca703ce8043fd0065652ec29aaf4

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
123KB

MD5
c69673c98b7444f0a686762cd567a197

SHA1
6b2a77285984854c0a8d2689b2afd6e0385c9d90

SHA256
0e9c792486581ab9388d57daf208f143b2d77fe62c328ccefc8aee2a8a588196

SHA512
729692d45d62bd2f8cb1959609bb0e2b0f9505ed6e1bbe78f675f95015454c92bbee261af151ca1ff32edaab25093e8e705e55a0cf7e29c78a814db0de517293

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
123KB

MD5
30fb53dcb1f2edc47665f0a05a930d1f

SHA1
521ae00ce23e7eed682d44c7a00a9fbd3eb6d92c

SHA256
a68e5b9a7e147d3af10f75b26c2830ad2ec7191059c100eaf46f1c4a9e92d2d8

SHA512
a39ca39bf125721a6b2e82a3f605ab70674d1be7ef857399dd8aa7db6cf20bf7eb1e4e5bae41801177f8a06af5a94f4bfd7df412aac39d51d2dc81d481f49429

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
123KB

MD5
99b8f21a9d7bf9219de170555c638f83

SHA1
88fae3788ed2db6566fc9c0da13d90e6e51736bd

SHA256
af392d7a74b1e7c3dcf899b5c9fe2c0cb9fabfd35a75e75a16c23c40991d6617

SHA512
dbe8db19d6535bc93db5699fdeae1410141038f45564ab7c32886dc2a307480f006c0c14ecaeece613602ae3dd1e23eaa4f8592d8a36cd00620f9f6c37cf23b2

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
123KB

MD5
d2f9e49c4d589d69280928d44f59b8f5

SHA1
c196453e22826b5f5cb01c2128ec0f6022f800f3

SHA256
318d848f06d026a88a1390d94eeffc191b3c835f559025a18090ef025228f844

SHA512
bf5403446a8b478b07baf14a43dc930f3f68661ba45bc123e74ded28709e5190f2e8c44e733de092c6020dd1a98233b01b272a66b2a15abcf901f45b8d3e10be

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
123KB

MD5
87115f73701ba975112516a6010dfb41

SHA1
ba1ff4fe9271d3cd5340304a92cf881419930ed2

SHA256
f27da6d5da3f587cf4c78cc37d88a508956aacfe919e92ebd10642a45927536f

SHA512
6118c8e320076fcc38feb514fd83ad65314e0e5456acb2994d4d5b46ca9fdc156dc169763c929335e484ee46ad4d0055f9a4f8207564d7621695cf6246f00ab6

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
123KB

MD5
12974335873fed328091f251c963dd2e

SHA1
a99055c71b70210afebf844ff32ec5ab6511ac02

SHA256
7da2dcd3a124eba37c8d7e6f8e7d7a012602156bed43131cdc1a24347fd18d79

SHA512
e221ccf26abb161d6e3886d77e6f8aa4eba84e12592b23001b7ad4cc4bbaf4e00d82529c21068ebc743b6a36289f3ee40c57bb660f89998790df647703bf5d0b

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
123KB

MD5
c535f3fbfdd0003896760f36531b6d2a

SHA1
ca05166a893664f319bae30440c5a380244e0a7a

SHA256
f3ebae637b4c3424991123815954e214b41f51c99c9b84bfce61aa60de07cbe6

SHA512
fd7d60f4d17775f1da4f60966ab72c9a4bddddff9664a109a5dde1730ed29b030072b2b7aafb61dfa11c6d29462f31fbd882ad3cbe098eb9c0429516e32f851d

Download Submit
C:\Windows\SysWOW64\Dbkqfe32.exe

Filesize
123KB

MD5
3a286645d21d5ce6efbebe55894faa55

SHA1
ba1e4bccf5ec38d458ce231505245e5c2c4d15a4

SHA256
8f3ce4f2438014823c02059fd772304efba548b741ce3e4da5b3e04f362ca833

SHA512
39fed2e0e7936fee6e10110d36705438fd37bd9f4cdc9adc368637ff1202d7e7a963d5e42cc37e92f0e15249f0b77220a9fa1c315f8cc915113119528a6baecb

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
123KB

MD5
3517085ad2d59bcafbf6cc7755e929cb

SHA1
0630b39e6f9c0a8bf3feb3e1decdeaaad1cb6d3e

SHA256
d1cc3e4a85c8cc73fa153f730da3bb1c805e2046e42a91ea6591a08a7bbb85b1

SHA512
7526ae13bedfca19925066f2e0370a58e2454a6b91c65bbc6a37a5ecac26f1bdd26bed03723e751773b6986adb91e3e9dc62f1cc19116e63d235ae6eee815084

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
123KB

MD5
3ec536e3887bdbe00a2b38bd7c083171

SHA1
a8a2c7cd462c319649457fb59aad5bbaf892390f

SHA256
60f0a356cfb82795d9257676c020801c2b6602d9137b6876bb5fa6164a2d63dd

SHA512
31a7f8da3815f8e081bface3a9eb14486dc621b2b9b5eaf56146ffc12fdab8724a56d0f03c79850a694ce55d07ff15c7ad6c9a1b70b7004b511f26d05bf7ba14

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
123KB

MD5
434bfc51a5b9cf0d90a30a38b756299f

SHA1
002d8fd355b8cd09bfe7a12c5884ca294fa5e491

SHA256
27993ca0c37c7bda28913f5e6f5c9bf2e9f52accbfa7da3afc1f9f971ac7d752

SHA512
5e3c614fb4a17ce3683002ab1ae985be95f4799fcd5f255635c1ecb28c27382981ce5ae9f0287a9c8566ec13b5f3ac56623b73bc5fda432733fb9c8ce45d8c52

Download Submit
C:\Windows\SysWOW64\Efhlhh32.exe

Filesize
123KB

MD5
2a4a8f7d0b5201cf209ede317ce4602f

SHA1
784b1178f0078fbb3392faf9e8adbc7243f75c03

SHA256
7f215093822beb03f89018f0e4bcbfe623f654a0e46ffc801c20a8aad135279e

SHA512
0c579007bd2198e839bdc0900a6d527ea3d2f57f39020b35475fef37cb8c389f5fc600d8eaf1473fc6c8213496efc074b69824e8c30484a3a7b7a66878c5ddb0

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
123KB

MD5
a237b724cf0a726e8ec6b98fbdbf09ae

SHA1
4a50696ead12b523836dd7407d49dbb917962c84

SHA256
7900ebd5fb6262bf64652d03b1cc40f3599099893baca8fa1f50561f0c8d96a1

SHA512
85400581c9e72ce328891893b4de178e5d15cd2ce8977986cc56cb8e3f8c8ddf7710cc8074762304c0e70a56638d441f1abf2d44ad8ec92b5a25f7c533fc79d0

Download Submit
C:\Windows\SysWOW64\Embddb32.exe

Filesize
123KB

MD5
0e3fb714a8ad6cb76252e1ad460de962

SHA1
8205ad113cddd968870226a6618b1c2d05f37b06

SHA256
5293496e43c5d4c37acd8f530cadc78f5251ed287606704bf6c9f6617984641a

SHA512
047427a3f0cbf30041dfa5094fea1b3631cdbdb2ed233a2079755ff65469a7358cf80a1fc0ed8640138253473087e8a938b5dd843cf2a3a4340c6edbed105927

Download Submit
C:\Windows\SysWOW64\Emdajb32.exe

Filesize
123KB

MD5
87c5352840511ad2f0f268c0d89d2646

SHA1
9d89d0b3d74b2da4bb216b674b3b62129136fe86

SHA256
7d826db7973ed0fd83e7b61d7a0e23a9391dcb98ac825030fb8ca6aa087da6ff

SHA512
69aa79104a14c0bb2c6f938350edd58b5f3ee268ea66d0b998ee559d7341077be9d23647f33148c93d41b33f7a3a02baafb2295d9aef915d1ea7d3a738d67cae

Download Submit
C:\Windows\SysWOW64\Eppqqn32.exe

Filesize
123KB

MD5
af8d9e48da0f306477e3e127d3d2b218

SHA1
f20a82430f2e067b318613f1a2545c47f7bc2d86

SHA256
a6ec10909f8c1c1305458f61745c51c0a6e0eae57c675723a55d1b709e533448

SHA512
bcf67af97df2286bb39cf893ded041f451dda58e433a87708079b31e77957b0039b5799cf0dfc6c34d7797948cac4054ab50cc8b4bd111eea3001b820b211a1b

Download Submit
C:\Windows\SysWOW64\Fbajbi32.exe

Filesize
123KB

MD5
090d118bd7fb63d3498d5d27c947019a

SHA1
ef613a72a19eaa4f78de5381c4f3fd5f7dcd5252

SHA256
6632aeced95c91930c3d9abbbeabacbd789cd8aa4c6dc99180e45dbf5b59d36c

SHA512
b46396dd07823147491b1d1f80057ae204bb2da7346eff422857213254709ba809591aee533e227373b97a2d5ab073203d0db3c172b073cb221382697c1a4a87

Download Submit
C:\Windows\SysWOW64\Fbcfhibj.exe

Filesize
123KB

MD5
4a51144c921df9115de19b3b80d75053

SHA1
b8539a49156da95cc0060924958276de70216edb

SHA256
37e9f7b43ef420cf498c326a5f6aeca34345264d14446c7de23c3e4b05d8cf64

SHA512
f0aa311cc1a0e0f864c345bf17bb328335e87be641f21ef56bd1348313abe63d103cf53cf15c43d65fe3de12c82f2718b48ac0b7860fe8748b0e76e394d361c9

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
123KB

MD5
8ddae868784e1770bba33c94a258c9d4

SHA1
cb5c28927b6cfb644e50d6c6b4426897e0d18866

SHA256
c783251fd2031843898a773ac80d2d06d0b23cc5e02bb423eaa930b4191ea50b

SHA512
eeabbd062ecea097a912363f2923084589b29847d68e29eed426c43b7ef810a3d1bac7f0bb255cda3a08ec6298ba629feb63c0f518caaf7e548cda5cbe36eaee

Download Submit
C:\Windows\SysWOW64\Fimodc32.exe

Filesize
123KB

MD5
7610290966ab61a921a1f5ff49cfa3e5

SHA1
a42c463588bec4073d6660e70694251f7feb7bed

SHA256
36e951817c9ca4eb71f6997be5f6bdaa7774a9951b374f8d3dece293e4a44a0a

SHA512
bf7980cbe53462be89e8c8518c40855bc68127db464febde043d33a385c32fa1fd8999944c6042e95746a7a0550470cbf4a00da7ba4fa3ef7fca242f3a3d4516

Download Submit
C:\Windows\SysWOW64\Fmfnpa32.exe

Filesize
123KB

MD5
2c1f094d1a2e4ae600f4c1a106c05f7d

SHA1
b11737f7895cecca4d28c982479bf502459fe64d

SHA256
bad4efb551470a1e8dd1d5b081f05166e3908f686f5ae8271f73c4f69afe7bc4

SHA512
7e376041b4d587693eb9fd3e5f8c478c0422eb043c1970bc65b0062b87a44d95db82860d38ac3c9167493ca5cce130b985610abc655852448dfabe7d775d46b5

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
123KB

MD5
c8cda5f7f0e38d820b603cd6b3754865

SHA1
03af6eee76f317a543126bfc0d191d229995f0eb

SHA256
46faf5651a4c662a7f2e91fae5ec02cd5533c7c101179c38b675581cf66f401f

SHA512
e0b7294a8601e0d9cae33af2d723f1318723011c0738cadea1cd26ab77d1b6a2195ca2fe050ec245e51282d96b4183d9ef62828149c8d16f2cad5c30430d5204

Download Submit
C:\Windows\SysWOW64\Fpggamqc.exe

Filesize
123KB

MD5
9a19a763eb5b096fb4dae861ed3f04a9

SHA1
69d014d595bb9c2df3e6e3c7039edbb61ecc84c2

SHA256
17e60776ae22e66ce2703a5ddd1a228850e522697eba4091f34af17ab56381a4

SHA512
6218db4932d70e8f36070b5fc041f213d065733622a1ff44f3d82533f09c1f4aa2ff9aec629f52b2f59d82206665ab773508a5811f587a2c804681140bc93563

Download Submit
C:\Windows\SysWOW64\Gbabigfj.exe

Filesize
123KB

MD5
a1902c167ea2faf2daafd95370e73e30

SHA1
7dee74d9fa14a529d44d387af521d84a1c627111

SHA256
d4b769574371aa8b8dba1d3edb0a87824a45025c5e7ed3c71df9e2cfb0058ad9

SHA512
899ea717e3d4aeeebfe400c49938442f1d8f5f0e27ccce936c383d550d7e78f5fd1f0598e5378e93ca01bf09f95f6c4fd80af8c41e16fb16d875ed17cc992e58

Download Submit
C:\Windows\SysWOW64\Gbdoof32.exe

Filesize
123KB

MD5
15839f7582ae174d69e8134619776b2e

SHA1
009ce01bd17e500ae7aa034930e90ccfa639b18e

SHA256
bb83237ee1670573eea09f910b9a9283b0f8c4c03566c954788e1e353d6f2824

SHA512
293286eaa106cb1f2702b28015c9fc822bf92834e75fa4146d9f7b6d6d57d808fcb27c19bc80dbb7a82671b6e3a6a47b44c7de3de5e2a6f1295669eaeb02e590

Download Submit
C:\Windows\SysWOW64\Gbfldf32.exe

Filesize
123KB

MD5
b77422dde597f28f0984be17ae41fd68

SHA1
01be332cfb97df4616a200e6c2ebf4319d3cc732

SHA256
9fe23859959e36628ee32ca1995d68d94dca9afe309f77dab0c425952ecf90c8

SHA512
1589bca2cf5e53c14fc286b8a645610e0aa339edbdb5f1759467672b8abd0edf29f15676fcad9b23bb45ce51c3cabf2feef082918ce885e66410f3319d29d682

Download Submit
C:\Windows\SysWOW64\Gdaociml.exe

Filesize
123KB

MD5
8a58c04dd3674d18eead67f684aad95a

SHA1
e81f9fecd5dba2e65ae4187a94143f38cc87c93a

SHA256
74055f115d4d0fd21245dffbee2b948f8d86d93680bfa462e5bdf369724742a4

SHA512
1bb2d7f3a89cf766af0500c1780f86229d118acddb8fc1cab7d9c9d473e35e8b0fca95985b54afad365cf3ff3a6b93a6222c8699ba56e89024f67c58ec7723aa

Download Submit
C:\Windows\SysWOW64\Gdcliikj.exe

Filesize
123KB

MD5
0ccb9c2654ee733cd77b653e3e83d3cf

SHA1
9e9363429a126c18c8fe37f4266c5c200d207f41

SHA256
860eaded1cda9da61b588723a3997da660e725d68c04ef8ba6a2566eb3dd0b68

SHA512
a69beb5a7cacaf8ed631b8d7558ca145d2cbab563c1f0847b8899308008817855ac9891d4b901cda44583b85422cbb081548247b4f6996403337b5669918d4db

Download Submit
C:\Windows\SysWOW64\Gdobnj32.exe

Filesize
123KB

MD5
8a38841932b73d902e9b3cb77aa01501

SHA1
552c1b390aa9e9ce8303be706b24489080e8fb5d

SHA256
4f1fd0363b4caf6009d416dca0921cfc826e029b90ea4851db2591885afff0d4

SHA512
45affac5cfaab576fcb44ca72ed988072a4e7b8d68087135ff794ec157db1bb6e4d5abe49fffba0cb5d7c9473f3f5cc9ae1402eb2707954752636ad1814a322e

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
123KB

MD5
fb3c82941586ed8e12d3aa45f3b380ed

SHA1
34eaa29397b4bd00fea890d58019eed7b3672977

SHA256
f65405b38b6b498be9bdcdde850607debf50560ab00c18ddb0fdedf737e0199d

SHA512
692635c2cac052dbb2f0a95b1d0606ca56e556c628b03dfe378f83036dca66cb5c9032649fa1b1a28f2a1f5ab146ba1247bf630415a9d74d7438144f626159c2

Download Submit
C:\Windows\SysWOW64\Gfokoelp.exe

Filesize
123KB

MD5
3b454b228addb8f7b15fb84d98ab314f

SHA1
017b3141fbe3284720d127477fea4c57242dafc7

SHA256
3ee15936a40b4f72e0844eb7b057c5b382d826cf7672370d8bec3f948e3302f4

SHA512
3c41baa397ebf354ddc7d8b7c993d3ea8577b6d4e36c84752e4c6a45847262cbf8acd3c1ba05554f36443db69c0802fd72403913076b3acdbffcddfc12b8cf78

Download Submit
C:\Windows\SysWOW64\Ggahedjn.exe

Filesize
123KB

MD5
2990c547adf1fbee9be68d44692add73

SHA1
c16e2b1a4d7263d3a63cf5ee1e6ef9ff221b1df8

SHA256
d1c97addcdd141a27d6ae795871ba12b372753964a1df03bd6e8f983252d9f31

SHA512
ef6f92c7f8c51462b5dc4ad4cb73ed1cc493c3805c814eb2b140fba61fd6fd6236f77789092490e504433dc62725f75e258b83a8dcf5a6d5f9f217faaa36bc6a

Download Submit
C:\Windows\SysWOW64\Gikkfqmf.exe

Filesize
123KB

MD5
4715b46b118d25964c142c3f3532e72f

SHA1
239d6fb745f16a9dd61395b9f3debc003d41b2c3

SHA256
6837dd7ef625fe8351cc8fa6c6bfdad95445858d0e183d35e96154bae40dc8dd

SHA512
b645994406864e71a9dbe2aa7508ba21b39fc5412814739e132d43cc3263cafb3b76884385f58cbfcab2da282385029ce33c5d2b32fa8127170dd67f6d3e061b

Download Submit
C:\Windows\SysWOW64\Gjdaodja.exe

Filesize
123KB

MD5
dc76b9b76d1e56b8ff027d053ecac0ac

SHA1
f98473c82afa9f2792d3b2f3e1e1c1dd73316b74

SHA256
02371b4d883db7949293362773caacbd115b7a14572e30f16fab99d73a495f09

SHA512
7095090f1b68f8e6a1294da439e3f2289f69ca49c51a9d26865651c04342080bf152b487d4965ff221c6bbb3138918dc9fdfd3cba4dcfa508aab2293c902d743

Download Submit
C:\Windows\SysWOW64\Gjfnedho.exe

Filesize
123KB

MD5
3c24d3e853e8d6c5c6a94357b4d1153d

SHA1
cb70120694c1cc682b49b4890baa1dd7a4f89efa

SHA256
9cfd7447d521dc8124e037944c4c8de53483c1bf243c45c30ca1fc874c23f414

SHA512
2283a230aeca013543e9e4230873bbe9413daecb0bd34d984b419b7069cb8e342d27f467c6e71b6db64bf378a1be3bcefc1e7f52b3c07f57864273f989efb0c6

Download Submit
C:\Windows\SysWOW64\Gkhkjd32.exe

Filesize
123KB

MD5
2b7e18162a17148718d407f18a6a8370

SHA1
5b526bd38bcfcbb3fdd697510b1804847b379a1f

SHA256
ce5873788a9d4c91f433914b93389c198538e49f0d607f27d3f53fa7909f9ae7

SHA512
df77e0e0a2e75b5e9cf84da0e42b030c2bc881b5fca6abd7b2630aa80d40b30532e10b3b0373ff2130861a17f1dc76b16ea54089181c85089cd01c45ff0b1d6b

Download Submit
C:\Windows\SysWOW64\Gkkgpc32.exe

Filesize
123KB

MD5
c7f6b80b0f419d99cc9403968f6f9361

SHA1
3b348801a8706c462d1f02cc2daa703783791425

SHA256
da4371442adab39013bd1a7991805d51734e9287a46124a231aa0792ba51e409

SHA512
5a89f37a6f3c83acc531ad91aee13b4d833ba4ae0c73e78b8e791d22eb8ab2491c88a0a2d20586ef0f1d57deacf9899e706a2a4fce1b2584725004b2bef02356

Download Submit
C:\Windows\SysWOW64\Glgjlm32.exe

Filesize
123KB

MD5
4e5d488ddcb8b089d20e6ed33badf60e

SHA1
22759979fe6f70200ecd8be6073eb7b912effd76

SHA256
629f4543e6fb69aba1f90f01527559cae6b0f13961869a73652b9c83bf8cf7e0

SHA512
13ff33deb65189ea6af909680883e4afd72d296a5ab878384277774404c4c254f37e526ed9eef09a211136ee8d4c38fee0fd2b09a2e83c3b87e5775e4dd75ad9

Download Submit
C:\Windows\SysWOW64\Gljgbllj.exe

Filesize
123KB

MD5
3f7284c534cc89bc80689c133e71fbd0

SHA1
0e445229244ff116fe5afcfa1bb5316b8d16a99e

SHA256
cf5c2f8f984ab2c659d4bbddf207bdd1391721ea0c762411d908981d99197099

SHA512
182b4b30cc86a5f47bffb0ee0af8c70d0c899f52def15bd95fef6746688cba087f5048e14b08edefcb276e61298531662bb60d68592ad2f792254ffc96bf38b5

Download Submit
C:\Windows\SysWOW64\Glldgljg.exe

Filesize
123KB

MD5
8e5e552a8228c38d2b2f44a4f2169920

SHA1
2ffdfaf601bb6b694c7361fb6f7512d865fa7096

SHA256
273334b90499e926a60e49166fc53b51afa6c7e126fcba69331a71a0a864fc57

SHA512
d62e7177b2af75e616086d296baf15cd006e725e56aba12d5e838b976450d20fb3afb08ed30a15b59e157d1f49e9a0936948d8546bf2579b000e2623a136799c

Download Submit
C:\Windows\SysWOW64\Gmbmkpie.exe

Filesize
123KB

MD5
80b8cadf69c9c20f65d94356c20b84c2

SHA1
fc9d3e365e72ad2aeef365e475cd0119e87e1b74

SHA256
3ef9887fd31580a140f7c7e26057dbeb5c89de013504a182a2c1dad2a4578af8

SHA512
d24eefd11ebbeef08803ccca272654b2376fc50683fd5f9b3c1ca3a41513ed11a3e7a3cddcc68eabdd9973bde66f3e3e4561307d8b81ed9ea484925d122a2a42

Download Submit
C:\Windows\SysWOW64\Gmdjapgb.exe

Filesize
123KB

MD5
22b655d92cb26216f2c1b7d14fe54f58

SHA1
40e5bb02799f6c88aa24a0caf93d3697830b3076

SHA256
243f20b31dd47b5418f188c8ddb10aa95d0d000e7abca918d2e7a528001ddf46

SHA512
4a5ffb1033dd1e426ea47af13ecefe102075999aab0f90774d7cf364366c5ea30932a89ddd55a5778c6bce1fc7b0ee935b16a40c509885b2637e001b466268aa

Download Submit
C:\Windows\SysWOW64\Gmiclo32.exe

Filesize
123KB

MD5
120fe0af1c97b026d6da3568848556f0

SHA1
e2e8c2fef65dd0a571cd90332c11c29c75a28fb5

SHA256
786c64f06c33c9e95edbf806653c39bb39557d8c0d8d954688dbbad04bd353ec

SHA512
3c641e1f6c946b95cb2436df66ceab73c6850038322fd15dc478a7cd46804312371fb2448e7090745208718b79c6c2e8184e111b0a1bffca7b75633740c2c49d

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
123KB

MD5
ec7200a2b73fd33ee0a08fe5d59a7df9

SHA1
e57998aaba2766891e63ec67b349c3dc3ca4aa02

SHA256
58129be80318a66eec4cc1c1cde1da4f4ce62c42764b6ecfa6705650a28b2c78

SHA512
3abf70cc7c6b71135ee14dab06ddc2f8c443e7ee113b8381c33e490a8cb138609c4e1fe33f8695d5d561ae0510f5999af016cb946707fe59c63bea152d0573c8

Download Submit
C:\Windows\SysWOW64\Gpecbk32.exe

Filesize
123KB

MD5
b6f8b8509c0fb561d858b48b4bb6fc89

SHA1
524914f6929ec6b9fa059357dad1283a2353d0bd

SHA256
c2bdf9d7bd92749a4e8ab3b35b1f7e8137f9959198069638c13df62d0130cb59

SHA512
d6611091356cf8ffb273da14380a86e692caebf327bbf40b0e82edc3ab6146781438ba7952e9f6e1eaff93dc656821b89c371bd9bc85618f9a11e07647198fbb

Download Submit
C:\Windows\SysWOW64\Gphphj32.exe

Filesize
123KB

MD5
e4f3c227fd12f6fd5912c4a4464be9fc

SHA1
88e0d18e921285028c3009dc47b70436b16171c4

SHA256
ab4bc23670ce4d9195c67061e01958b69bfef35892a182782ad9a1f6c30bf29f

SHA512
d1ab3f4ed147ea13585e035955bf8fea71a2ffcf40e43758b4d3bb7a3a83622ac07624c9ca1c9e4cf47fe6257f7cfcc6937422dd9747f909531d1cfde44227f0

Download Submit
C:\Windows\SysWOW64\Gpqjglii.exe

Filesize
123KB

MD5
6744825e05f56666b8068f2eda8b2ff4

SHA1
7b35e6f9e91370cbf1ce70551d4101c8bc96f9a9

SHA256
4f5fdbd4ec188323e8b704bc53ce567336cccd39d154f55dde7ff7954445578e

SHA512
32505c91313bbd5d7fd0239b314c0c589fc2a6f4b56a50b1be381e6f534fbac9b773c5137de86d23afc2d92017d7e8584c25bfdaadacd350a110b7265023a877

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
123KB

MD5
29c4a864187906558b3a7c5f19157b24

SHA1
1f99a004306a39ffdb2570b5d1cdddf108340813

SHA256
de3979de4e67ddeef5d21aafd6bd4c91457706ed8090b28278cecbd15098cd3f

SHA512
b573976b6b8f819ada5f47ba2f5c4186fe01a5c8608e96d634cb42a5bd4e8f3bbe6c6f407a42139d28fe3bf4e1d2f3dadab72e12902bf6e0d0627fa9367a112c

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
123KB

MD5
b8af00e99ef76576a72b0365d97785e8

SHA1
4c6163b0b53d0dffdd44a97f10ea6ed0aeab18ee

SHA256
432cd597cf4d1e43e40c8195b73e05880242d8bdeee5371a79f0c63c701e5ecb

SHA512
31072161d20dc291bb551d454cfebb03af3e9d380c695d3297de119c86f83cad7caa539e890e14146b219c8d2ad615396266ed3291b60bbc58dec6e0ed098b49

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
123KB

MD5
914f87e2d595d0898d2b640131c39cc2

SHA1
f38d6fc498b01e015baeae5e23e503100167620c

SHA256
0fcc44422360c50162c39be2025871cda1bcc79c68484f4b600f3ff0b9cc28d2

SHA512
a2cf9b147e808a9f85acaa2fd2d9aba85f99f12110ae3e2ff88521f513075af4fddba4e35e18d7a1ba4d758fec9cb26f79ece1fea90f92cf379f41afd2839257

Download Submit
C:\Windows\SysWOW64\Impliekg.exe

Filesize
123KB

MD5
59481f401136e24a86f544af08a91ac5

SHA1
04624447a9d4148813dc14d14b7bd3afdb9ba3ec

SHA256
2c4ddef6b334fc35f105851d6d9f0440be470cec222c4a7f05e6912919e4ca9d

SHA512
0ce3e16339649a865ddd1567ec2e3f0a8cf6293bc6431a983a3d8a1531c14dabe770ab883b9f5ecd4941079f3be327eab6734481524c13d7555821ed00a33314

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
123KB

MD5
16d1715dc3bce9c833df5af26471e9a6

SHA1
d3cb7aa664a01bc69995f734166260fd9097d23d

SHA256
57310461d86e1bb820207d6bcc3eab35aa7a8e8703d273b136ef2dee139438a0

SHA512
e126b3ef92531992923cb0c2efeb98fd7ac9546ac19d8b87970f962b95d96af933efc10b87d3fcb06038879c945e555391a1ecbd9f2940aac107c09f6c0157a7

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
123KB

MD5
55dd246887d556e36b529a6feb30a9ea

SHA1
940aacfb4447027e10904878915bdda3cece0a59

SHA256
0a7e8df92e21bb32092f3caa9549e9dda8d8b3c8604a7834165cbee5548d9873

SHA512
2694ee35fdfd180ea49d6b23b20c9202522b0232507b5a186b9e278f9abdd51cb38a3c7a24397db06f19864544b46d92475b77322cd7c92c02937ad4a4765758

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
123KB

MD5
72eb9acec7abc9bf73340c7611c74633

SHA1
0047a81d6669e1a662f7e7765b4abded10f27be7

SHA256
a8ea1db8a783efce59e1aadb2f4295ebdc3d5a45bb00b1739d4f0bc277ea4b53

SHA512
190bce5e2b137663b9a036ac06f5a15f55ef51378b4a0168d828bb66c374bcc2d14197fcc5a58fef4bfad288fd48a0822cdd608b94dcba528d366a2d3fa5b7a9

Download Submit
C:\Windows\SysWOW64\Kdkdgchl.exe

Filesize
123KB

MD5
8a053e4615479bebbd540a7abb3a6395

SHA1
733eee5dc005bd762fbcb449bc1106962a9db2db

SHA256
f57247230808a9ef8e5fa5ffc359ba4aacc984b1773bf1dea73d819066d299d3

SHA512
258a4a78c283305ff9a96dc31af69ba4205ef6621867ddab5a82f7d23f1cedb10db6283d089e87bc1a1aa58c961467631cecc854c63b85a4d602f6cb6011a3eb

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
123KB

MD5
439757881f662f6abbcf6e274c1db254

SHA1
e6afdd3122ff16a25fdb32be2fd4f8d1400b8ad9

SHA256
cb7b44422233e0d028b06884339f97708df32572959d1c68143729d579d46774

SHA512
da0999dd41156be3b044b3040b8eeb89decde3071f5de1e74b3fbd98c689578c329b9aa19cf4a27185f61da940efa34afa67be188754a87adcce0c7df2d78f4b

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
123KB

MD5
df963aebbc6b9697b01ee464c8e7efd4

SHA1
bb138c7051db312e7ae0770355ad90ca834532c6

SHA256
0accd6d6a7f565f697bcd88db1a5eccaaee02439412709b48a35a584e0772bba

SHA512
10c2ef08fd9e0fee7df255ed3dc42559c8106f831adff84e038761d5b373fbb0245ebb43f024c7a64acfb0f3dffaeb24388e3d5b45d5f2be95cb5abdf9226b56

Download Submit
C:\Windows\SysWOW64\Ldgccb32.exe

Filesize
123KB

MD5
05af54d82ffe544c3b0193a6b14fbbcc

SHA1
9d57bb9b3ad996dfc37be8c0f8a78977c8acd549

SHA256
27627893c5371d981daf60d1ef682b506ab7c185e5011b937728e3ba56f17974

SHA512
b9e3ab8c9677d87bb80c05fdda946e2944922628d81482397fbe659b5beeca19e0d9b72da400709f55cb1eccc91c3dbaa0e7001b7a468ee33b6e0104b8807c41

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
123KB

MD5
742174943c232cf27c11280fa9f93950

SHA1
9c041273ac8bb9bb0b3974a6d91b9b0040069659

SHA256
b00032639feb4b611bd3af53e3c6f152586e369ea9d4bb5bf1f6f009c4fcc8fa

SHA512
65689abc8ee91d950636dd6d84437b6fb818bc5ba93ed543f87d6b135dd5df5aa54a39d2fdabd680078916b3e339da79e9b0b8a3fe2f4930bc29b51ce97acf7b

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
123KB

MD5
8bcbd1169371f97dbc212de1e20fcc34

SHA1
74afce32443d7d61c571906dbf7d55b3cfe34697

SHA256
a82a9c424d2b531b987cb820434c1ff17f7c2e522c1e249a2cd814cad26540d3

SHA512
43d3a61a1fee74436d5a07ca72283e2805c7e3998be512917c05894f86b2e084b018cc2c966b61651f57eab6fcd0834bccf94e0cd3d841fd065150bd1b301603

Download Submit
C:\Windows\SysWOW64\Lqbncb32.exe

Filesize
123KB

MD5
eee1f91a67a1afda5ec6c5c9b255c905

SHA1
8a0a5cbfb9887d8db49fed21abe4ce4e641e0b83

SHA256
3db51594b406e73c9bad72fafc6e3ea5cd248a19aee7e10c02825c3adb3216b9

SHA512
86d3aa63997f3170dc2258c07e4c5bdbaf17af205a2400576f780aa5dbf16a335cf3c01d2e845fd1cb97c9bab45d5741e8ddd9a5ff95fb749f3a1687a1bed172

Download Submit
C:\Windows\SysWOW64\Madjhb32.exe

Filesize
123KB

MD5
9b20967f3c709f81c42a003291ab6191

SHA1
b54638b67578caef7f8a49ef24547dd934da833a

SHA256
6f8481d720062064e3ef8d2c3dc5361449ea8fc0b204e02c58b49a84074d0daa

SHA512
b85202242c13f1f79df05592bd00296f52a1821e048bbeaa807c04351e1bb14c20883269defed505dbce5d56fdcdaa0f6921ab74f0e6e1984f78cda9b8f8f216

Download Submit
C:\Windows\SysWOW64\Mkjnfkma.exe

Filesize
123KB

MD5
20051bde398796e84ac1b60ef16680fa

SHA1
fe8c1bee2ab31bec19b919ba98d86b5dd619695c

SHA256
f45d90d7f74008e6701e9c39dc7aa1a32c04e66b3fe5742f2b3af065f141d7bf

SHA512
2744a08747968fb08f87000617f405c0236dd63661572b9773d13986920397b884bdee33847b0ecb52a688b666748d2a55d08e034d5e899a0f008b089d893c2d

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
123KB

MD5
a855f0a4a06c26fa717629b2060d1374

SHA1
c65a4caa8bcb8a08cdda7ff0f4a316a23ac06bcd

SHA256
e148005e9514102b3eff898e19e88295ae070ce576b1842a3614eaa56e485732

SHA512
9f03a5e5a8691d8cd1b11a2b1daabf0798f36ca40a7f9f10b9dcdefe704a6a1fc6d73dd5872510502683491a5033995ed20144829ac4dddfdfcf0b081ead209d

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
123KB

MD5
7bad2ed78933942ecea12be8bc90b618

SHA1
f61af76e5c495bc5639fc73d7d1794a81904962c

SHA256
971f45373e890fc90b8fc908de97eeb2d3a957b608be6993f07f4ce8389b7a43

SHA512
1187a8e32ef7ef6c555e63ca0089c9b613767f2d5fc6c36998b1d515f507aa51fc6a4505bda9bc1e20ea4a781e4b04544656a6444ba1b6a902b11fe2fdcca9fc

Download Submit
C:\Windows\SysWOW64\Naecop32.exe

Filesize
123KB

MD5
f630ebd72c2c8993b391ba83e843d826

SHA1
a2894cab8c5f7ddaeb104569ec1a413caa0dd4b7

SHA256
553ee519c3928daac7bb24318b4ddb7c8a9bd1fafc4ee4539535fc84753042c1

SHA512
4b25517e9d2fa16eb199d1165bdaebb70d90e5bec89ebd1c68147eff63121b71bb87504318e4d017f9ddfacb07a384bcf1d035cfa7a999013ee72e2308228bdc

Download Submit
C:\Windows\SysWOW64\Ncofplba.exe

Filesize
123KB

MD5
d42853903e71275c58006987e9639d94

SHA1
b78d8db0b0335018e133654c21b9e6baaa41de8c

SHA256
45d989f17d10325e8e8f959c075c470c1a5b75fe240c1fac604a5edd2f9da508

SHA512
3f3f2f513893662618999cb662c1405a3c754f710d67a03806fad24f4ffe4c481881631c76dc096775ef896a673cbacfde497b6b223b06305cca9e757675e38c

Download Submit
C:\Windows\SysWOW64\Nhmofj32.exe

Filesize
123KB

MD5
21957b4a96fa3da8841bc6b824df468e

SHA1
9f1904b42fb9f31d6f82a39e24ef4fba490f9040

SHA256
b857c26fbea0614a73dcfabf1f9a4bf58068f709530cd4834ae9d6e0160e25bc

SHA512
92e69dc2917c87a3cf7c3092cbe5dab1f57f3502262328d4febdbe23d0576e3a2f9f8574d07eb523aecd4b01257b9f4a39be54e11f7d00926c1a79c7bef74796

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
123KB

MD5
22fb58fb73c01db03d6e4fe02a1eeab4

SHA1
12cfd8179ffb9d74ef7d053a7200ef4b1afd7d0d

SHA256
2a5d67729d32fff2bc5b66e0979f1807ebb738d154108e0f52905e8fadde6513

SHA512
501a7f2fb81f2c972fac03d2761047f7bfe0ce91ed270edff9a1b32d8aac1e80e6c2c0df764f0609451ecaf921e5fdbc70f8d51d5e116c70e60d1cdac9cd0a24

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
123KB

MD5
6e6133d2256aeb81c1ab2130f1d3e188

SHA1
4a369b1321853b99f6b72ad2ad23a4bc9e45dc33

SHA256
be97435a6f4e5ba7babe2878bd5e9a0fa2304dbd6e5b4f1abfce82e580fff5fa

SHA512
334a31863d13e064d0dcd48096e002ca144477c7b1caf9ffc960d80c929b68bf9ff01184fcd7bf52a3fa81140c8e85b05a443e17f28d342aa4ff3113b7deabc0

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
123KB

MD5
9b3ba635c9177782f5e6276f4c511622

SHA1
7abe237e3bfdb5deb38dea3ff267deb734acd7c3

SHA256
df8a9f29b00549e02dad8fffa0eaa197f72600f689499c560aba78e77e485727

SHA512
0aced149d5629be8eca8d7af51dee67cf491848722cef4355c96a1ea1066a5b9ea542650d7cd80a120db7bc8e014f09c5d2cebdf55c499a9c563265beaf82706

Download Submit
C:\Windows\SysWOW64\Ofcmimpk.dll

Filesize
7KB

MD5
178465e5e115ec1ae4b00a196301fec8

SHA1
b7626b25cb885f515c9fc693a3174a2d91dc140c

SHA256
68b19e306e47840fa9db89f77eb087153cb63b31f3004bab57958300dd09261d

SHA512
66e47f30db9c875e86ccc8e0430b4059a7454ddc13ac8aa5d0876fd4b49a2dadd30e24c531b3b8bebfbbe331fd8a20e049cbb2a50efa912cabc43215880b922c

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
123KB

MD5
8d3c935e2e4e310155762dc2321e50a6

SHA1
6e3967c283eeb6f5ef68ddb31f41c5e702163ec7

SHA256
c03c3c644f804e67189f794b62e355f8db89e7550be49b42f5e984177a784306

SHA512
a204e0c6aa84282ee39615ac87298f80001a5d3ec447fd5f49280f9762fff85aeb6bec420cdb3ff0c5449a3d73f1d1ea59f28ee4c837bce3408c94172337cf11

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
123KB

MD5
48b482476017e2685816c9610ea88a9c

SHA1
db72c1a9a1ab2423fd91bdb9429db362e536c0a4

SHA256
f45aa5f68ddb15d585fbbb280ed179bed4d51e2efded89a7923f5e8ce182084a

SHA512
6efd0614c177d921571c5c4ac103856aa5c0b876db992edf4cdef348fe76c6a61c22ffc95fd89c215f9666bf9b61ee8e4c3110c41ede460d185339fa4a2fba7e

Download Submit
C:\Windows\SysWOW64\Phigif32.exe

Filesize
123KB

MD5
d6fb538252ea1be6530dd56be26cba7d

SHA1
18ce50aff6a067203725629df42e6b9071bf8562

SHA256
4ed1aae85a18982a8037adee29f5975fbb3d245913ad9418e7d46aff610b2ee9

SHA512
4dc19b07a167f12bd4b1f905298525669954cf8769ec5f0980f59f2913c79690670a4768d94a2a2b189cdb08c9f7f9de7e209bd978140b7bfe54c5750253b7c9

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
123KB

MD5
fc5eab58254b4756fc3271a076c5997d

SHA1
4a10fed3174e58008984a4d85bd519716faaf831

SHA256
0189008de429ff1e85211c450f48ad315d43855bd2faad7342b7881e4b717ad3

SHA512
604da2a19aecdaa607ba4c5e16ab7a412a1526773e38f4109ed83de353b81a901831c5d27285179bd065ee4f698d89a88db75a70e26aaebd07b0bdd2a2767ef7

Download Submit
C:\Windows\SysWOW64\Ponfka32.exe

Filesize
123KB

MD5
9fcc6f90ced5ad56892348c364c7e329

SHA1
b270df8eb732604b3642902567acf62563318947

SHA256
e5db51cf4d8af84867b169d073dc280ad041b21f038649c735608dd57bc6fc6a

SHA512
6faae4f3a0f9848fbaf38fd71ccb814ed994c1fed9644e7a06d1f95c8b7d180d7cc737b9c87b40fd2052d5169e7f574533a65315043392a46e5ed24907bea0cd

Download Submit
C:\Windows\SysWOW64\Qdbdcg32.exe

Filesize
123KB

MD5
77dc1e0d8a35e1171b702125578f479d

SHA1
15c6c92891230fef077c35f3a30cbe76d7479b59

SHA256
c8ac024b7d3a0f508b4a6f8fb0294e5e8f8db22351c2032d175826e2a5b2a3c3

SHA512
9871a405ab852d6153bde2003f45355514f1a64111c688330b9ae068804602d89959d7aac8ffd8c761e8959e18acf75fc96d4530cfd3681ac507d00eae1d5fc4

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
123KB

MD5
5e89de312a2b01dc195ef06a8d3f5da4

SHA1
f91beb9a63242cab902da2d370640d213c630c02

SHA256
6760ff968f9b26a126d68a325b55dc045bc8b17812f821ba1ce31ebad8b0451a

SHA512
5765bf5507f223f3b0e77d0c0019d7f294266ab517f622326edeb086018592766ec75c8a078f2447eb71ceaf302b6a985f67c7ad709491ae3a89c603ef145a34

Download Submit
C:\Windows\SysWOW64\Qhkdof32.exe

Filesize
123KB

MD5
d26eb693cefcd22033c8c9acaa1e9702

SHA1
b50f6406057c1917437241410915f92c5daa79f4

SHA256
1fced2674eb1cc35c4b20f1be1edc37e121c050eeaa00d2c141a8bbc030c17ae

SHA512
c84161ea6cfa61a35fb6d85ee51f27cc2bead24cb13d59ee9b48342473faa6cbcb139263c8266613b37e06b183a8a89f4260976ce3cad9e21e28625ed4d8dd4e

Download Submit
memory/336-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-439-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1204-324-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1204-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1260-297-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1280-467-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1280-398-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1384-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1416-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1416-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1444-474-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1444-405-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1580-289-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1604-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1700-288-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2036-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2164-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2164-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2240-282-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2352-296-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2396-447-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2468-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2484-294-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2508-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2508-316-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2604-461-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2664-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2664-310-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2932-440-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3008-426-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3016-412-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3016-481-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3076-271-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3184-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3184-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3288-350-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3288-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-337-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3532-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3532-488-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3696-272-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3720-482-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3748-293-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3880-454-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3904-285-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3916-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3916-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4040-493-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4056-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4056-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4376-274-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4380-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4380-460-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4432-357-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4432-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4552-475-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4624-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4624-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4824-290-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4848-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4888-432-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4888-363-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4912-273-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4936-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5060-369-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5060-303-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5172-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5204-284-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5244-468-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5264-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5272-95-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5276-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5288-404-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5288-338-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5436-446-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5436-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5552-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5560-351-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5560-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5592-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5592-323-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5724-270-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5776-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5776-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5804-309-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5804-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5816-433-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5872-384-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5872-453-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5960-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6112-344-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6112-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads