berbew | aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe
Size

96KB
MD5

8463d8fcf9751d2edeec759e7f538330
SHA1

76eed986b631ba78580667e99b7857df3b053b4e
SHA256

aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456
SHA512

7373a333c373e70d9c925befe10d8e527250e5e3bb04756fe8ab13be9dac548af26900f97096af070d229662b0587e9c52aa428032f089a41c4b892d5dc9ad68
SSDEEP

3072:5MTvXh0L0ZMPPPPPPPPPPPPPPhdaClUUWaeN:5MTXh0L1PPPPPPPPPPPPPPDaCWU0

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bohbhmfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akccap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geldkfpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knooej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcegi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phigif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqikmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcegi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffclcgfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilafiihp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oobfob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doaneiop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpjlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgqfdnah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmechmip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlfnaicd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Popbpqjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlhkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofnik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnblnlhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdaociml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ponfka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgcjddh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbnmke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebimgcfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfcmhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phaahggp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023dd3-249.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
4808	Ejlbhh32.exe
1208	Emkndc32.exe
4384	Ebhglj32.exe
1396	Emmkiclm.exe
2044	Eplgeokq.exe
2192	Efepbi32.exe
3296	Elbhjp32.exe
2704	Efhlhh32.exe
5016	Eifhdd32.exe
488	Eclmamod.exe
3896	Ejfeng32.exe
1460	Emdajb32.exe
2620	Ffmfchle.exe
1932	Flinkojm.exe
464	Fdqfll32.exe
4936	Ffobhg32.exe
4020	Fmikeaap.exe
4556	Fbfcmhpg.exe
220	Ffaong32.exe
5104	Flngfn32.exe
1264	Fpjcgm32.exe
3832	Ffclcgfn.exe
1908	Fplpll32.exe
652	Fffhifdk.exe
624	Fmpqfq32.exe
4612	Gdjibj32.exe
4964	Gjdaodja.exe
4604	Glengm32.exe
5100	Gdlfhj32.exe
4960	Gfkbde32.exe
1640	Giinpa32.exe
2112	Gbabigfj.exe
3620	Gmggfp32.exe
4060	Gdaociml.exe
3468	Gbdoof32.exe
4948	Gmiclo32.exe
3968	Hplicjok.exe
4240	Hgfapd32.exe
4376	Hienlpel.exe
460	Hlcjhkdp.exe
4660	Hdjbiheb.exe
4528	Hkdjfb32.exe
1272	Higjaoci.exe
528	Hlegnjbm.exe
2396	Hdmoohbo.exe
2076	Hkfglb32.exe
4696	Hmechmip.exe
492	Hdokdg32.exe
3668	Hgmgqc32.exe
4500	Hildmn32.exe
1560	Ingpmmgm.exe
5084	Idahjg32.exe
5080	Igpdfb32.exe
548	Iinqbn32.exe
3564	Ilmmni32.exe
1364	Iphioh32.exe
1604	Icfekc32.exe
3080	Ijqmhnko.exe
1524	Inlihl32.exe
2688	Idfaefkd.exe
4184	Igdnabjh.exe
636	Ijcjmmil.exe
484	Ilafiihp.exe
3772	Icknfcol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Giinpa32.exe	Gfkbde32.exe
File opened for modification	C:\Windows\SysWOW64\Qemhbj32.exe	Qaalblgi.exe
File created	C:\Windows\SysWOW64\Lfmmaj32.dll	Gimqajgh.exe
File opened for modification	C:\Windows\SysWOW64\Clchbqoo.exe	Chglab32.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Gdaociml.exe	Gmggfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncabfkqo.exe	Nabfjpak.exe
File created	C:\Windows\SysWOW64\Dbicpfdk.exe	Cdecgbfa.exe
File opened for modification	C:\Windows\SysWOW64\Mgloefco.exe	Modgdicm.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Oifoah32.dll	Enhpao32.exe
File created	C:\Windows\SysWOW64\Heffebak.dll	Iiopca32.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bfaigclq.exe
File opened for modification	C:\Windows\SysWOW64\Jjjpnlbd.exe	Jgkdbacp.exe
File created	C:\Windows\SysWOW64\Bdpkjpdi.dll	Ljclki32.exe
File opened for modification	C:\Windows\SysWOW64\Akqfkp32.exe	Ahbjoe32.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jikoopij.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Igpdfb32.exe	Idahjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpdhboj.exe	Mjahlgpf.exe
File created	C:\Windows\SysWOW64\Fkikinpo.dll	Dqbcbkab.exe
File opened for modification	C:\Windows\SysWOW64\Mgobel32.exe	Mccfdmmo.exe
File created	C:\Windows\SysWOW64\Gmigpf32.dll	Qlgpod32.exe
File opened for modification	C:\Windows\SysWOW64\Ffqhcq32.exe	Fnipbc32.exe
File created	C:\Windows\SysWOW64\Idkkpf32.exe	Ilccoh32.exe
File created	C:\Windows\SysWOW64\Ljhefhha.exe	Lcnmin32.exe
File opened for modification	C:\Windows\SysWOW64\Nndjndbh.exe	Nlfnaicd.exe
File created	C:\Windows\SysWOW64\Bohbhmfm.exe	Blielbfi.exe
File created	C:\Windows\SysWOW64\Cboeai32.dll	Dkhnjk32.exe
File created	C:\Windows\SysWOW64\Jofalmmp.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Omjpeo32.exe	Okkdic32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Aiffheej.dll	Bojomm32.exe
File created	C:\Windows\SysWOW64\Dokmlmhl.dll	Hlcjhkdp.exe
File opened for modification	C:\Windows\SysWOW64\Njhgbp32.exe	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Ieagmcmq.exe	Ipdndloi.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Dnbokg32.dll	Hdjbiheb.exe
File created	C:\Windows\SysWOW64\Mmjpbc32.dll	Blnoga32.exe
File created	C:\Windows\SysWOW64\Dfnbgc32.exe	Dkhnjk32.exe
File created	C:\Windows\SysWOW64\Figmglee.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Johggfha.exe
File created	C:\Windows\SysWOW64\Gahamgib.dll	Dbnmke32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Jnakbdid.dll	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmiclo32.exe	Gbdoof32.exe
File created	C:\Windows\SysWOW64\Lqndhcdc.exe	Lnohlgep.exe
File created	C:\Windows\SysWOW64\Ckclhn32.exe	Bheplb32.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Imkbnf32.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	Dcibca32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfihkqm.exe	Bochmn32.exe
File created	C:\Windows\SysWOW64\Hildmn32.exe	Hgmgqc32.exe
File created	C:\Windows\SysWOW64\Aobbbd32.dll	Igpdfb32.exe
File created	C:\Windows\SysWOW64\Akglloai.exe	Ahippdbe.exe
File created	C:\Windows\SysWOW64\Hlepcdoa.exe	Hfhgkmpj.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Klfaapbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1460	14708	WerFault.exe	786

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Higjaoci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpfqcln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekaapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnohlgep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqndhcdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmlddqem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohfami32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anobgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoideh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glkmmefl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjpode32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phodcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plbfdekd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahokfag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giinpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pldcjeia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hienlpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhokljge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plmmif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiigadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlkgmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfaigclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igigla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knenkbio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckeimm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgloefco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpqfq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jinboekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgipcogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knchpiom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akqfkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blielbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbalopbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaebef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioolkncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olicnfco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emmkiclm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffobhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ingpmmgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icknfcol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nccokk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpchb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccdbf32.dll"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqkihfg.dll"	Nhmofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmfbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejfeng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbklgfdh.dll"	Iliinc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebkbbmqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffmfchle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmcclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qachgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eclmamod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikikigb.dll"	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll"	Bafndi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iplkpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojiqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahippdbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdgged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll"	Kjjiej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eomffaag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhqlkph.dll"	Kjccdkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mccfdmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll"	Clgbmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll"	Glipgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgkdbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgdjg32.dll"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffpdd32.dll"	Popbpqjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebimgcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqknkedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll"	Bemqih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll"	Gbabigfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4808	1488	aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe	86
PID 1488 wrote to memory of 4808	1488	aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe	86
PID 1488 wrote to memory of 4808	1488	aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe	86
PID 4808 wrote to memory of 1208	4808	Ejlbhh32.exe	87
PID 4808 wrote to memory of 1208	4808	Ejlbhh32.exe	87
PID 4808 wrote to memory of 1208	4808	Ejlbhh32.exe	87
PID 1208 wrote to memory of 4384	1208	Emkndc32.exe	88
PID 1208 wrote to memory of 4384	1208	Emkndc32.exe	88
PID 1208 wrote to memory of 4384	1208	Emkndc32.exe	88
PID 4384 wrote to memory of 1396	4384	Ebhglj32.exe	89
PID 4384 wrote to memory of 1396	4384	Ebhglj32.exe	89
PID 4384 wrote to memory of 1396	4384	Ebhglj32.exe	89
PID 1396 wrote to memory of 2044	1396	Emmkiclm.exe	90
PID 1396 wrote to memory of 2044	1396	Emmkiclm.exe	90
PID 1396 wrote to memory of 2044	1396	Emmkiclm.exe	90
PID 2044 wrote to memory of 2192	2044	Eplgeokq.exe	91
PID 2044 wrote to memory of 2192	2044	Eplgeokq.exe	91
PID 2044 wrote to memory of 2192	2044	Eplgeokq.exe	91
PID 2192 wrote to memory of 3296	2192	Efepbi32.exe	92
PID 2192 wrote to memory of 3296	2192	Efepbi32.exe	92
PID 2192 wrote to memory of 3296	2192	Efepbi32.exe	92
PID 3296 wrote to memory of 2704	3296	Elbhjp32.exe	93
PID 3296 wrote to memory of 2704	3296	Elbhjp32.exe	93
PID 3296 wrote to memory of 2704	3296	Elbhjp32.exe	93
PID 2704 wrote to memory of 5016	2704	Efhlhh32.exe	94
PID 2704 wrote to memory of 5016	2704	Efhlhh32.exe	94
PID 2704 wrote to memory of 5016	2704	Efhlhh32.exe	94
PID 5016 wrote to memory of 488	5016	Eifhdd32.exe	95
PID 5016 wrote to memory of 488	5016	Eifhdd32.exe	95
PID 5016 wrote to memory of 488	5016	Eifhdd32.exe	95
PID 488 wrote to memory of 3896	488	Eclmamod.exe	96
PID 488 wrote to memory of 3896	488	Eclmamod.exe	96
PID 488 wrote to memory of 3896	488	Eclmamod.exe	96
PID 3896 wrote to memory of 1460	3896	Ejfeng32.exe	97
PID 3896 wrote to memory of 1460	3896	Ejfeng32.exe	97
PID 3896 wrote to memory of 1460	3896	Ejfeng32.exe	97
PID 1460 wrote to memory of 2620	1460	Emdajb32.exe	98
PID 1460 wrote to memory of 2620	1460	Emdajb32.exe	98
PID 1460 wrote to memory of 2620	1460	Emdajb32.exe	98
PID 2620 wrote to memory of 1932	2620	Ffmfchle.exe	99
PID 2620 wrote to memory of 1932	2620	Ffmfchle.exe	99
PID 2620 wrote to memory of 1932	2620	Ffmfchle.exe	99
PID 1932 wrote to memory of 464	1932	Flinkojm.exe	100
PID 1932 wrote to memory of 464	1932	Flinkojm.exe	100
PID 1932 wrote to memory of 464	1932	Flinkojm.exe	100
PID 464 wrote to memory of 4936	464	Fdqfll32.exe	101
PID 464 wrote to memory of 4936	464	Fdqfll32.exe	101
PID 464 wrote to memory of 4936	464	Fdqfll32.exe	101
PID 4936 wrote to memory of 4020	4936	Ffobhg32.exe	102
PID 4936 wrote to memory of 4020	4936	Ffobhg32.exe	102
PID 4936 wrote to memory of 4020	4936	Ffobhg32.exe	102
PID 4020 wrote to memory of 4556	4020	Fmikeaap.exe	103
PID 4020 wrote to memory of 4556	4020	Fmikeaap.exe	103
PID 4020 wrote to memory of 4556	4020	Fmikeaap.exe	103
PID 4556 wrote to memory of 220	4556	Fbfcmhpg.exe	104
PID 4556 wrote to memory of 220	4556	Fbfcmhpg.exe	104
PID 4556 wrote to memory of 220	4556	Fbfcmhpg.exe	104
PID 220 wrote to memory of 5104	220	Ffaong32.exe	106
PID 220 wrote to memory of 5104	220	Ffaong32.exe	106
PID 220 wrote to memory of 5104	220	Ffaong32.exe	106
PID 5104 wrote to memory of 1264	5104	Flngfn32.exe	107
PID 5104 wrote to memory of 1264	5104	Flngfn32.exe	107
PID 5104 wrote to memory of 1264	5104	Flngfn32.exe	107
PID 1264 wrote to memory of 3832	1264	Fpjcgm32.exe	108

C:\Users\Admin\AppData\Local\Temp\aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe
"C:\Users\Admin\AppData\Local\Temp\aaaabad5622f2007c2a6e41f5dcd12d9d4721ee282da18fb1cf9b4338be9c456.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Ejlbhh32.exe
  C:\Windows\system32\Ejlbhh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\Emkndc32.exe
    C:\Windows\system32\Emkndc32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\Ebhglj32.exe
      C:\Windows\system32\Ebhglj32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Elbhjp32.exe
        
        C:\Windows\system32\Elbhjp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Eclmamod.exe
        
        C:\Windows\system32\Eclmamod.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Ejfeng32.exe
        
        C:\Windows\system32\Ejfeng32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Emdajb32.exe
        
        C:\Windows\system32\Emdajb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Fdqfll32.exe
        
        C:\Windows\system32\Fdqfll32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ffobhg32.exe
        
        C:\Windows\system32\Ffobhg32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Fpjcgm32.exe
        
        C:\Windows\system32\Fpjcgm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ffclcgfn.exe
        
        C:\Windows\system32\Ffclcgfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Fplpll32.exe
        
        C:\Windows\system32\Fplpll32.exe
        24⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        25⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        27⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Gjdaodja.exe
        
        C:\Windows\system32\Gjdaodja.exe
        28⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Glengm32.exe
        
        C:\Windows\system32\Glengm32.exe
        29⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Gdlfhj32.exe
        
        C:\Windows\system32\Gdlfhj32.exe
        30⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Gmggfp32.exe
        
        C:\Windows\system32\Gmggfp32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        38⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Hgfapd32.exe
        
        C:\Windows\system32\Hgfapd32.exe
        39⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Hienlpel.exe
        
        C:\Windows\system32\Hienlpel.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Hkdjfb32.exe
        
        C:\Windows\system32\Hkdjfb32.exe
        43⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        45⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Hdmoohbo.exe
        
        C:\Windows\system32\Hdmoohbo.exe
        46⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        47⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Hdokdg32.exe
        
        C:\Windows\system32\Hdokdg32.exe
        49⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        51⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Idahjg32.exe
        
        C:\Windows\system32\Idahjg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        55⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        56⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        57⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        58⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        59⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        60⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        61⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        62⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        63⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\Icknfcol.exe
        
        C:\Windows\system32\Icknfcol.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Ikbfgppo.exe
        
        C:\Windows\system32\Ikbfgppo.exe
        66⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        68⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        70⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        71⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Jjjpnlbd.exe
        
        C:\Windows\system32\Jjjpnlbd.exe
        73⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        74⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        75⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        76⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Jpfepf32.exe
        
        C:\Windows\system32\Jpfepf32.exe
        77⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        78⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Jjoiil32.exe
        
        C:\Windows\system32\Jjoiil32.exe
        79⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Jlmfeg32.exe
        
        C:\Windows\system32\Jlmfeg32.exe
        80⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        81⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jqknkedi.exe
        
        C:\Windows\system32\Jqknkedi.exe
        82⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        83⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        84⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Knooej32.exe
        
        C:\Windows\system32\Knooej32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        86⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        87⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Kqphfe32.exe
        
        C:\Windows\system32\Kqphfe32.exe
        88⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        90⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Kqbdldnq.exe
        
        C:\Windows\system32\Kqbdldnq.exe
        92⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        93⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        94⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        95⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        96⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        97⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        98⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        99⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        100⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        101⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        103⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        105⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        107⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        108⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        109⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        113⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        114⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        115⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        116⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        118⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        119⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        120⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        121⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        123⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        124⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        125⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        126⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        127⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        128⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        129⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        130⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        131⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        132⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        133⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        134⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        135⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        136⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        137⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        138⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        139⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        140⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        141⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        142⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        143⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        144⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        145⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        147⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        148⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        149⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        150⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        152⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        153⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        157⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        159⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        160⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        161⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        162⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        163⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        164⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        166⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        167⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        168⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        170⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        171⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        172⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        173⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        174⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        176⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        177⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        178⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        179⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Oodcdb32.exe
        
        C:\Windows\system32\Oodcdb32.exe
        180⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        181⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        182⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        183⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        186⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        187⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        188⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:6560
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        190⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        191⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        192⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7276
        
        C:\Windows\SysWOW64\Plmmif32.exe
        
        C:\Windows\system32\Plmmif32.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:7312
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        195⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        196⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        197⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        198⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        200⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        201⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        202⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:7708
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Pmcclm32.exe
        
        C:\Windows\system32\Pmcclm32.exe
        205⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        206⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7884
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:7928
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        209⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        210⤵
        Drops file in System32 directory
        
        PID:8012
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        211⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        212⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        213⤵
        Drops file in System32 directory
        
        PID:8144
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        214⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        215⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        216⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        217⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        218⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        219⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        220⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        221⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        222⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        223⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        224⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        225⤵
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        226⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        227⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        228⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:8132
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        231⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        232⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        233⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        235⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        236⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        237⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8108
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        239⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        240⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        241⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        242⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        243⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        244⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8024
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        245⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7272
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        247⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        248⤵
        Modifies registry class
        
        PID:7984
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        249⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        250⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        251⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        252⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        253⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        254⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        255⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7440
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7996
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        257⤵
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        258⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:8268
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        260⤵
        Drops file in System32 directory
        
        PID:8312
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        261⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        262⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        263⤵
        Modifies registry class
        
        PID:8444
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        264⤵
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        265⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        266⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        267⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8660
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        269⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        270⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        271⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        272⤵
        Drops file in System32 directory
        
        PID:8836
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        273⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:8920
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        275⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        276⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:9052
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        278⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        279⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        280⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8040
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        282⤵
        Modifies registry class
        
        PID:8264
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8340
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        284⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        285⤵
        Modifies registry class
        
        PID:8472
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        286⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        287⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        288⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        289⤵
        Drops file in System32 directory
        
        PID:8756
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        290⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        291⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8972
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        293⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        294⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        295⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        296⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        298⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        299⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8652
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8740
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        302⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        303⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9092
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        305⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        306⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        308⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        309⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        310⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:8208
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        312⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        313⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        314⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8256
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        316⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:9004
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        318⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        319⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        320⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        321⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        322⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        323⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:9340
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        325⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        326⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        327⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9528
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        329⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        330⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        331⤵
        Drops file in System32 directory
        
        PID:9732
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        332⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        333⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        334⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        335⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10008
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        337⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        338⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        339⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        340⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        341⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        342⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        343⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        344⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        345⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        346⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:9492
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        348⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        349⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        350⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9740
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        351⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        352⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        353⤵
        Drops file in System32 directory
        
        PID:9996
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:10112
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        355⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        356⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        357⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        358⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        359⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        360⤵
        Modifies registry class
        
        PID:9424
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        361⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        362⤵
        Drops file in System32 directory
        
        PID:9652
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        363⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        364⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10028
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        366⤵
        Modifies registry class
        
        PID:10128
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        367⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        368⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        369⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        370⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        371⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9724
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        372⤵
        Drops file in System32 directory
        
        PID:9956
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        373⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        374⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        375⤵
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:9684
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        377⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        378⤵
        Modifies registry class
        
        PID:10192
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        379⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        380⤵
        Modifies registry class
        
        PID:9888
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        381⤵
        Drops file in System32 directory
        
        PID:9324
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        382⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        383⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        384⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        385⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        386⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:10320
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        388⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10408
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        390⤵
        Modifies registry class
        
        PID:10452
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        391⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        392⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        393⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        394⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        395⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        396⤵
        Drops file in System32 directory
        
        PID:10716
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        397⤵
        System Location Discovery: System Language Discovery
        
        PID:10760
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        398⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        399⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        400⤵
        System Location Discovery: System Language Discovery
        
        PID:10892
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        401⤵
        Modifies registry class
        
        PID:10936
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        402⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        403⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        404⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        405⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        406⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        407⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        408⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        409⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        410⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        411⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        412⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10488
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        413⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        414⤵
        Drops file in System32 directory
        
        PID:10612
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        415⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        416⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        417⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        418⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10780
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        419⤵
        System Location Discovery: System Language Discovery
        
        PID:10132
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        420⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        421⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        422⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        423⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        424⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        425⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11256
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        426⤵
        Modifies registry class
        
        PID:10332
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        427⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        428⤵
        Modifies registry class
        
        PID:10568
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        429⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        430⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        431⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        432⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        433⤵
        System Location Discovery: System Language Discovery
        
        PID:11040
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        434⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        435⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        436⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        437⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10592
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        438⤵
        System Location Discovery: System Language Discovery
        
        PID:10744
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        439⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        440⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        441⤵
        Drops file in System32 directory
        
        PID:11252
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        442⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        443⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        444⤵
        Drops file in System32 directory
        
        PID:11004
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        445⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        446⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        447⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:11212
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        448⤵
        Modifies registry class
        
        PID:10836
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        449⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        450⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10796
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        451⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        452⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        453⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        454⤵
        Drops file in System32 directory
        
        PID:11396
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        455⤵
        Modifies registry class
        
        PID:11440
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        456⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11484
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        457⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        458⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        459⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        460⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        461⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        462⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        463⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11792
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        464⤵
        System Location Discovery: System Language Discovery
        
        PID:11840
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        465⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:11928
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        467⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        468⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        469⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        470⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        471⤵
        
        PID:12148
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        472⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        473⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        474⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12280
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        475⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        476⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        477⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        478⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        479⤵
        Modifies registry class
        
        PID:11584
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        480⤵
        Drops file in System32 directory
        
        PID:11656
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        481⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        482⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        483⤵
        Modifies registry class
        
        PID:11860
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        484⤵
        Drops file in System32 directory
        
        PID:11920
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        485⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        486⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        487⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        488⤵
        Modifies registry class
        
        PID:12188
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        489⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        490⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        491⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        492⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        493⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        494⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        495⤵
        Drops file in System32 directory
        
        PID:11852
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        496⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        497⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        498⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        499⤵
        Modifies registry class
        
        PID:12264
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        500⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        501⤵
        System Location Discovery: System Language Discovery
        
        PID:11556
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        502⤵
        Modifies registry class
        
        PID:11696
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        503⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        504⤵
        Modifies registry class
        
        PID:12028
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        505⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:12232
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        506⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        507⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        508⤵
        Modifies registry class
        
        PID:11832
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        509⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        510⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        511⤵
        Modifies registry class
        
        PID:11492
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        512⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        513⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        514⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        515⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        516⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        517⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        518⤵
        Drops file in System32 directory
        
        PID:12376
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        519⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        520⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        521⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12492
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        522⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        523⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        524⤵
        Modifies registry class
        
        PID:12600
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        525⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        526⤵
        Modifies registry class
        
        PID:12672
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        527⤵
        Modifies registry class
        
        PID:12708
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        528⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        529⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        530⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        531⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        532⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        533⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:12948
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        534⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        535⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        536⤵
        
        PID:13124
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        537⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        538⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        539⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        540⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13268
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        541⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13304
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        542⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        543⤵
        System Location Discovery: System Language Discovery
        
        PID:12392
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        544⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        545⤵
        System Location Discovery: System Language Discovery
        
        PID:12516
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        546⤵
        System Location Discovery: System Language Discovery
        
        PID:12664
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        547⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        548⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        549⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        550⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        551⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        552⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        553⤵
        Drops file in System32 directory
        
        PID:13016
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        554⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        555⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13180
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        556⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        557⤵
        Drops file in System32 directory
        
        PID:13300
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        558⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        559⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        560⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        561⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        562⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        563⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        564⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        565⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:13076
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        566⤵
        Drops file in System32 directory
        
        PID:13192
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        567⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        568⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        569⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        570⤵
        
        PID:12744
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        571⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        572⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        573⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        574⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        575⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        576⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        577⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        578⤵
        System Location Discovery: System Language Discovery
        
        PID:13156
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        579⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        580⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12512
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        581⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        582⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13372
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        583⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        584⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        585⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:13484
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        586⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        587⤵
        System Location Discovery: System Language Discovery
        
        PID:13556
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        588⤵
        
        PID:13592
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        589⤵
        Modifies registry class
        
        PID:13628
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        590⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        591⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        592⤵
        
        PID:13740
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        593⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        594⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        595⤵
        
        PID:13848
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        596⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        597⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        598⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        599⤵
        Modifies registry class
        
        PID:13996
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        600⤵
        
        PID:14032
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        601⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:14068
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        602⤵
        System Location Discovery: System Language Discovery
        
        PID:14108
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        603⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:14144
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        604⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        605⤵
        
        PID:14220
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        606⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        607⤵
        Modifies registry class
        
        PID:14296
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        608⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        609⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        610⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:13440
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        611⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        612⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        613⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13624
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        614⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        615⤵
        
        PID:13768
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        616⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        617⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        618⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        619⤵
        Modifies registry class
        
        PID:14028
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        620⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14100
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        621⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        622⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        623⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        624⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13364
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        625⤵
        Drops file in System32 directory
        
        PID:13472
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        626⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        627⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        628⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:13804
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        629⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        630⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        631⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        632⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        633⤵
        Drops file in System32 directory
        
        PID:13456
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        634⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13660
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        635⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13876
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        636⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:14024
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        637⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        638⤵
        Drops file in System32 directory
        
        PID:13548
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        639⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        640⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        641⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        642⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        643⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        644⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        645⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        646⤵
        
        PID:14512
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        647⤵
        System Location Discovery: System Language Discovery
        
        PID:14552
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        648⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14588
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        649⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        650⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        651⤵
        Drops file in System32 directory
        
        PID:14700
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        652⤵
        Modifies registry class
        
        PID:14740
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        653⤵
        
        PID:14780
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        654⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        655⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        656⤵
        
        PID:14896
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        657⤵
        
        PID:14936
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        658⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14976
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        659⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:15008
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        660⤵
        
        PID:15060
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        661⤵
        Modifies registry class
        
        PID:15108
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        662⤵
        System Location Discovery: System Language Discovery
        
        PID:15152
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        663⤵
        
        PID:15192
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        664⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:15248
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        665⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        666⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        667⤵
        
        PID:14372
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        668⤵
        Drops file in System32 directory
        
        PID:14408
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        669⤵
        
        PID:14464
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        670⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        671⤵
        
        PID:14572
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        672⤵
        
        PID:14672
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        673⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:14808
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        674⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14924
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        675⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        676⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        677⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        678⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        679⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        680⤵
        Modifies registry class
        
        PID:15272
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        681⤵
        System Location Discovery: System Language Discovery
        
        PID:15328
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        682⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14376
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        683⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        684⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        685⤵
        
        PID:14548
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        686⤵
        Drops file in System32 directory
        
        PID:14616
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        687⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        688⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14708 -s 408
        689⤵
        Program crash
        
        PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 14708 -ip 14708
1⤵
PID:14772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aopemh32.exe

Filesize
96KB

MD5
03761223cb60bf496921e3fdcada744d

SHA1
ca2dcfb21fd8a9c152c0bc228448fb8c925bb6da

SHA256
f5fc44c11d7f73975a52bce07417580c18f78aa99b1c2a34efa1ebccd5de63f2

SHA512
6a4d4eb0a51a699f4344a4f14ec3c10a1d2dd3fe7f3f07e435b6dd5af1cdb0dfabf65b678e57297d804485bdfab424d0c5a04cc57b005844c44a5c3370666dcd

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
96KB

MD5
da9950935568049d5ff587979ebe67d2

SHA1
70e8784bbf66276920b8fff59bf48913b4b68949

SHA256
608541c6317ddc98cc0126fff3996404c20b6839a85aa9681beea92d600f40e8

SHA512
82af44dbd9fbfcc5b049bee85012865f2417805c969280488fa438a2f28b5070b01ab1f3c095400d6429405f9cfebafb775ec292cff50dea70345421d83fa19a

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
96KB

MD5
861bbf2225b77bbb47b81cea51dcad02

SHA1
f4cac9a75e4ef0edd95896592ac4ff49cd65b943

SHA256
582a2f18d79b501570780d1a4646c4256985db3a5f4f69ffa53512eec6e8efab

SHA512
73618d9991ac319df4c3a6bb96d7660cd03735202cb87258cf6500af463620e5190f3d6178dd6b3e17a7d014518ae55cc71027b47f4cd7150d018b7cf4d99df3

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
96KB

MD5
7f1d858aa42df29b1b2d1e7e1b24eae8

SHA1
abd8b4e8c9350b199948b833307f8f23f7520f76

SHA256
2214553c1068a93bf728958501dcb0f14f114ffb3a26b7c7103edbe44cf8738b

SHA512
a055ff8afd376ad28ee61efefa0f1e4dcec071cb9d296387aaba65d380eb5676fbbbab45b333f453d3a1be96bf635d69e298eee4320bddfecfc71e5ca81a9b3e

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
96KB

MD5
e0fb052c9d85d2a27fc0d7dba10b2456

SHA1
b4f941bcc9089e891fc81bdc43144873a6c48f3b

SHA256
edc98d6aa9a6cf06afe993f76153e8a2b94ca4b2ca2b731cc2bb583054b7fdcb

SHA512
978116af9d55521bc1d74898ec3367594a4e58f7c7d3f9e458e42b65d7e0431e952d13d5a75beb9ca480eb3cf33f3fe1c82c7ceb7667d3700c4c87c2ee3f9d7b

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
96KB

MD5
1e24f50065a1aa868738de0baf3f7cba

SHA1
6178f920d28b59ff2af67e822ac3bc8bc9371cbe

SHA256
f3ea87ff2746ceb3396c577b62b7e767b000957db38629169395f557f06e3982

SHA512
b1cf3e94d9f960e0dac08f24ef3b9e0b51fcd128b6bf17f78c17efc456d83a3fe95927ed61e05942f1636c7815bc107349a211da7cb1c3897034dc3dd8d579f6

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
96KB

MD5
058293ce37d7f62d4d02955e23ea935b

SHA1
a5c56b94f8eebb3a09914f640364dd90337e7a05

SHA256
a4cfa02bbf839087b4b1366a303c801a0bc13dbb1282fa8ba63b27a10d0fd339

SHA512
b1edf4c3751b6150705555189685a86c4bd75745f40f1ff6190c323875ea3fb84fd15209b0a28e1027fd0ceedf43c67bb1d76bb2cdb676f7adcfd67b182d21c2

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
96KB

MD5
aebf89dcfbe5756b53641d99795bf032

SHA1
329d502e069d4afa062b92d5adb2a09cd72a79bd

SHA256
6704bae692556682f0502808545e984c7ca7d4226246292a87a01f8ec4e1ecca

SHA512
091e4a2f2ad9a9bada6501f283af535b9fe5aa18eb704f74c2b1895d70a6f18180ea507fc0cb968aba5e391a6b6fb3ba5ca9ca980b99e68ea26329c79dbd3f77

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
96KB

MD5
5d75a58e8b36aaf551be655d277eab80

SHA1
82fcb24207c6005da48815f7adc81473e52bc281

SHA256
a7f866a557c7d7dca22a9f862b488269182b991d592abea24cb8c0432a7a2a75

SHA512
61368ae1d3f5432679a3cb66b5ef14c46808d95ca3e8b21f2abdd6d6a965236e7665ff5cc51ccde4caf1da27e6346e60de3d873aedff80ca08d1d01dd63e565d

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
96KB

MD5
5a82970307a96de2472f203d5492a09a

SHA1
731f40eb019a9ef92bd704addcc5f9ea9f94a438

SHA256
7468e176f4c37296546066c478fd1baf4062cc8600819f79079a3d65ed41c615

SHA512
d98a8ce7ad4a3cd081f0f4176da448c7e2cf30e0c7bab1e7239ab25d960adb1072816beeb1916bcab3daef7f89c3121b1b462a46b5812d301685b45c11992b06

Download Submit
C:\Windows\SysWOW64\Ebhglj32.exe

Filesize
96KB

MD5
2e83006b481893dda0dfa59b52ec80dd

SHA1
5606bf86a37db5cd2c08332788bb421859b8fe30

SHA256
3008d5fc84543bc8df91edcb2504636ed38d099e7af35d668b20eb95557c2c64

SHA512
98a75220b85591d94608531bade56e5424fe4d8a8e833f7d3c0e3cbf156dafe855b9969b46de02e95232bdaaf665c17c0a368ec6e3c5b13cbad5662cf71d1195

Download Submit
C:\Windows\SysWOW64\Eclmamod.exe

Filesize
96KB

MD5
c700508103a11e59d48cb5dcff3da4bb

SHA1
698cd273cf983cdf5ff375f3fb06b2326d9f6d71

SHA256
c2342f20728d8c5f5ad1ce0a768fb2f4f3f2f039b6470c309e3f08fcf641f83a

SHA512
d944a184995f939b7f0c6ed162b8a72f41a10f36a8f02b40aa95de7cc3d16abad8aed555b325b7183f6dcf205ae397b234ac81011c18e368fd5aeb77d92f5210

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
96KB

MD5
87e2da2aa30433eac037bd43f7bed556

SHA1
59aecaddd922fd70ab1b43cf03b9e64f22ffa5e8

SHA256
679cc0df09ae91a2f6db9150fc6f81b01c3e9c73c6ee32e14fa9d02e3d5238b0

SHA512
4313b115b0de36b31adee08563b9959402274f7c1792c09bc663a4616a0007420cb006fecb4cb27dba188ba7f33fe6b7467963f0e163fbadd9b84ddd37637a4b

Download Submit
C:\Windows\SysWOW64\Efepbi32.exe

Filesize
96KB

MD5
187680022c45891b3a523b4e196211ce

SHA1
3ae56e956a6729147171b5b3bd4c2fc25af76e9b

SHA256
71358ef365f11daf8a1573da48b72bbb2821c1fa6c7123252016f4a93c9b30ff

SHA512
adaab6c8d620f4d819736cee4587fcb88f55b633e94b8ff72da9f5e351011fbd7f73f32832bdba4ca9b01a96241db0c577e3ba0594044f99f0b99e954fd9da0d

Download Submit
C:\Windows\SysWOW64\Efhlhh32.exe

Filesize
96KB

MD5
ace4240a9ef2a0643854606ebbb5c3d2

SHA1
bef021d3d10a396f214d9613e9fe1d1c70bc7a97

SHA256
ab62829d32e0254cb772107d521ed0a813030a5ad7dcfc52c0222656ef3073e3

SHA512
ff4f7292414cb1ef82592b52391012efd408e6e3dcc776ab8cccb0010d09cdc045eedbdfbb9e816ef2c8ae2709f70853aa7935e55681ef43b31340cc13d3c139

Download Submit
C:\Windows\SysWOW64\Eifhdd32.exe

Filesize
96KB

MD5
feb273c5ecaaf4ca25f28441fb75c7e7

SHA1
2328b2c98485f356585d0e4c3d9ecb609ad7fc95

SHA256
453a405769f68021ec046404c8c7bfa9f86ae87208b24d3353b8cf6baa90e7f7

SHA512
974152b8f7a14b374ecbfd88788cac81d6dad4688fa92d0501d07ff3d7976ddca8e4a3089b94c8bd1bb8aa0e8253698d7aafe6b03cba7b356fdd6e7010d2788d

Download Submit
C:\Windows\SysWOW64\Ejfeng32.exe

Filesize
96KB

MD5
05adaaf10d426450e59af87556e853c0

SHA1
97e6d31c20c4d167c7817d95d27f5ff1fac49fec

SHA256
528f6375d979ae5fc2ddc4db73c5b88d2908298ad89c2364c1ac4ea5d0e9a08b

SHA512
1eda8aedeceb5fde48588872d3470cf7e05e27d107c15a09a7112c3011f271159744ad8836599f17dd93f4514c8e634d847afd9c5e4fba8fcd4d3469ea9215dd

Download Submit
C:\Windows\SysWOW64\Ejlbhh32.exe

Filesize
96KB

MD5
4da72beb358d2f790c676baf92b1ed3d

SHA1
2df390a91a0948cb72c7fe1562c27949c49cb260

SHA256
6170fd09a72b407ad8e60e2bd153ba8b7f3e85451abd59b8c8b16a11b363e725

SHA512
987e7776221f0830531bdf2d47644bfb710ed5ca9b870ce3885379f9747ef6a5c23c6bb7b7777b9bbc1f23c7ac930636d4666581f0e51af2eb18d38cbe0a7c64

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
96KB

MD5
ef531306fa45a7b44a0f793ab88e7bb0

SHA1
a27a716b1f3bdb9bc4ed4f4599c27466203abcd9

SHA256
d38f0037ea64d8629aea913fc67b0dc5878b8f325f1a7b9d20f5733ffa54579e

SHA512
6682091acff218beefc50cbfb1ee706ccb274056ca807e830ef222ffa8d9f92535b588714289ccf879a2c1ca1959ed4d54f2562be575402e3aefd8164057943f

Download Submit
C:\Windows\SysWOW64\Elbhjp32.exe

Filesize
96KB

MD5
508b5a7c1b76c2618e20b1e1a7946e01

SHA1
31f8d955d2616f8f475ee3a315394ea3ec5a8a05

SHA256
af4a174aa04cbae5bc74bdbadced4d5cd4799634986450c6264e8af1ef4373df

SHA512
5c8cfa27b6b76fe39200787059e7deaa61315a2d00bb4bc08add63f66869678bba853917842a49c095e10474edbfc4edca4a2389404b15b6dfd13b53609f8d7b

Download Submit
C:\Windows\SysWOW64\Emdajb32.exe

Filesize
96KB

MD5
d638e899153f7fc2abdfe88cb2cdce0c

SHA1
3df9fe918c04492ca26df70ea69dcda9c9e72e93

SHA256
3066f175c2ea37a7428ce82f3d5e2ccfc5b7d6ba931a05b52c920eebbbc658c8

SHA512
fefad42d91e276ed9646484180aa86c82c5e7e429e7e0d9a01672e9dd5064a7fd39f34799b00ba86b00986fcbc56b31d1c4bdf6c21d0127c0730740aa5bfdc0c

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
96KB

MD5
9e9ca6c654021df301e350e46c0e653f

SHA1
afebea85e147b90b874565aba747c21d0b36896d

SHA256
6c697aa28b4554043933f374b28c17d832fef4226bc8210fc4eda783c6c42a0d

SHA512
3c4c214f697c1227b8d9f3468725a22959d11e8a89ba30408e6ad974deee4150f964cd8c3f2c969184171634643f1afbb4b8714c3c6f1dd131c9beb9aa9d5204

Download Submit
C:\Windows\SysWOW64\Emkndc32.exe

Filesize
96KB

MD5
3b1dca3d53a26e9d2ed7c1f9f7d23d27

SHA1
769dc9e24355c5c4df5568626bab8b147e96cd52

SHA256
f08d3fb771a1c03c1035300a9e18272dae6ca6f584f5bd2f59cc37e15d5c684e

SHA512
bd3c681b7f990ee98acc34bf0aa828015ac0406b725176220a40a5180bfd24fc670648d00ae65b55fa3ca58472c38f3b5666a50c5ba867eca12a458aadb2fdf4

Download Submit
C:\Windows\SysWOW64\Emmkiclm.exe

Filesize
96KB

MD5
c752522a461cd6bfb9041a6a99cef392

SHA1
005352af27bcd18e714cd1c84b784e962a0ccec5

SHA256
cb9429363e6c05bc672349ac1b3c19671cd8f4f1ff3156a10092a6f0d9c51757

SHA512
f3312f4e576b7f02cc79f3972e013872672d4665a511ac102c2c248cf04f57db84c0d3b7edc61c3870c36b43b32ebacfb4ba154f0e02bde49e619a8355b52bf4

Download Submit
C:\Windows\SysWOW64\Enhpao32.exe

Filesize
96KB

MD5
425697d1b84061a5c16040ed04c01c14

SHA1
9eca1702211463d50a3c9344a2da0208543ad8b1

SHA256
fa44f0ac87d3bd628a17f05f8851af761fb2560be81dfaec3d7e96a385afb61f

SHA512
7a6dbd6fef780c7c548a8698a13b8e650ea6342359ae1a109e12eafd53e33b27751075c9d971bb9077f393ddcbd4a025716870a1203768758e64c50902534a16

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
96KB

MD5
798c7afb4206422bfd6c5d9a5279d63a

SHA1
ab60c7220eee0513fa2b2e58a35ecc3656b20bf6

SHA256
801c12ec6cadff5b50733302ca1844a86e7766127212bc7fd84ee0625e52d058

SHA512
00ec17f1fb28f2bc1dad3558be7646fd514cb13b40a58403b2af9efdb9c3151ee22e1179d1a183b812b196f020f5ab6c3f4f679b8e8d93ff375ebef6765f0b52

Download Submit
C:\Windows\SysWOW64\Eojiqb32.exe

Filesize
96KB

MD5
28e8eaabfe107cb2547ed546fc4ae244

SHA1
e6df762254432e6bedbb89e4b3564473e43447af

SHA256
41fc91e4f718456c3a4becb9e5725d44cbdc33d87e3407f65ea5e77cfb142181

SHA512
cef404499423e17a33acbd30dc912e19fc5c6b84c2ea575c30584b74071cb8ec89a374060f1b2d28e8023036af22cbcbf9ae6d6906c843a7d905c6f8dc5dcd43

Download Submit
C:\Windows\SysWOW64\Eplgeokq.exe

Filesize
96KB

MD5
fdb1c32357478f4ba512e4664912da9d

SHA1
260d1da9ae566bf708e845dfc6a937d3f36d2485

SHA256
aaac2a02a745fa5b946a246356c639dac8db4f7b2ace40f4a89dfea5e567c730

SHA512
a804323fd84de630f525be87a25cd39ee3876d43de85c9298b23822f29c83f4bf14526760deb89bfc3ce5f3f3e7cb30509fe981ae65c6d1b53cc24b7c6be0126

Download Submit
C:\Windows\SysWOW64\Fbfcmhpg.exe

Filesize
96KB

MD5
5e9cc891baf80630d3a31990fac92c6f

SHA1
f18232861b70c9229469cff9af8736d7fc651550

SHA256
e673f99f6cd72b4599d71d1f20eb0b59a44debfeec3812042cb54a0f77ce37dc

SHA512
ab0fbaffecbb1cb721c181e610183452000ce1adafbc230cb38edfccd7732bb9795bba75a630ff4af6b06b1dc001909ca88179ce2b38aa38ceda7947172445ba

Download Submit
C:\Windows\SysWOW64\Fdqfll32.exe

Filesize
96KB

MD5
181ec53e212b808463bbe58aede7c207

SHA1
1938a87becff00e5d00aa8e531d4bfb727d69950

SHA256
ea594b83cc00ddc85fb22f78323fe295a514a70c1c880903d49923b7750ea81c

SHA512
4686103526ca4494055f5c00b06e37577c2c4be6ebf90ccc0eed40be0ec88a7724bfc7217de9ae41e71ee0f5a5682e66fc1d9da0318c129594c9deda1da8ddb3

Download Submit
C:\Windows\SysWOW64\Ffaong32.exe

Filesize
96KB

MD5
95590ba4ac5285fddce8d035acdc0c1d

SHA1
31cb233f6c043615cb93d7bf33f55d22aa38aad0

SHA256
bf37a851d54bdd20f5dd801cefb25fc2d611940065bdad2eb213851dec689852

SHA512
9dbaf8ade2b0658858c22fabed99a2d11058625955d59ab98e98dc537d7c79c4a2fc4653509d16502bcdcce1150116850ac60b95f7abd014f151646105c30a87

Download Submit
C:\Windows\SysWOW64\Ffclcgfn.exe

Filesize
96KB

MD5
385a06abe584ec4c4490c41181b77ec0

SHA1
c9ffd6ddabd4b12ad7bbfe235af64b4aa3041579

SHA256
b9f3e698cb18d4ec26f2f5c37da5a79fc73e2a0c2d70d46169e676f35a5b20d8

SHA512
dfefd51ddbc86ef13cfda715466412f6bf1ca6a45424bce6fa508f6807640a1820415c9c85d8e244957eb5500c8eee564f5fa3a28dd2d9ce3bcf1a3fbe207ae3

Download Submit
C:\Windows\SysWOW64\Fffhifdk.exe

Filesize
96KB

MD5
6e9e4a93d97c4519e0258866ed14225d

SHA1
b2ddd30aec80ac066e94f78c883328a799baee23

SHA256
17f58b2db700051de90df8da9d11910b747b0af98476cd4ee9ab0ee9233b8438

SHA512
445f1289a82e7750c70ad86a663467e913fa48635dfc6e90ef4add8280a575d13eaa59deb8aff4452b5fd8dbf8978b812de16bbac351e4d44181502fd83cbe88

Download Submit
C:\Windows\SysWOW64\Ffmfchle.exe

Filesize
96KB

MD5
771a98092b59f366afb1cd5af9ae031d

SHA1
7e3f83c3230a8d4cf68bc37a8634e049b45dd157

SHA256
adec8bb4765a78ae0e8dc0f020c59f722dda75c868ed6eb5ed0d77676d0f2d11

SHA512
692fb701086d24c2b4efc13e0e011d635c1993823e120dc84a92ee452a7cf4c33d47adcbeb44a1d427277ede4af50762c2a2757f9299b957e31de33671a796a9

Download Submit
C:\Windows\SysWOW64\Ffobhg32.exe

Filesize
96KB

MD5
2c45048fa6bdfb5f60e9f65f55310ecf

SHA1
ae7ac40124be5abbf98b966cb7679df0605d0769

SHA256
da1bf24225adc6b00db0eddd2575b41f592b672cf89c4da969988159d4a42a22

SHA512
835166e96fb4e6c3d90d7028f5974c5f43662ede09f886c1aa397f64f8e2ee4ce2638716b486780a8419df520d4e26be857b2ef8869af0c0036dd7358af6814d

Download Submit
C:\Windows\SysWOW64\Finnef32.exe

Filesize
96KB

MD5
5650a491dd1afc1792667252b6d4f57c

SHA1
9afc79452718c57a8610babc7938bb26816b0eec

SHA256
830c01c7a973db3afab3980d4e4f9f93edcb8f22fd3c5c907645f7149ed80495

SHA512
4081267108b2c0c3e479f06377eebb570924fe7424a34981818c9e3a51af9d87f10f1be18631c521e85b603289f3e4f97d7f95fd5cb4aacafcd6665e84679dfe

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
96KB

MD5
44bd3f53f021a2df9483c5a1d3e3dd6c

SHA1
4cf97ad8a7211c73e1b7eba95f028956ea309118

SHA256
282f941d380f6ab2eebc111b349c4286646f62c3d95b34e59862538340608247

SHA512
7da152872ede90f6a37cff2c4745f229008495c4ac80b83406b2f805708413a79753321527051910e5ae7ed6b6b81dba88076b244ce816b0925c3ede3a66c52b

Download Submit
C:\Windows\SysWOW64\Flinkojm.exe

Filesize
96KB

MD5
ae28baa79f78b47c40d5ee39aa52747c

SHA1
cbdc3d96cc4577cd858b7bab24bb3e1bb44851b6

SHA256
f57c95521c4148c0ed5da68f2c44b46cb406918f218e9a738e5002ca8cafc7d0

SHA512
095588b42be37f267942aa1922ad195e3b40bb727189a6ccc63ecce168a33dcf755fe208171b5bdad7f80a17a3ce04d0ed525eea4c3fcff7b1d1ec77d0207845

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
96KB

MD5
5f870838ea1050a4b4ac42fb79a29e71

SHA1
dddd9d5b6e6aed8b4e688abbbb861086ebe8d319

SHA256
626f225ad2e151333750f4052e78bbe838f9eefbbc08cd7024eb60cb59981e80

SHA512
e81ebdbdd00f16ef1cda7a787ccea4a38779279c53c92a0129ef4c5f7d0eccd3b86c07ba335ea5454a5a7014987a8cc8e8405e1c3e8b324fa97ca9f5c8d505b9

Download Submit
C:\Windows\SysWOW64\Flngfn32.exe

Filesize
96KB

MD5
ad99ad4d9995649a7c6e8ab12bb8587f

SHA1
a44b515a4858cff13c2bdbd1ae691a01c7709d56

SHA256
6735a25013cfb8c8a52ad815440d027a5442517c0d443a574cc0119bc58e3613

SHA512
15babfa9f5bd78ed995e77bc00dc59edd37f7c78d347f13adf6d1a571bb553a9e6d2ca1b14fd6f99307579f44c736de9fce7f82cfe3b756eaf2ceb3707cb56f7

Download Submit
C:\Windows\SysWOW64\Fmikeaap.exe

Filesize
96KB

MD5
8390479428d9edf1e58ffe80678f19a8

SHA1
834662757cd7f9d91990677c764b15352bedfb05

SHA256
4b753052f9fe2e76e7307e3fd998df182d5d8f857055e9240bbfa06948f54086

SHA512
be44422353f8cd87588c99d9e2310ea97ac5548ba8b4b6eafcf5ace145e2ef934ce86bf1fdd16b134b3e58533e5d095e129cd83eb70b4ddcba05d4a6d4f4d30b

Download Submit
C:\Windows\SysWOW64\Fmpqfq32.exe

Filesize
96KB

MD5
8e33e2e96c6bffe3d38d891377ff60b6

SHA1
0b6d9a4d28fe8e1b64098814dffe1b07240864ac

SHA256
8b0d2cfee447aa009472ce6713bdc8bbaa38079ea8a52912a6cc6e3da02b53e4

SHA512
b124b68443f6b74961b1ae7988a540c06d1de6c667bdd97f6ea6e5d302141b9e34b92e4f4a9e757a6c0b099dddd31deadae169e4d54c118dd7fccd4048bb4a3c

Download Submit
C:\Windows\SysWOW64\Fpjcgm32.exe

Filesize
96KB

MD5
1557631693fbf63540a2675c26351fb4

SHA1
5f1a3e1e54df04bb16ffec499abd609af6341267

SHA256
9960a0308fa1ad49c18cc8fba9e6bdaee62f9291a5bfaca240fe48c2d95311be

SHA512
61d95fff3f0dec4e110922cbe76cc1abffdd32e1d92972d0889ea1e6649d9856fccb7e6ec44114d285c0abf315fe8ca14bed7a195777083f2c6013ef86954745

Download Submit
C:\Windows\SysWOW64\Fplpll32.exe

Filesize
96KB

MD5
a8267156464827dbfd30a3a9bf28d7ee

SHA1
26591690f5599d043f66fc20505e8c36c0aa7ea9

SHA256
737c6c03f09dbac502469d0b0804ea7867fb186ff752e68c76a87baa3963fd9c

SHA512
460c35afa6b717f1c8135208da32d6529f83b12a8125f691afc69be212b8488caabf88645af94c6bf7e67b23e59926f99b1f9257d2e0761be8b430f4bd70df8c

Download Submit
C:\Windows\SysWOW64\Gbabigfj.exe

Filesize
96KB

MD5
168087d234434556d79a878d381936ee

SHA1
78b02ecdd8899d7ce43c195b73c6b2796d422c6e

SHA256
514507264e4993d82707f362dbb8d1d9097e77d378aeae3736964e726c4ee9eb

SHA512
b6af32cfb4145195ac6a0d1c4730f7ef12a8d6d04851eeb9f1093ce48223fdd0d5cf327f7f27fb5aab8bf866fc8b89389e9b384574eea75813e5f96141ed2709

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
96KB

MD5
86243d25e2029bf511d9332fd7fc5229

SHA1
aacf818b324a276780f16997587135519cd1dfcf

SHA256
40a0c7befe543872a2bd10fbab67ad3eac2e04ffa0024b8a839d1b7d1c60eed2

SHA512
b44c130f7da47738fb5fa4b64ac7bffeb16f7bb2d48768a98d9ea5ae9694adb2f3e04d0a3633912e0e897302cd48b531c34580e33582507602ebfb2cebc9793e

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
96KB

MD5
9f6fdf92a42bf35af525313b991c6fd5

SHA1
e665971eaa8b7187eb72b45340d4c5077d7451ef

SHA256
29507893f5fec8652ba4b701125cba76a455081fef89b8208fb2c72fbd184d4c

SHA512
16549004f1df9d9c7ac72de9bad3469cc31cce3dbe737c3ec17a155c400ae85444da7961eef7deb7b2835f658d3bac5508ab3fdcc041a9584763a4d6d2b605c3

Download Submit
C:\Windows\SysWOW64\Gdjibj32.exe

Filesize
96KB

MD5
980c692a1fcb2d2c94c12708d247b267

SHA1
d2064e6e57525495f091169bc49965554220a24d

SHA256
ac7486e22bc27c5cdf18b72095d4c93131c896136251ab8f8d608d711210818b

SHA512
33e66088b82527039e11c2261c8fef231e0b74f773ff14691208a3785860b139e8c6b657fe45ec24fd1b44a180f4a9e3ace7f84ad1fbd252857129b1b3b3bdf1

Download Submit
C:\Windows\SysWOW64\Gdlfhj32.exe

Filesize
96KB

MD5
dabf670e473d6f3fa82523bbc0cd6906

SHA1
6e6e0028034d46f32cb099ccd3b53276d3127585

SHA256
029b5488108ee39ea406a189f6cd5a8f6b0f50ccc9bc3253312e39fd447073cf

SHA512
df24883a60f143e557aecf3e159914bbd51f5663b28e749fac0eefac897b49094fa5461d63944e581e2c249bbeb7fbba5bf88e65308bd97292b11c082fa57bba

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
96KB

MD5
a726d3e3a48ce534c90b75921fbb6448

SHA1
4cd9eeb8f18964bb965fe940173e5cd0ea27b2db

SHA256
79873b4eda0bffbd187d92fb937307e74a0497de1a905a299255612b38cc9f17

SHA512
cc5ca794141b5bfc6a5f1bd0307860676e31f54511abc138cdcf5bd176aba24404b8b49474c11569361c1403204b43fcc72dd68137f6efb4784e4521ea3b1320

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
96KB

MD5
f2b8e4581fe4aa14321003ce2ef89127

SHA1
72600c635073305be020076f5c9260aa6a15ba2a

SHA256
d27f976c46f82e7c0958f6b0d94af81f06ce00d8b9f06215cfed2fb7579fcc0c

SHA512
ea6361b27f317b3209bd5cd1dd9b09bb7d59b1f2077339716d6c5d3bc4a5437fc60476d88428629ac91cb991247a4b58821f21178c088bd25d8de46220c20255

Download Submit
C:\Windows\SysWOW64\Giinpa32.exe

Filesize
96KB

MD5
79f2dda46c47ddc95530c0e28eea688c

SHA1
47e85d7ed5f5c7f16a50fa2521668959ea8f876b

SHA256
e09ef5eb7ff5b216cf5c4a316b11b8713b4e362eb1b0c2e8c19ae22dea5299a4

SHA512
d27496b04c6b51a2c409a6b1fb1882c0496723166ec54b4cba4ec42cbf326f104a4f4e189e84c7a859d61809ff9c6107ece4c06939e4074dc81bb58aef0a4eb5

Download Submit
C:\Windows\SysWOW64\Gjdaodja.exe

Filesize
96KB

MD5
b86e47894022db1abae70b97f158d5fa

SHA1
165d83b59322f50d2d7d1fe8c289250bb8031bd2

SHA256
55d02e3c2da48499b4b861f73408b7f6aecd0239a0d39fa130fc89602cda5612

SHA512
2a333e5c70e91a81d46a7778bca48115d05083f47bb16cde8d8ce2a074c59e1c62ae3cf06ed6667896f05c08e6965ac308f2f0083b3b2ff773d36c7e281bba8e

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
96KB

MD5
e88338fa702dfe5480078eb7797ee891

SHA1
a49f109657ee6c4fcb61cdc44b3a5e660f54c132

SHA256
08444e24f84c8d2b27323f86f25381cd49d43832ece75fab75ca43896002c451

SHA512
924f6c919bb327a8e81e55a22208ca95c014d7d9d9186b620db4e0c0991c7887e6a4220d42b0a8fc4bb25816850ebde2ebd6e1d41233ae63a3692933171d934e

Download Submit
C:\Windows\SysWOW64\Gkoplk32.exe

Filesize
96KB

MD5
d63141c0df85672af73742dcf7c47221

SHA1
b3c1eb2e0d0e12a07d803257ad7192d49063b8e4

SHA256
a8776ac496ecee7dd90c5d6c8089b0cae71b45087dc24386359bc43bb3a5f2c4

SHA512
5c7b731c5b98b5f4ad58ce4675d1e5d2e11f00e28d9909010743c0f289df9796d8da8ea2e09bdf7b04e272260ae35610f8315eae77b59939ada3d542f2124050

Download Submit
C:\Windows\SysWOW64\Glengm32.exe

Filesize
96KB

MD5
4eebe3bd2fd4b93690fce7ec5cd80693

SHA1
906f63ab41dd0ae7e86ac9b227dcacd1fc7a4309

SHA256
4ac0745b0bf674eb3d0e7817462b14cd8876bf7bafc4c36061f26ddcfeb97cbd

SHA512
8d74751bc24900417b31793339556258f239aeb76a417ee5119bc2216ca2b70d765bed47632e1a523c3002c4666afefcdfdecd34680689e3ca7c7a8f844e822b

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
96KB

MD5
0fee432ea627bcb1cbd4801aff438f55

SHA1
13dc54b480718003696233373c21532265e2c85d

SHA256
584742f293f304a32b7adaf49dd8216382362e7b9abf1a81b9bf366fb408a674

SHA512
521b12204fc62008c72611f25e6a31d4433efd15644549754816fa67892d459bcad3095f047d3df3f6504a0f764ccfacaaf462d0c25087f56d91249cfb2d7a37

Download Submit
C:\Windows\SysWOW64\Hahokfag.exe

Filesize
96KB

MD5
3763c01ba4520315b62c255329c9f68e

SHA1
5cbcc44e1d3bf4ee5557bf31f796a862890dc8ae

SHA256
85dd2b1ecb6e867bc70db44d8b0714328427ffd9c1eecdc0f0e5f76d0630f7bb

SHA512
8d7975f9b5cdb17e16fc162665fbf63b2ca5f1d1637858715ea17e8998c52d37a135f48a850f3665d26a23886705e0384b3df33ee465855a9696a32e781a4bda

Download Submit
C:\Windows\SysWOW64\Hajkqfoe.exe

Filesize
96KB

MD5
e0d8bd2143e2ff22da4ae462682c58ae

SHA1
12a676d2e5d9dfbdd16a3dd45e70fd86fe195f36

SHA256
b124064be9f075c081319525106dfd4c0392f084ea6c3433577f13aa535c0db9

SHA512
2fc10f0a641737c54c8d77278aa10ceb9500c2f9aee8ad5573203257952f0d94200a30a8264e5a39733a3d070414e87694fd3c8706c3c5410be789f3c67aaba0

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
96KB

MD5
4af46ccf45d39ee8822e2b6d12d8d905

SHA1
1b6768fa3d314d4e3807bae894af4174e49d4d53

SHA256
9ea451d23ba6c2fb6d253b6e73498979e6aacb200428d80f9f60ae0fcfee3f60

SHA512
35185337d28ebefc9c6a8d79f2f0ea7a9907f7098e6fd0fa19d8646b5e523293935ca5ca767aee58586b54076d7c0b67a662ad38da491fc22c6843e78c1878a3

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
96KB

MD5
cd12ac78fb68b26af249a4ba6a199240

SHA1
55fe4fec7bb1f9a865f1d23bf8dd545102ebf6a2

SHA256
d2c28c26728b1ec6fd0285fb0292b5920d911ced0131fd65898343f8c86d4659

SHA512
d0c429356e8e9216a750bd726b0727f9cfbf0a9f5ae587989a6d99fe0e4f86dfd550e6017d067cea433830b82d82f8dcc8aa710357aa64ec84607adbb1a9b521

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
96KB

MD5
1a430c6e597af0d4e98f00eface74c5b

SHA1
f6258c27bdfa04bb97ca114e2086c1f8f3468f9e

SHA256
c173dbc2d281058b290783ab88463b8d7e4053d8eb26f1724e3f84096f720168

SHA512
6c0d4078543c8502e3557ccf04a88a08da7c83f4e67683a88239e2026b8931726ad6ef42a813940da8187e4337e59a7f9b588d390c20f65cc34de52a48728209

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
96KB

MD5
c1f9e0d7e0aae1a681091ab4ceb91866

SHA1
5931f0fb3ce76d251f93f79bc1574f78870803f4

SHA256
81295f061eb5b766d4cc3beee127a03a113a20eb8b38ddeb46a1dedd9df95863

SHA512
d2f32f371b5ae7e4313ff3dfda86a0a9c91d6d2800b9d0b1e3f88720e822ac100efc1247b82c36e630a979e2d0f6ec42d39106a7f5eac519b4c15713793becc1

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
96KB

MD5
b24a0be7fee08a680786e1ae2e74f64b

SHA1
00880abc5ee6d2f0b258c0ebb72ad15f9bb3eb4e

SHA256
9e816495b6ad5082413e91acaff2bdb948ee76785ae60da897cc79919e0b7977

SHA512
aaab5c41d511fab8078bc9cef99a2c0800fc823806446ae947dc7d5365835ccf3b2efa8581f02bb136278d82e8e2dc00ab0c499a3b5f822fd658415b552dfe0f

Download Submit
C:\Windows\SysWOW64\Impliekg.exe

Filesize
96KB

MD5
41cfcb186ae72c7788b23d1ec5c41eb6

SHA1
165562fedd17472b8c128b7bafb37fec49774fa3

SHA256
258ee023614a1d1371787a82ffdbe511d39e605bc09f8e941cb03286679b2743

SHA512
5b1c688d87aad51ba0b307c2842723c1706044e4295166cf4af4c0f03d135078532dd2371a346605810d194f03fe6ffadaa0d0e00a6da537e9f01fe4a9d40f24

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
96KB

MD5
a571ff701f44bf680d1ca1d9f6a1d6f5

SHA1
f68a4afbe35c842c287750b3a3ed7bbc87f6ae7a

SHA256
b3f215d3e3e593900ff8f2704471dd1f5f9fd5b5433b65388129de9aa43d0b13

SHA512
6c9b741b3c6c1dd1195e3a61aadbbf08a50e60cba61e3b3be813def9faaa4e578fb081412b657965473cbc166a2fff5290fbe97c84b7cadc8d1591bc4a51d9b2

Download Submit
C:\Windows\SysWOW64\Jcbdgb32.exe

Filesize
96KB

MD5
2f0cb318e0708e7d34d81f4fc4bda669

SHA1
6f8a78fda4cf3f6b12acb98d681d482f13d79ddc

SHA256
b093b37ee68ff7153258d6bbd01cf0f440a5f577b4477a1dd136e0cfb5aaf163

SHA512
2b3f722fea85576d85b83881193e8df633057d8da22c1d0cb5571fa8a8bdbea494a986afae4aedcd29f6b8df45d647a374cd59685ac87e8d72811d06115e9fc0

Download Submit
C:\Windows\SysWOW64\Jdmgfedl.exe

Filesize
96KB

MD5
81093aeb477800c69718f133b377ed2a

SHA1
b766206ce0fccec2977373cfbc9647f8140651f1

SHA256
958b033626b587047bdc953375fdfe5bdb97512440738cfb773cada4c29fdc0e

SHA512
5319c08efd40ee5908704dd3697e14bac106fe5a5c67663f58f325619a17f3907333a0c98f219e682c74a5f0f4659d9d44d82a6a0084b00724cc559927f5c0d0

Download Submit
C:\Windows\SysWOW64\Jgbjbp32.exe

Filesize
96KB

MD5
1dca78328ff5047242b6e47a7839dbeb

SHA1
d9d846918d109fb0848fe6117aa3773a63eb58ac

SHA256
a2bd60ce36a15a65e57c148f4d021351d2a0f6a53c68e3ea50e950f377da1942

SHA512
51f3e2e9a7c9f48c009d8659315ff7ee62fca94d7342d1f70d5e6b6c5bfc6aba3dc8e37b5d88097e94be18a2b4a160080e28bb75694ab7da4e19d03a142e750f

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
96KB

MD5
cbe9ab6aff6a209cb71ad72b82291272

SHA1
68016407132e60dd84ca5c12e796a06aa5d7dbbe

SHA256
95dd2565532481aca0745b4376dee7fde8b5a0cbd02ab6e8add4e9d8a3bcf6c2

SHA512
802e68703ec3326a39cefaa60c3224ba2af527f1180f32a33c5988de073beba87c03202eefce4124b2ba9e916d25a2b7577a1e5a204c019afd3810477a6ac950

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
96KB

MD5
341825fdb201a3e8623c14e92d9f69c3

SHA1
2ec9f3deb56ce1ea418a790413d7ab576560598a

SHA256
2da51103cef33eda3bb543378819b970facdf6fc7fb0e85058bbbea45d78292e

SHA512
1f8bd67d5a2082f96a48f0d6687bb972bba24cb9fc883b8057bd7aad7d9b9b66cb111823ab0e70cb057e5572a70ac4cd9716adfaa46c3314d3b6d82fd78529c7

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
96KB

MD5
b60279d2938b140c09b3e5c90525e349

SHA1
a8459dc3b220af896275c4e3c3f821a24e517388

SHA256
31c06cc31ccb8db73dccb04c6fab146ebeb968a9098661b29cdce3b6e3291554

SHA512
85343306720a902537babb317f5bb85a4b7d0f1a4d6d2d5b9fdb4f64c1e37c33eee9ae1286ad2f893c44610a5cf84b72c13f590378e24f3780d3bdd9cae0bc84

Download Submit
C:\Windows\SysWOW64\Kcpahpmd.exe

Filesize
96KB

MD5
6dfc14a82595eea8f1d4f2d257b345a2

SHA1
da7c768c304f83fae8514465b9205fd224e339e7

SHA256
9a02c9e10cd269849441ed1db2025e3c9d3a7bf739e2c785adc0ebc601bd00c5

SHA512
c07f78f8bd6d6e9ac7ccc74bcbdc7e8486ed8934696403f468a0d9ac2650c50650791738e9b55bc20c956694d8005037d04002b8d08dc79fd2f4abdd64dfa6ca

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
96KB

MD5
316ee5107e49d86d7aeb00bdc7ca195f

SHA1
e4da008b3c345c58a8cfa05eea742a8e018d02b8

SHA256
90bca5da418e25ee1c9c27553c5b9838e104b78edf7678f55eec5170cdb034b3

SHA512
4703f78aa1648b0041905b08cb9f9cc4f262b59e3f30a567eec9e9b3085da922158f8b32d5e7242ced1d584ddbd435e8253478983173e5ff6e4d631cf870a7d0

Download Submit
C:\Windows\SysWOW64\Kdpmbc32.exe

Filesize
96KB

MD5
808c246ea2dba5822c57b094d44a3095

SHA1
c43ab6914a77b136c87230e2c5564769e2f2ca61

SHA256
05c8cd8aa41ea3e20a2c793cb0a1fab32f21167ffa5394d874cbaa125cfa24ca

SHA512
000cac66344c8ad4ccde98d08c9f4d4d8517d0e9e2b130473fc496f9fcc0a1b44ed660ff7763e14b3c9aa226a8fda5d34a148b3b27ddc65b21aff40eba185117

Download Submit
C:\Windows\SysWOW64\Kgipcogp.exe

Filesize
96KB

MD5
8dcf5d8fcb1529d33698f48fa2bb6721

SHA1
053931db7c9c0c809dc3895ca265426deb0ce7ab

SHA256
4dcf2e5a2a317705a0b7b26e0cc34079d6c8a8b244f5cb340ae91144bcb3d8ec

SHA512
c9b066993cde897234a81537bd0f78180ab8afd3e7e07f1ef611a5f5ca51d80d3b3dd6a4b633334ce27997efb74a8622957536702b28e5da06bc3fe3ce6a553e

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
96KB

MD5
6d1336a24bfc8a687858aa95eb613390

SHA1
55ffc0dfab148572d73832879d14ac48164f886a

SHA256
df20937ea90da38808cafe03722cac3759038fd2ccd8b275a7b53cea09c4354d

SHA512
83e159acdc75a95d9abb1252469904cfde7f679dfe5ab14ad83440fba4916728cc1b682a2e52d3ea0c08af2b00e38d3d4fae9eb5c736c7cd2b61b4c0d7bca498

Download Submit
C:\Windows\SysWOW64\Knqepc32.exe

Filesize
96KB

MD5
87feaa7710a39a97ef79dfabf24f313b

SHA1
9719c76f53df95580d4640a3465e893fc051b9c1

SHA256
e049b2b9d59fd8ba5b7bb5cb91409f524d95024556eadf0ef056a897e66fc517

SHA512
5bb2d9699505aa28e897ad1b27f26a3718a6399274b2fab90170d75b73ca21f7b8d78837fa0f40ce858caf9ffd5a8fc4ea0c6b69198333bcd25ebe89902d7173

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
96KB

MD5
11c605e980bceeb1f5b2de14200a4333

SHA1
e65bc8acacc2d90f638c65753f0142c5d87edc06

SHA256
a14d984e25120d04475caa640a984db88eec53cc6d918b8db20d5dc3f1c662f7

SHA512
c5cc6668d35c0efd0462fa2bff07b631044ea25cdbf777f706d65aec7be962ca9e7b4addb2afa2fd6e8f47437b318bb0aa7d99c17a633e6a2f408c83f44298b5

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
96KB

MD5
f875a83386e7f1778870a156b10adabc

SHA1
8df4574f22a5554ca172c3eefa0a316236623ec4

SHA256
9c47d7468639dc9f949c5abc56dc71f680bef7807c8e35f04f9c3ee350413769

SHA512
98b8daa3914cb316c660b4e37aa295453a8bcc85328c5f2ede5877db8f37b5d536dafb9834c77fb37284294bdf9dca0615be719f0d95d0a9e8817a708426dffe

Download Submit
C:\Windows\SysWOW64\Ljobpiql.exe

Filesize
64KB

MD5
f5c034896a66ed77c9ca4c9c68bb0fa0

SHA1
96d0b256dc41616d0bfc7808c54ac5b35be3de63

SHA256
44a9d1af88aea1267a60f28e31ca308ff2fbae151d0272c5336ea5ce72ee29f6

SHA512
e5edb32b35a0163ef3f36fb3853f0b94260d6fae30a4057094b4502159c4a79e53aaa7eb92f6f3895780bb708b825ce4bf9fa565395a8265adcbe675db164a69

Download Submit
C:\Windows\SysWOW64\Lknojl32.exe

Filesize
96KB

MD5
78a7ae8124fae832061b159d746fcf15

SHA1
4ec0eae2ec19da513e02735f9d1725fdd1fa9c3a

SHA256
c09d7cb7dee774a276771bba0419c3540a05acd9c53d4cfe07f24a12bf9c218f

SHA512
ee2b0daff1a895baa320f784c6ea248fc9d70736a64c5f6d68b230c5a1c09f5b4676136faad67c7a3e3c6ae8947f7c5411fb50fe238cdae17ffd163a6da5536f

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
96KB

MD5
9093f765c9e9b67e28989b3492f8c76f

SHA1
086f72e5cac268438a619981968c5a8952f2cdf1

SHA256
846b0e854c1d9a691b767a497572fe981c137cfa60317f546a9a54cf26862880

SHA512
f4cbb0bc6385649f31619f68bb9d9a1a4e77a995cbb6f0e67f5412d213a94122575a3ecde397a206fe5c8bbfbf2806a16fcc53e315abc49b0644376906432b80

Download Submit
C:\Windows\SysWOW64\Mjnnbk32.exe

Filesize
96KB

MD5
a73c0a5caa80a4502dd6f214dd57fa2e

SHA1
1c9168074c025e4f481a5055ead318d01faa82f7

SHA256
79c9a5b1546098c10fdae65c058b69cc3f70bc138991f87afdc38cf2bf26c61a

SHA512
347b04ee58e339ee15085979ac368b7b7c0ce2a1d5c074570c12eae4e77f07343126a1528e9d84850cc74ac2176ceb0a90d3d810364f7bac71b7619076aaba65

Download Submit
C:\Windows\SysWOW64\Momcpa32.exe

Filesize
96KB

MD5
8c1437661e8a0719b1562c308be3287a

SHA1
22b766c9263e200dcb5efd4990ea54e0d721f4d0

SHA256
c953debba3a5ec9f93fdd79d0ca88de008271d84ab89177a147d3e635d2f4158

SHA512
aa0b9f0271ee9eb99bbec1f26a2d0cefe8a7c7a07148766d19bb83e1d58081af1c4ce4dfaa7ae72827cc5cd03aec449e27227bb7f2144c1515a46d0c3ca39beb

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
96KB

MD5
c06627ab0f3f84e6828594b2fc8f284f

SHA1
da998fa26a3090630bce63a5e98b2c272b421865

SHA256
5bb84b41b397e33e0dfffd6bf42d4328c6333842f7a7029278a96863d0508bb1

SHA512
73e4ad5e3fd530b1bb2143aad1f603bbbe2c345b6da7e18749a1a0de06aacc9364481ef9d092bd61bff6d71908e2fd7e3903d03090747ed29e04e8f8d46eef6f

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
96KB

MD5
3ba515fdf200ad037b9ef1dcaf2ad60c

SHA1
ca7c0ead21989c89631b16544b58df088170c38a

SHA256
b277b3ba323f0eefe11aef33f8b573f56a1c9919b17c5ed9c1601266bc739d61

SHA512
db4386e9ea71e7dc164345ea3639147d1584d39ce1480f8e5fc4e57a6136c2f736555d31c46afbc1ffeecf8c7eb8159a85b4f74b75a2ae1eacc231ad226bd0a7

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
96KB

MD5
105b01bae3cec4d6cc523dd8bec2f888

SHA1
34e545070bd9091b6717e2acee737951c26805e2

SHA256
37a8ff99d48a74698d4f3c95c0d2abc2cccb9caa60819a32e9d52272679a98f3

SHA512
0f9557abc845341502ceb4bed7f02227696ee2d34d2756c0c94959f701b3bf1d7b2e9573fe0a37d92fafea58e9c30178b55c2daaa1da2021118d2b81f13c61c1

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
96KB

MD5
0f7c7b4360a12486340f265c13219651

SHA1
3a59ba8f30c76c4f030107b6af90e06bb9f045bd

SHA256
543b287cb61e28f8aa91120e3c62b94edd6e92671e4d93e0904f973d20d77ced

SHA512
36beb90322accce8f6b49a3ccd24218219f09f52efa2b759c67fa6f7cb6c4e1f430cb5bf53f16a0fa482a1596d6405684bebf55d9915544d30f30be870ecc2dc

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
96KB

MD5
31a664998d7d92cdf220d1174a00bac1

SHA1
a81752d9a10076939a942ab4b327bc7f1be01558

SHA256
f07d441121dc49fa22d06e517e695b4b82fbc5b9a9574933dd6fa6f9d8776f5e

SHA512
b57e96dcdd8327c2985efc2ac3ef32216a8ab5bd246163e0866f67d588e406d3d68a72a0b24d47f0bda47ce56c77a82d76c34288edbede63957bdd4b395dc0b7

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
96KB

MD5
88bdd63509f4f31328541d5b9be97be9

SHA1
4a8776d49feeae1e0b36295960814eddaabac745

SHA256
90d41ced74dc895be4eae2705382f53acf964878ad47f0ea73d83dfa84d2645f

SHA512
0dd7ba78df6829b601f3a04bc35ab20910d7178666b1d39aef80f5283739b8421b5d231a528c09107c5016ade0d9099d4854a2b60d46ada95a20b17108249df4

Download Submit
C:\Windows\SysWOW64\Pdhbmh32.exe

Filesize
96KB

MD5
f9ce3bd84235c8b7ee3ee0a5ab7927a6

SHA1
39ea832914b6040ea8692831fcbf2a52bba9addb

SHA256
4813001567b7da716f1d8b65ee00bbbe4167c49cffe147d5290b606e93628fc2

SHA512
04a22f419bb62169e7a3d95fffb0518628f2e3584bc1688d753501d7e47315eddcd28f21f37f8a58752609b9d48830d8e61f1afce1ae9f5db7d01ff62ce6c2c1

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
96KB

MD5
729ec0008569553739089e9fcd0a84e4

SHA1
1dab564d10535a1ba83cbbd36e726b6ad7500e99

SHA256
c067db4e1c94abd359a011d34dadd53f3ec13df5a7e7f1389a4984ff6f4c26fc

SHA512
bda8d06c95f1d97785922ce5f20285ac3b237c8af0da59d4e8139b9a10040b33a3ed5ed7ab4e5fe8e0b1eb6361a98c75077b5846a67639219bdee8b74e00526f

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
96KB

MD5
f92b7b84f80b10183ef5156969bd3d94

SHA1
77ab81398fdbe8a34c286616f77c9a6d3fdab0ab

SHA256
c9c4a4a02a90f1dd19ad762ec8fcf81a064a75e8f4ed35f101ae8bef23fc5457

SHA512
6fa45c1e99739dcb4f54842b95c72f33a8cde8b1ec5db2bf9fc8815e19f33db5aada192eb1d23da5b7ebc63168cf51aed437a84545eca45ec6bbdcdf95b4ebee

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
96KB

MD5
b4f9d2f7e272d0c0e53e938ef6cbc35f

SHA1
55d4e8344031202d82d8dd7a4fdc748811d3887a

SHA256
9098f185aaa9852a55a2a7cccf0b5801558ecf18a81cf9d7025e8ea5278d90d6

SHA512
44d28923e08a190f1dc1cfd61d453f556878ab6d595cbf88591e7fbb776ebe49cfdfbaec3b6a2cc22577b1398fbaaf5ba14940b177b0f8a911301f658c845d26

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
96KB

MD5
3bf48b9d5364bf1bf5bcede84de83cb1

SHA1
3b04d7c56bf6ed946d9b19dcb7d5e5a8101e1257

SHA256
6b48b239c005471ad767384b35ff33a5ef3f38e98cc19df76141fb4eaaa3bcaf

SHA512
d4d86ba020835458a9a534823b10e58fb91674a08eab32b8f6a3023dc947e89f3303c4a90ec20d90db83e6932d1a2d8fdface67d5860f770e89d9026c639dcc2

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
96KB

MD5
7867c2f753996535fa6b21ac41d700b9

SHA1
1e48d9d1ac317b73a6e3fe947f30fb835dc255a9

SHA256
106b711d88f367ca6b7f177d953d03a07c3df098374b584f0aea35e8a7208634

SHA512
ac7e0ccc7ddcad834f7dd17907fef37a569cb8f1d4fc2810281a67d7bcb828ff9c77a642b43538a058ac6afcff1105066921b40d95ef3a86b73f4e9edce7af07

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
96KB

MD5
cc95b555df16f7b9c9c41970d0a28f88

SHA1
3b8dcab097f03b58af4e77df76510b11494390e8

SHA256
dee0983e59e676b93443c16a709f7fc04f7d45820ec4747cc6052a71cfe052e0

SHA512
642c9137e61fa8959c3f30a6680efc06639ea23cc83c4babf0cb42f245e8811414af453e33d96b1bd4ce053bc7429f26d0e8a86eb074f6bcd2f8c793eb19ec24

Download Submit
memory/220-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/488-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/492-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1524-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5504-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5548-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads