xmrig | c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b

Analysis

max time kernel
120s
max time network
122s
platform
windows10_x64
resource
win10v20210408
submitted
13-05-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe
Size

5.7MB
MD5

dd0c228c145084ca7fb7c4c9992db0de
SHA1

fafb80dc4eb5b861efccfa89267c36a7f20f97cb
SHA256

c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b
SHA512

40a459b26ef3c4370f5ac5b6f66d16a4168575859aa27415818ec9d92a4dbe15a17a24b975ccb4dc5aad80457bc0211a66a08237cdf92ae673deac6cc10d4592

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 64 IoCs

Processes:

Obfbpdfj.exePoopjdjl.exePboefbnp.exePiljhl32.exeQcflfa32.exeAapbbmhj.exeAenkik32.exeBcpgcnaj.exeEigliaid.exeHlmpcgfk.exeJcjnln32.exeLjkeqe32.exeNcdbph32.exeNcfofhfp.exeOcmefg32.exeOlnpnc32.exeQhpqob32.exeDobqjgie.exeFkkgke32.exeGnjlnnpe.exeHbddpklo.exeKlfefm32.exeLfhleajh.exeLfaokpbm.exeMmbmhicb.exeOfbaikfh.exeQfpmji32.exeAhfpekkb.exeBampooec.exeFbehmibe.exeFdhndd32.exeFifgkbdj.exeHpphnj32.exeJpggff32.exeMfgnah32.exeOfajnebl.exePfcgddpi.exePmnoqo32.exePbjgiefn.exePidpep32.exePbmdoedk.exePmbhlnca.exePboade32.exePcomnhik.exePmgagm32.exeQfofpc32.exeQphkhhmm.exeQfaceb32.exeAcecog32.exeAmnhgl32.exeAfflpbpd.exeApoaig32.exeAigebm32.exeApanogdb.exeAiibgm32.exeApcjdgbo.exeAfmbaa32.exeBpfgjf32.exeBfpofqhi.exeBaecdigo.exeBfbllpfg.exeBmldijmc.exeBbimaakk.exeBicenk32.exe

pid	process
2540	Obfbpdfj.exe
3464	Poopjdjl.exe
3664	Pboefbnp.exe
2232	Piljhl32.exe
2448	Qcflfa32.exe
508	Aapbbmhj.exe
3912	Aenkik32.exe
188	Bcpgcnaj.exe
2316	Eigliaid.exe
3508	Hlmpcgfk.exe
1332	Jcjnln32.exe
2100	Ljkeqe32.exe
2900	Ncdbph32.exe
3832	Ncfofhfp.exe
3956	Ocmefg32.exe
3928	Olnpnc32.exe
3680	Qhpqob32.exe
1924	Dobqjgie.exe
1664	Fkkgke32.exe
1992	Gnjlnnpe.exe
2420	Hbddpklo.exe
2236	Klfefm32.exe
2280	Lfhleajh.exe
1248	Lfaokpbm.exe
1204	Mmbmhicb.exe
744	Ofbaikfh.exe
1564	Qfpmji32.exe
3696	Ahfpekkb.exe
3452	Bampooec.exe
416	Fbehmibe.exe
4104	Fdhndd32.exe
4132	Fifgkbdj.exe
4164	Hpphnj32.exe
4188	Jpggff32.exe
4208	Mfgnah32.exe
4228	Ofajnebl.exe
4248	Pfcgddpi.exe
4268	Pmnoqo32.exe
4288	Pbjgiefn.exe
4308	Pidpep32.exe
4328	Pbmdoedk.exe
4348	Pmbhlnca.exe
4368	Pboade32.exe
4388	Pcomnhik.exe
4408	Pmgagm32.exe
4428	Qfofpc32.exe
4448	Qphkhhmm.exe
4500	Qfaceb32.exe
4520	Acecog32.exe
4540	Amnhgl32.exe
4560	Afflpbpd.exe
4580	Apoaig32.exe
4600	Aigebm32.exe
4620	Apanogdb.exe
4640	Aiibgm32.exe
4660	Apcjdgbo.exe
4680	Afmbaa32.exe
4700	Bpfgjf32.exe
4720	Bfpofqhi.exe
4740	Baecdigo.exe
4760	Bfbllpfg.exe
4780	Bmldijmc.exe
4800	Bbimaakk.exe
4820	Bicenk32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ndqncn32.exeCljmfo32.exeLfiqcfcp.exeDncbcb32.exeIcebcj32.exeMfgnah32.exeFqiodo32.exeOcbghc32.exeBeplbgmk.exeEggpjdap.exeJeeooqng.exeEheibgfe.exeLfaokpbm.exePbmdoedk.exeApoaig32.exeKebeeege.exeIfhhkdlj.exeMjpeemnp.exeEaphhc32.exeIeflbi32.exeHpphnj32.exeMckhpf32.exeNaiggaqd.exeEmjbfp32.exeFgemlbep.exeHoimlmge.exeAhfpekkb.exeGkfibg32.exeMljicmbb.exeOcidadgg.exeOlfbeijb.exeHdlbaddd.exeJgmdjmcc.exeMeagam32.exeHhhheb32.exeBalidhag.exeKoccmldn.exeKmqccckb.exeMdiqhi32.exeNcfofhfp.exeDmojeh32.exeInldeo32.exeKblbhk32.exeOmfqheii.exeFifgkbdj.exeHgmbne32.exeLheklp32.exeOkfoapod.exeBfldld32.exeCpgoagip.exeBbnflq32.exeIgcbdnkn.exeNebphjgd.exePadpijbk.exePokmhn32.exeJiknbo32.exePbjgiefn.exePidpep32.exeBoblojkh.exePoopjdjl.exeQfofpc32.exeQfaceb32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nkkfphmm.exe	Ndqncn32.exe
File created	C:\Windows\SysWOW64\Cbdebinb.exe	Cljmfo32.exe
File created	C:\Windows\SysWOW64\Gohkln32.dll	Lfiqcfcp.exe
File created	C:\Windows\SysWOW64\Demjpmom.exe	Dncbcb32.exe
File created	C:\Windows\SysWOW64\Iqibmn32.exe	Icebcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofajnebl.exe	Mfgnah32.exe
File created	C:\Windows\SysWOW64\Ihnpmh32.dll	Fqiodo32.exe
File opened for modification	C:\Windows\SysWOW64\Pdccpk32.exe	Ocbghc32.exe
File created	C:\Windows\SysWOW64\Bpepopma.exe	Beplbgmk.exe
File opened for modification	C:\Windows\SysWOW64\Emahgo32.exe	Eggpjdap.exe
File created	C:\Windows\SysWOW64\Kncnpcdi.dll	Jeeooqng.exe
File created	C:\Windows\SysWOW64\Ebkmppfk.exe	Eheibgfe.exe
File created	C:\Windows\SysWOW64\Mmbmhicb.exe	Lfaokpbm.exe
File created	C:\Windows\SysWOW64\Aqdmoe32.dll	Pbmdoedk.exe
File created	C:\Windows\SysWOW64\Cmaeicim.dll	Apoaig32.exe
File created	C:\Windows\SysWOW64\Kllmao32.exe	Kebeeege.exe
File opened for modification	C:\Windows\SysWOW64\Joplcj32.exe	Ifhhkdlj.exe
File opened for modification	C:\Windows\SysWOW64\Mpmnmdlh.exe	Mjpeemnp.exe
File created	C:\Windows\SysWOW64\Mldeqcki.dll	Eaphhc32.exe
File created	C:\Windows\SysWOW64\Mjjlhlhc.dll	Ieflbi32.exe
File created	C:\Windows\SysWOW64\Bcdqbjmg.dll	Mjpeemnp.exe
File opened for modification	C:\Windows\SysWOW64\Jpggff32.exe	Hpphnj32.exe
File created	C:\Windows\SysWOW64\Dnpfjo32.dll	Mckhpf32.exe
File created	C:\Windows\SysWOW64\Ololejpj.exe	Naiggaqd.exe
File created	C:\Windows\SysWOW64\Eddkcj32.exe	Emjbfp32.exe
File created	C:\Windows\SysWOW64\Pncnhjkf.dll	Fgemlbep.exe
File created	C:\Windows\SysWOW64\Onejjlml.dll	Hoimlmge.exe
File created	C:\Windows\SysWOW64\Ogbffpke.dll	Ahfpekkb.exe
File opened for modification	C:\Windows\SysWOW64\Gbpaoaem.exe	Gkfibg32.exe
File opened for modification	C:\Windows\SysWOW64\Mbdapg32.exe	Mljicmbb.exe
File created	C:\Windows\SysWOW64\Odjqim32.exe	Ocidadgg.exe
File created	C:\Windows\SysWOW64\Obcjnphj.exe	Olfbeijb.exe
File created	C:\Windows\SysWOW64\Hfmoiljc.exe	Hdlbaddd.exe
File created	C:\Windows\SysWOW64\Jngmgg32.exe	Jgmdjmcc.exe
File created	C:\Windows\SysWOW64\Mfccieke.exe	Meagam32.exe
File created	C:\Windows\SysWOW64\Epakai32.dll	Hhhheb32.exe
File created	C:\Windows\SysWOW64\Bbnflq32.exe	Balidhag.exe
File created	C:\Windows\SysWOW64\Kemkjf32.exe	Koccmldn.exe
File opened for modification	C:\Windows\SysWOW64\Kgfgplkh.exe	Kmqccckb.exe
File opened for modification	C:\Windows\SysWOW64\Mkcidcpi.exe	Mdiqhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ocmefg32.exe	Ncfofhfp.exe
File created	C:\Windows\SysWOW64\Mdlbdqbi.dll	Dmojeh32.exe
File created	C:\Windows\SysWOW64\Mfcapd32.dll	Inldeo32.exe
File created	C:\Windows\SysWOW64\Cbdgmjeq.dll	Kblbhk32.exe
File created	C:\Windows\SysWOW64\Phkeen32.exe	Omfqheii.exe
File opened for modification	C:\Windows\SysWOW64\Hpphnj32.exe	Fifgkbdj.exe
File opened for modification	C:\Windows\SysWOW64\Hngkjpln.exe	Hgmbne32.exe
File created	C:\Windows\SysWOW64\Beaqch32.dll	Lheklp32.exe
File created	C:\Windows\SysWOW64\Oekcnioj.exe	Okfoapod.exe
File opened for modification	C:\Windows\SysWOW64\Bkimdk32.exe	Bfldld32.exe
File created	C:\Windows\SysWOW64\Dedgjngg.exe	Cpgoagip.exe
File created	C:\Windows\SysWOW64\Kdhipi32.dll	Bbnflq32.exe
File created	C:\Windows\SysWOW64\Edqobd32.dll	Igcbdnkn.exe
File created	C:\Windows\SysWOW64\Ibbljmnb.dll	Nebphjgd.exe
File opened for modification	C:\Windows\SysWOW64\Phnhec32.exe	Padpijbk.exe
File opened for modification	C:\Windows\SysWOW64\Pdgfpd32.exe	Pokmhn32.exe
File created	C:\Windows\SysWOW64\Jcdclb32.dll	Jiknbo32.exe
File created	C:\Windows\SysWOW64\Gnnpdc32.dll	Pbjgiefn.exe
File opened for modification	C:\Windows\SysWOW64\Pbmdoedk.exe	Pidpep32.exe
File created	C:\Windows\SysWOW64\Iqhbbfkl.dll	Boblojkh.exe
File created	C:\Windows\SysWOW64\Hcnlck32.exe	Hhhheb32.exe
File created	C:\Windows\SysWOW64\Bldeio32.dll	Poopjdjl.exe
File created	C:\Windows\SysWOW64\Gdpghk32.dll	Qfofpc32.exe
File created	C:\Windows\SysWOW64\Acecog32.exe	Qfaceb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4180 2376 WerFault.exe Qgjdmiem.exe

pid	pid_target	process	target process
4180	2376	WerFault.exe	Qgjdmiem.exe

Modifies registry class 64 IoCs

Processes:

Hjdiibjm.exeBchbqn32.exeLoceic32.exeQfnhkfod.exePmnoqo32.exePidpep32.exeEkafpjph.exeGkcllgob.exeJmdmmn32.exeNkookg32.exePopnmcoi.exeCekknfcn.exeDbpengcd.exeJpggff32.exeOfajnebl.exeKehbofop.exeKllmao32.exeLgcmgc32.exeEbkmppfk.exeFhjbmf32.exeFbogko32.exeGlhdjbjd.exeQmigbgjm.exeLehdkn32.exeLmcippkm.exePomjmm32.exeMckhpf32.exeBllqdabe.exeDeigoc32.exeHoimlmge.exeHcnlck32.exeQphkhhmm.exeBfbllpfg.exeJeoohhgk.exeNdqncn32.exeDdhkgkqo.exeMdiqhi32.exePdeike32.exeCimfdm32.exeFdhndd32.exeCkighmdb.exeJligeboh.exeBeplbgmk.exeEpjdndij.exeHeceig32.exePnmgidba.exec921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exeEggpjdap.exeHfhfnm32.exePdgfpd32.exePohqbn32.exeAfcbfe32.exeLoapnj32.exeOlfbeijb.exeDaooaf32.exeFcenkk32.exeLnloidhh.exeMmjhfi32.exeCijknjmp.exeAiphgh32.exeKgfgplkh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjdiibjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loceic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gllkmd32.dll"	Qfnhkfod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aicnjiqc.dll"	Pmnoqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjaeohf.dll"	Pidpep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennpnfbq.dll"	Ekafpjph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcllgob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elheoojp.dll"	Jmdmmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkookg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjpbo32.dll"	Popnmcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cekknfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbpengcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjqkl32.dll"	Jpggff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofajnebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kehbofop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kllmao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgcmgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebkmppfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkmmnnf.dll"	Fhjbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklehl32.dll"	Fbogko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhdjbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfcdnkoi.dll"	Qmigbgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lehdkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmcippkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloemo32.dll"	Pomjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpfjo32.dll"	Mckhpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolekdel.dll"	Bllqdabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deigoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoimlmge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnolp32.dll"	Hcnlck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qphkhhmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfbllpfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeoohhgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndqncn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjifof32.dll"	Ddhkgkqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkgmiaa.dll"	Mdiqhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdeike32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimfdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdhndd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckighmdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jligeboh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmidin32.dll"	Beplbgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlinjdaf.dll"	Epjdndij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epjdndij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heceig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnmgidba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdcgp32.dll"	Eggpjdap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilqlie32.dll"	Hfhfnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdgfpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhbhmkk.dll"	Pohqbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afcbfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loapnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpofkl32.dll"	Nkookg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfbeijb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daooaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfcecd32.dll"	Fcenkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnloidhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmjhfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cijknjmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiphgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfpe32.dll"	Kgfgplkh.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

WerFault.exe

pid	process
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4180 WerFault.exe
Token: SeBackupPrivilege 4180 WerFault.exe
Token: SeDebugPrivilege 4180 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4180	WerFault.exe
Token: SeBackupPrivilege	4180	WerFault.exe
Token: SeDebugPrivilege	4180	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exeObfbpdfj.exePoopjdjl.exePboefbnp.exePiljhl32.exeQcflfa32.exeAapbbmhj.exeAenkik32.exeBcpgcnaj.exeEigliaid.exeHlmpcgfk.exeJcjnln32.exeLjkeqe32.exeNcdbph32.exeNcfofhfp.exeOcmefg32.exeOlnpnc32.exeQhpqob32.exeDobqjgie.exeFkkgke32.exeGnjlnnpe.exeHbddpklo.exe

description	pid	process	target process
PID 644 wrote to memory of 2540	644	c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe	Obfbpdfj.exe
PID 644 wrote to memory of 2540	644	c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe	Obfbpdfj.exe
PID 644 wrote to memory of 2540	644	c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe	Obfbpdfj.exe
PID 2540 wrote to memory of 3464	2540	Obfbpdfj.exe	Poopjdjl.exe
PID 2540 wrote to memory of 3464	2540	Obfbpdfj.exe	Poopjdjl.exe
PID 2540 wrote to memory of 3464	2540	Obfbpdfj.exe	Poopjdjl.exe
PID 3464 wrote to memory of 3664	3464	Poopjdjl.exe	Pboefbnp.exe
PID 3464 wrote to memory of 3664	3464	Poopjdjl.exe	Pboefbnp.exe
PID 3464 wrote to memory of 3664	3464	Poopjdjl.exe	Pboefbnp.exe
PID 3664 wrote to memory of 2232	3664	Pboefbnp.exe	Piljhl32.exe
PID 3664 wrote to memory of 2232	3664	Pboefbnp.exe	Piljhl32.exe
PID 3664 wrote to memory of 2232	3664	Pboefbnp.exe	Piljhl32.exe
PID 2232 wrote to memory of 2448	2232	Piljhl32.exe	Qcflfa32.exe
PID 2232 wrote to memory of 2448	2232	Piljhl32.exe	Qcflfa32.exe
PID 2232 wrote to memory of 2448	2232	Piljhl32.exe	Qcflfa32.exe
PID 2448 wrote to memory of 508	2448	Qcflfa32.exe	Aapbbmhj.exe
PID 2448 wrote to memory of 508	2448	Qcflfa32.exe	Aapbbmhj.exe
PID 2448 wrote to memory of 508	2448	Qcflfa32.exe	Aapbbmhj.exe
PID 508 wrote to memory of 3912	508	Aapbbmhj.exe	Aenkik32.exe
PID 508 wrote to memory of 3912	508	Aapbbmhj.exe	Aenkik32.exe
PID 508 wrote to memory of 3912	508	Aapbbmhj.exe	Aenkik32.exe
PID 3912 wrote to memory of 188	3912	Aenkik32.exe	Bcpgcnaj.exe
PID 3912 wrote to memory of 188	3912	Aenkik32.exe	Bcpgcnaj.exe
PID 3912 wrote to memory of 188	3912	Aenkik32.exe	Bcpgcnaj.exe
PID 188 wrote to memory of 2316	188	Bcpgcnaj.exe	Eigliaid.exe
PID 188 wrote to memory of 2316	188	Bcpgcnaj.exe	Eigliaid.exe
PID 188 wrote to memory of 2316	188	Bcpgcnaj.exe	Eigliaid.exe
PID 2316 wrote to memory of 3508	2316	Eigliaid.exe	Hlmpcgfk.exe
PID 2316 wrote to memory of 3508	2316	Eigliaid.exe	Hlmpcgfk.exe
PID 2316 wrote to memory of 3508	2316	Eigliaid.exe	Hlmpcgfk.exe
PID 3508 wrote to memory of 1332	3508	Hlmpcgfk.exe	Jcjnln32.exe
PID 3508 wrote to memory of 1332	3508	Hlmpcgfk.exe	Jcjnln32.exe
PID 3508 wrote to memory of 1332	3508	Hlmpcgfk.exe	Jcjnln32.exe
PID 1332 wrote to memory of 2100	1332	Jcjnln32.exe	Ljkeqe32.exe
PID 1332 wrote to memory of 2100	1332	Jcjnln32.exe	Ljkeqe32.exe
PID 1332 wrote to memory of 2100	1332	Jcjnln32.exe	Ljkeqe32.exe
PID 2100 wrote to memory of 2900	2100	Ljkeqe32.exe	Ncdbph32.exe
PID 2100 wrote to memory of 2900	2100	Ljkeqe32.exe	Ncdbph32.exe
PID 2100 wrote to memory of 2900	2100	Ljkeqe32.exe	Ncdbph32.exe
PID 2900 wrote to memory of 3832	2900	Ncdbph32.exe	Ncfofhfp.exe
PID 2900 wrote to memory of 3832	2900	Ncdbph32.exe	Ncfofhfp.exe
PID 2900 wrote to memory of 3832	2900	Ncdbph32.exe	Ncfofhfp.exe
PID 3832 wrote to memory of 3956	3832	Ncfofhfp.exe	Ocmefg32.exe
PID 3832 wrote to memory of 3956	3832	Ncfofhfp.exe	Ocmefg32.exe
PID 3832 wrote to memory of 3956	3832	Ncfofhfp.exe	Ocmefg32.exe
PID 3956 wrote to memory of 3928	3956	Ocmefg32.exe	Olnpnc32.exe
PID 3956 wrote to memory of 3928	3956	Ocmefg32.exe	Olnpnc32.exe
PID 3956 wrote to memory of 3928	3956	Ocmefg32.exe	Olnpnc32.exe
PID 3928 wrote to memory of 3680	3928	Olnpnc32.exe	Qhpqob32.exe
PID 3928 wrote to memory of 3680	3928	Olnpnc32.exe	Qhpqob32.exe
PID 3928 wrote to memory of 3680	3928	Olnpnc32.exe	Qhpqob32.exe
PID 3680 wrote to memory of 1924	3680	Qhpqob32.exe	Dobqjgie.exe
PID 3680 wrote to memory of 1924	3680	Qhpqob32.exe	Dobqjgie.exe
PID 3680 wrote to memory of 1924	3680	Qhpqob32.exe	Dobqjgie.exe
PID 1924 wrote to memory of 1664	1924	Dobqjgie.exe	Fkkgke32.exe
PID 1924 wrote to memory of 1664	1924	Dobqjgie.exe	Fkkgke32.exe
PID 1924 wrote to memory of 1664	1924	Dobqjgie.exe	Fkkgke32.exe
PID 1664 wrote to memory of 1992	1664	Fkkgke32.exe	Gnjlnnpe.exe
PID 1664 wrote to memory of 1992	1664	Fkkgke32.exe	Gnjlnnpe.exe
PID 1664 wrote to memory of 1992	1664	Fkkgke32.exe	Gnjlnnpe.exe
PID 1992 wrote to memory of 2420	1992	Gnjlnnpe.exe	Hbddpklo.exe
PID 1992 wrote to memory of 2420	1992	Gnjlnnpe.exe	Hbddpklo.exe
PID 1992 wrote to memory of 2420	1992	Gnjlnnpe.exe	Hbddpklo.exe
PID 2420 wrote to memory of 2236	2420	Hbddpklo.exe	Klfefm32.exe

C:\Users\Admin\AppData\Local\Temp\c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe
"C:\Users\Admin\AppData\Local\Temp\c921e602a57a7f00bee04a91057c536923186cff287e5885b5404dd69df1088b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\Obfbpdfj.exe
  C:\Windows\system32\Obfbpdfj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\Poopjdjl.exe
    C:\Windows\system32\Poopjdjl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\Pboefbnp.exe
      C:\Windows\system32\Pboefbnp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\SysWOW64\Piljhl32.exe
        
        C:\Windows\system32\Piljhl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\SysWOW64\Qcflfa32.exe
        
        C:\Windows\system32\Qcflfa32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Aapbbmhj.exe
        
        C:\Windows\system32\Aapbbmhj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Aenkik32.exe
        
        C:\Windows\system32\Aenkik32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Bcpgcnaj.exe
        
        C:\Windows\system32\Bcpgcnaj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:188
        
        C:\Windows\SysWOW64\Eigliaid.exe
        
        C:\Windows\system32\Eigliaid.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Hlmpcgfk.exe
        
        C:\Windows\system32\Hlmpcgfk.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Jcjnln32.exe
        
        C:\Windows\system32\Jcjnln32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ljkeqe32.exe
        
        C:\Windows\system32\Ljkeqe32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ncdbph32.exe
        
        C:\Windows\system32\Ncdbph32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ncfofhfp.exe
        
        C:\Windows\system32\Ncfofhfp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ocmefg32.exe
        
        C:\Windows\system32\Ocmefg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Olnpnc32.exe
        
        C:\Windows\system32\Olnpnc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Qhpqob32.exe
        
        C:\Windows\system32\Qhpqob32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dobqjgie.exe
        
        C:\Windows\system32\Dobqjgie.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Fkkgke32.exe
        
        C:\Windows\system32\Fkkgke32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Gnjlnnpe.exe
        
        C:\Windows\system32\Gnjlnnpe.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Hbddpklo.exe
        
        C:\Windows\system32\Hbddpklo.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Klfefm32.exe
        
        C:\Windows\system32\Klfefm32.exe
        23⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Lfhleajh.exe
        
        C:\Windows\system32\Lfhleajh.exe
        24⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Lfaokpbm.exe
        
        C:\Windows\system32\Lfaokpbm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Mmbmhicb.exe
        
        C:\Windows\system32\Mmbmhicb.exe
        26⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Ofbaikfh.exe
        
        C:\Windows\system32\Ofbaikfh.exe
        27⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Qfpmji32.exe
        
        C:\Windows\system32\Qfpmji32.exe
        28⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Ahfpekkb.exe
        
        C:\Windows\system32\Ahfpekkb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Bampooec.exe
        
        C:\Windows\system32\Bampooec.exe
        30⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Fbehmibe.exe
        
        C:\Windows\system32\Fbehmibe.exe
        31⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Fdhndd32.exe
        
        C:\Windows\system32\Fdhndd32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Fifgkbdj.exe
        
        C:\Windows\system32\Fifgkbdj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Hpphnj32.exe
        
        C:\Windows\system32\Hpphnj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Jpggff32.exe
        
        C:\Windows\system32\Jpggff32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Mfgnah32.exe
        
        C:\Windows\system32\Mfgnah32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Ofajnebl.exe
        
        C:\Windows\system32\Ofajnebl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pfcgddpi.exe
        
        C:\Windows\system32\Pfcgddpi.exe
        38⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Pmnoqo32.exe
        
        C:\Windows\system32\Pmnoqo32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Pbjgiefn.exe
        
        C:\Windows\system32\Pbjgiefn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Pidpep32.exe
        
        C:\Windows\system32\Pidpep32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Pbmdoedk.exe
        
        C:\Windows\system32\Pbmdoedk.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Pmbhlnca.exe
        
        C:\Windows\system32\Pmbhlnca.exe
        43⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Pboade32.exe
        
        C:\Windows\system32\Pboade32.exe
        44⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Pcomnhik.exe
        
        C:\Windows\system32\Pcomnhik.exe
        45⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Pmgagm32.exe
        
        C:\Windows\system32\Pmgagm32.exe
        46⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Qfofpc32.exe
        
        C:\Windows\system32\Qfofpc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Qphkhhmm.exe
        
        C:\Windows\system32\Qphkhhmm.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Qfaceb32.exe
        
        C:\Windows\system32\Qfaceb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Acecog32.exe
        
        C:\Windows\system32\Acecog32.exe
        50⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Amnhgl32.exe
        
        C:\Windows\system32\Amnhgl32.exe
        51⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Afflpbpd.exe
        
        C:\Windows\system32\Afflpbpd.exe
        52⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Apoaig32.exe
        
        C:\Windows\system32\Apoaig32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Aigebm32.exe
        
        C:\Windows\system32\Aigebm32.exe
        54⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Apanogdb.exe
        
        C:\Windows\system32\Apanogdb.exe
        55⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Aiibgm32.exe
        
        C:\Windows\system32\Aiibgm32.exe
        56⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Apcjdgbo.exe
        
        C:\Windows\system32\Apcjdgbo.exe
        57⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Afmbaa32.exe
        
        C:\Windows\system32\Afmbaa32.exe
        58⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Bpfgjf32.exe
        
        C:\Windows\system32\Bpfgjf32.exe
        59⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Bfpofqhi.exe
        
        C:\Windows\system32\Bfpofqhi.exe
        60⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Baecdigo.exe
        
        C:\Windows\system32\Baecdigo.exe
        61⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Bfbllpfg.exe
        
        C:\Windows\system32\Bfbllpfg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Bmldijmc.exe
        
        C:\Windows\system32\Bmldijmc.exe
        63⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Bbimaakk.exe
        
        C:\Windows\system32\Bbimaakk.exe
        64⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Bicenk32.exe
        
        C:\Windows\system32\Bicenk32.exe
        65⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Bpmmjejd.exe
        
        C:\Windows\system32\Bpmmjejd.exe
        66⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Bfgegp32.exe
        
        C:\Windows\system32\Bfgegp32.exe
        67⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Balidhag.exe
        
        C:\Windows\system32\Balidhag.exe
        68⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Bbnflq32.exe
        
        C:\Windows\system32\Bbnflq32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Cmcjii32.exe
        
        C:\Windows\system32\Cmcjii32.exe
        70⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Cbpbap32.exe
        
        C:\Windows\system32\Cbpbap32.exe
        71⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Cijknjmp.exe
        
        C:\Windows\system32\Cijknjmp.exe
        72⤵
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Cdoolc32.exe
        
        C:\Windows\system32\Cdoolc32.exe
        73⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Ckighmdb.exe
        
        C:\Windows\system32\Ckighmdb.exe
        74⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Cpfpqdbj.exe
        
        C:\Windows\system32\Cpfpqdbj.exe
        75⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Cgphmn32.exe
        
        C:\Windows\system32\Cgphmn32.exe
        76⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Cahipggj.exe
        
        C:\Windows\system32\Cahipggj.exe
        77⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Ccieho32.exe
        
        C:\Windows\system32\Ccieho32.exe
        78⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Dmojeh32.exe
        
        C:\Windows\system32\Dmojeh32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ddibbbdk.exe
        
        C:\Windows\system32\Ddibbbdk.exe
        80⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Dkcjollh.exe
        
        C:\Windows\system32\Dkcjollh.exe
        81⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Dppbgcjo.exe
        
        C:\Windows\system32\Dppbgcjo.exe
        82⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Dgikcm32.exe
        
        C:\Windows\system32\Dgikcm32.exe
        83⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Daooaf32.exe
        
        C:\Windows\system32\Daooaf32.exe
        84⤵
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Dcplhngp.exe
        
        C:\Windows\system32\Dcplhngp.exe
        85⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Dpdlbb32.exe
        
        C:\Windows\system32\Dpdlbb32.exe
        86⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Dgndolmg.exe
        
        C:\Windows\system32\Dgndolmg.exe
        87⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Dadhlemm.exe
        
        C:\Windows\system32\Dadhlemm.exe
        88⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Egqadlkd.exe
        
        C:\Windows\system32\Egqadlkd.exe
        89⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Enjiafca.exe
        
        C:\Windows\system32\Enjiafca.exe
        90⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Eddanp32.exe
        
        C:\Windows\system32\Eddanp32.exe
        91⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Ejajfg32.exe
        
        C:\Windows\system32\Ejajfg32.exe
        92⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Epkbbapb.exe
        
        C:\Windows\system32\Epkbbapb.exe
        93⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Ekafpjph.exe
        
        C:\Windows\system32\Ekafpjph.exe
        94⤵
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Eakomdgd.exe
        
        C:\Windows\system32\Eakomdgd.exe
        95⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Eclkdl32.exe
        
        C:\Windows\system32\Eclkdl32.exe
        96⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Ejfcafdp.exe
        
        C:\Windows\system32\Ejfcafdp.exe
        97⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Ekepki32.exe
        
        C:\Windows\system32\Ekepki32.exe
        98⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Eaphhc32.exe
        
        C:\Windows\system32\Eaphhc32.exe
        99⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Fcqdplin.exe
        
        C:\Windows\system32\Fcqdplin.exe
        100⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Fjkmlf32.exe
        
        C:\Windows\system32\Fjkmlf32.exe
        101⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Fdpaio32.exe
        
        C:\Windows\system32\Fdpaio32.exe
        102⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Fkjifhgm.exe
        
        C:\Windows\system32\Fkjifhgm.exe
        103⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Fcenkk32.exe
        
        C:\Windows\system32\Fcenkk32.exe
        104⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Fjofgele.exe
        
        C:\Windows\system32\Fjofgele.exe
        105⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Fqiodo32.exe
        
        C:\Windows\system32\Fqiodo32.exe
        106⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Fgcgqiko.exe
        
        C:\Windows\system32\Fgcgqiko.exe
        107⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Faiknbkd.exe
        
        C:\Windows\system32\Faiknbkd.exe
        108⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Gkcllgob.exe
        
        C:\Windows\system32\Gkcllgob.exe
        109⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Gqpddnnj.exe
        
        C:\Windows\system32\Gqpddnnj.exe
        110⤵
        
        PID:508
        
        C:\Windows\SysWOW64\Gkfibg32.exe
        
        C:\Windows\system32\Gkfibg32.exe
        111⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Gbpaoaem.exe
        
        C:\Windows\system32\Gbpaoaem.exe
        112⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Gcanfi32.exe
        
        C:\Windows\system32\Gcanfi32.exe
        113⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Gngbcb32.exe
        
        C:\Windows\system32\Gngbcb32.exe
        114⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Gdqjplbn.exe
        
        C:\Windows\system32\Gdqjplbn.exe
        115⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Gbdjjp32.exe
        
        C:\Windows\system32\Gbdjjp32.exe
        116⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Gcfgahfe.exe
        
        C:\Windows\system32\Gcfgahfe.exe
        117⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Gjponb32.exe
        
        C:\Windows\system32\Gjponb32.exe
        118⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Hqjgkmeo.exe
        
        C:\Windows\system32\Hqjgkmeo.exe
        119⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Hkolhe32.exe
        
        C:\Windows\system32\Hkolhe32.exe
        120⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Hbidepmb.exe
        
        C:\Windows\system32\Hbidepmb.exe
        121⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Hcjqmh32.exe
        
        C:\Windows\system32\Hcjqmh32.exe
        122⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Hjdiibjm.exe
        
        C:\Windows\system32\Hjdiibjm.exe
        123⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Hejmfkjc.exe
        
        C:\Windows\system32\Hejmfkjc.exe
        124⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Hjgeoahj.exe
        
        C:\Windows\system32\Hjgeoahj.exe
        125⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Hqqnklog.exe
        
        C:\Windows\system32\Hqqnklog.exe
        126⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Hgkfhf32.exe
        
        C:\Windows\system32\Hgkfhf32.exe
        127⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Hbpjeo32.exe
        
        C:\Windows\system32\Hbpjeo32.exe
        128⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Hgmbne32.exe
        
        C:\Windows\system32\Hgmbne32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Hngkjpln.exe
        
        C:\Windows\system32\Hngkjpln.exe
        130⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Ieacgjck.exe
        
        C:\Windows\system32\Ieacgjck.exe
        131⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Iahclk32.exe
        
        C:\Windows\system32\Iahclk32.exe
        132⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Igblieql.exe
        
        C:\Windows\system32\Igblieql.exe
        133⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Inldeo32.exe
        
        C:\Windows\system32\Inldeo32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Ieflbi32.exe
        
        C:\Windows\system32\Ieflbi32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ibjmlm32.exe
        
        C:\Windows\system32\Ibjmlm32.exe
        136⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Ickicedn.exe
        
        C:\Windows\system32\Ickicedn.exe
        137⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ijeapp32.exe
        
        C:\Windows\system32\Ijeapp32.exe
        138⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Iejfmhkp.exe
        
        C:\Windows\system32\Iejfmhkp.exe
        139⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Ildnjb32.exe
        
        C:\Windows\system32\Ildnjb32.exe
        140⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Jbnfgmjj.exe
        
        C:\Windows\system32\Jbnfgmjj.exe
        141⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jcpcoe32.exe
        
        C:\Windows\system32\Jcpcoe32.exe
        142⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Jnegln32.exe
        
        C:\Windows\system32\Jnegln32.exe
        143⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Jeoohhgk.exe
        
        C:\Windows\system32\Jeoohhgk.exe
        144⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Jligeboh.exe
        
        C:\Windows\system32\Jligeboh.exe
        145⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Jbcpbl32.exe
        
        C:\Windows\system32\Jbcpbl32.exe
        146⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Jbelgl32.exe
        
        C:\Windows\system32\Jbelgl32.exe
        147⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Jdfiodjp.exe
        
        C:\Windows\system32\Jdfiodjp.exe
        148⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Jjqalnam.exe
        
        C:\Windows\system32\Jjqalnam.exe
        149⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Jefeigac.exe
        
        C:\Windows\system32\Jefeigac.exe
        150⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jlpnfa32.exe
        
        C:\Windows\system32\Jlpnfa32.exe
        151⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Kehbofop.exe
        
        C:\Windows\system32\Kehbofop.exe
        152⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Klbjkqgm.exe
        
        C:\Windows\system32\Klbjkqgm.exe
        153⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Kblbhk32.exe
        
        C:\Windows\system32\Kblbhk32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Kdnopcdh.exe
        
        C:\Windows\system32\Kdnopcdh.exe
        155⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Koccmldn.exe
        
        C:\Windows\system32\Koccmldn.exe
        156⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Kemkjf32.exe
        
        C:\Windows\system32\Kemkjf32.exe
        157⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Kjjdbm32.exe
        
        C:\Windows\system32\Kjjdbm32.exe
        158⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Kephoeih.exe
        
        C:\Windows\system32\Kephoeih.exe
        159⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kohmhk32.exe
        
        C:\Windows\system32\Kohmhk32.exe
        160⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Kebeeege.exe
        
        C:\Windows\system32\Kebeeege.exe
        161⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kllmao32.exe
        
        C:\Windows\system32\Kllmao32.exe
        162⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lahejfmj.exe
        
        C:\Windows\system32\Lahejfmj.exe
        163⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Llnjgomp.exe
        
        C:\Windows\system32\Llnjgomp.exe
        164⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Lbhbdi32.exe
        
        C:\Windows\system32\Lbhbdi32.exe
        165⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lheklp32.exe
        
        C:\Windows\system32\Lheklp32.exe
        166⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lbjoiibj.exe
        
        C:\Windows\system32\Lbjoiibj.exe
        167⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Lhggappa.exe
        
        C:\Windows\system32\Lhggappa.exe
        168⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Loapnj32.exe
        
        C:\Windows\system32\Loapnj32.exe
        169⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ldnhgq32.exe
        
        C:\Windows\system32\Ldnhgq32.exe
        170⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Locldi32.exe
        
        C:\Windows\system32\Locldi32.exe
        171⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ldpelpdc.exe
        
        C:\Windows\system32\Ldpelpdc.exe
        172⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mkjmij32.exe
        
        C:\Windows\system32\Mkjmij32.exe
        173⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mepafc32.exe
        
        C:\Windows\system32\Mepafc32.exe
        174⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Mljicmbb.exe
        
        C:\Windows\system32\Mljicmbb.exe
        175⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Mbdapg32.exe
        
        C:\Windows\system32\Mbdapg32.exe
        176⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Mllfhm32.exe
        
        C:\Windows\system32\Mllfhm32.exe
        177⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Maioqd32.exe
        
        C:\Windows\system32\Maioqd32.exe
        178⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mlocnm32.exe
        
        C:\Windows\system32\Mlocnm32.exe
        179⤵
        
        PID:664
        
        C:\Windows\SysWOW64\Makkfc32.exe
        
        C:\Windows\system32\Makkfc32.exe
        180⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Mheccn32.exe
        
        C:\Windows\system32\Mheccn32.exe
        181⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Mckhpf32.exe
        
        C:\Windows\system32\Mckhpf32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Mdldhoje.exe
        
        C:\Windows\system32\Mdldhoje.exe
        183⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Nkfldi32.exe
        
        C:\Windows\system32\Nkfldi32.exe
        184⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Nelqba32.exe
        
        C:\Windows\system32\Nelqba32.exe
        185⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Nkhijhop.exe
        
        C:\Windows\system32\Nkhijhop.exe
        186⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Ndqncn32.exe
        
        C:\Windows\system32\Ndqncn32.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Nkkfphmm.exe
        
        C:\Windows\system32\Nkkfphmm.exe
        188⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nepjmamc.exe
        
        C:\Windows\system32\Nepjmamc.exe
        189⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nkmbehkj.exe
        
        C:\Windows\system32\Nkmbehkj.exe
        190⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Nebgbq32.exe
        
        C:\Windows\system32\Nebgbq32.exe
        191⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Nkookg32.exe
        
        C:\Windows\system32\Nkookg32.exe
        192⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Naiggaqd.exe
        
        C:\Windows\system32\Naiggaqd.exe
        193⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Ololejpj.exe
        
        C:\Windows\system32\Ololejpj.exe
        194⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Ocidadgg.exe
        
        C:\Windows\system32\Ocidadgg.exe
        195⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Odjqim32.exe
        
        C:\Windows\system32\Odjqim32.exe
        196⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Oopefe32.exe
        
        C:\Windows\system32\Oopefe32.exe
        197⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ofjmcpdh.exe
        
        C:\Windows\system32\Ofjmcpdh.exe
        198⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Okfelfcp.exe
        
        C:\Windows\system32\Okfelfcp.exe
        199⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ofljio32.exe
        
        C:\Windows\system32\Ofljio32.exe
        200⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Olfbeijb.exe
        
        C:\Windows\system32\Olfbeijb.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Obcjnphj.exe
        
        C:\Windows\system32\Obcjnphj.exe
        202⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Ohmbjj32.exe
        
        C:\Windows\system32\Ohmbjj32.exe
        203⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Ocbghc32.exe
        
        C:\Windows\system32\Ocbghc32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Pdccpk32.exe
        
        C:\Windows\system32\Pdccpk32.exe
        205⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Poigmd32.exe
        
        C:\Windows\system32\Poigmd32.exe
        206⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Pdjipjoc.exe
        
        C:\Windows\system32\Pdjipjoc.exe
        207⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Popnmcoi.exe
        
        C:\Windows\system32\Popnmcoi.exe
        208⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Pdmffjmp.exe
        
        C:\Windows\system32\Pdmffjmp.exe
        209⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Pobjcc32.exe
        
        C:\Windows\system32\Pobjcc32.exe
        210⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Qflbpmdc.exe
        
        C:\Windows\system32\Qflbpmdc.exe
        211⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Qkikhdbj.exe
        
        C:\Windows\system32\Qkikhdbj.exe
        212⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Qfooembp.exe
        
        C:\Windows\system32\Qfooembp.exe
        213⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Qmigbgjm.exe
        
        C:\Windows\system32\Qmigbgjm.exe
        214⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Qcbpoa32.exe
        
        C:\Windows\system32\Qcbpoa32.exe
        215⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Aiphgh32.exe
        
        C:\Windows\system32\Aiphgh32.exe
        216⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Aoiqcbgn.exe
        
        C:\Windows\system32\Aoiqcbgn.exe
        217⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Aefiliee.exe
        
        C:\Windows\system32\Aefiliee.exe
        218⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Akpaic32.exe
        
        C:\Windows\system32\Akpaic32.exe
        219⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Aehfah32.exe
        
        C:\Windows\system32\Aehfah32.exe
        220⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Afhbkkje.exe
        
        C:\Windows\system32\Afhbkkje.exe
        221⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Ambjhe32.exe
        
        C:\Windows\system32\Ambjhe32.exe
        222⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Abocqlpj.exe
        
        C:\Windows\system32\Abocqlpj.exe
        223⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Aiikmf32.exe
        
        C:\Windows\system32\Aiikmf32.exe
        224⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Bcnojo32.exe
        
        C:\Windows\system32\Bcnojo32.exe
        225⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Beplbgmk.exe
        
        C:\Windows\system32\Beplbgmk.exe
        226⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Bpepopma.exe
        
        C:\Windows\system32\Bpepopma.exe
        227⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Bfohljdn.exe
        
        C:\Windows\system32\Bfohljdn.exe
        228⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Bllqdabe.exe
        
        C:\Windows\system32\Bllqdabe.exe
        229⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Bbfiak32.exe
        
        C:\Windows\system32\Bbfiak32.exe
        230⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bipaneao.exe
        
        C:\Windows\system32\Bipaneao.exe
        231⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Bceeknad.exe
        
        C:\Windows\system32\Bceeknad.exe
        232⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Begbcfgc.exe
        
        C:\Windows\system32\Begbcfgc.exe
        233⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Bchbqn32.exe
        
        C:\Windows\system32\Bchbqn32.exe
        234⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Ccjofn32.exe
        
        C:\Windows\system32\Ccjofn32.exe
        235⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Cekknfcn.exe
        
        C:\Windows\system32\Cekknfcn.exe
        236⤵
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Cclllmkm.exe
        
        C:\Windows\system32\Cclllmkm.exe
        237⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Cenhce32.exe
        
        C:\Windows\system32\Cenhce32.exe
        238⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Cpclqn32.exe
        
        C:\Windows\system32\Cpclqn32.exe
        239⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Cepeie32.exe
        
        C:\Windows\system32\Cepeie32.exe
        240⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Cljmfo32.exe
        
        C:\Windows\system32\Cljmfo32.exe
        241⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Cbdebinb.exe
        
        C:\Windows\system32\Cbdebinb.exe
        242⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Cmiipbmh.exe
        
        C:\Windows\system32\Cmiipbmh.exe
        243⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Cbfbhilo.exe
        
        C:\Windows\system32\Cbfbhilo.exe
        244⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Cipjdc32.exe
        
        C:\Windows\system32\Cipjdc32.exe
        245⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ddfnblcb.exe
        
        C:\Windows\system32\Ddfnblcb.exe
        246⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dibgjbai.exe
        
        C:\Windows\system32\Dibgjbai.exe
        247⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Ddhkgkqo.exe
        
        C:\Windows\system32\Ddhkgkqo.exe
        248⤵
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Deigoc32.exe
        
        C:\Windows\system32\Deigoc32.exe
        249⤵
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Dpolllfc.exe
        
        C:\Windows\system32\Dpolllfc.exe
        250⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Dfidif32.exe
        
        C:\Windows\system32\Dfidif32.exe
        251⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Dmclfqem.exe
        
        C:\Windows\system32\Dmclfqem.exe
        252⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Dbpengcd.exe
        
        C:\Windows\system32\Dbpengcd.exe
        253⤵
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Dijmka32.exe
        
        C:\Windows\system32\Dijmka32.exe
        254⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Ddoahjkg.exe
        
        C:\Windows\system32\Ddoahjkg.exe
        255⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Deqnpb32.exe
        
        C:\Windows\system32\Deqnpb32.exe
        256⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Epfbmk32.exe
        
        C:\Windows\system32\Epfbmk32.exe
        257⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Egpjjehh.exe
        
        C:\Windows\system32\Egpjjehh.exe
        258⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Emjbfp32.exe
        
        C:\Windows\system32\Emjbfp32.exe
        259⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Eddkcj32.exe
        
        C:\Windows\system32\Eddkcj32.exe
        260⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Eiqckq32.exe
        
        C:\Windows\system32\Eiqckq32.exe
        261⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Edfgii32.exe
        
        C:\Windows\system32\Edfgii32.exe
        262⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Eegdqajn.exe
        
        C:\Windows\system32\Eegdqajn.exe
        263⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Elalml32.exe
        
        C:\Windows\system32\Elalml32.exe
        264⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Eggpjdap.exe
        
        C:\Windows\system32\Eggpjdap.exe
        265⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Emahgo32.exe
        
        C:\Windows\system32\Emahgo32.exe
        266⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Edkadiqj.exe
        
        C:\Windows\system32\Edkadiqj.exe
        267⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Fjalbnfg.exe
        
        C:\Windows\system32\Fjalbnfg.exe
        268⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Fpkdoh32.exe
        
        C:\Windows\system32\Fpkdoh32.exe
        269⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Fgemlbep.exe
        
        C:\Windows\system32\Fgemlbep.exe
        270⤵
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Gnoehmmm.exe
        
        C:\Windows\system32\Gnoehmmm.exe
        271⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Gdimeg32.exe
        
        C:\Windows\system32\Gdimeg32.exe
        272⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Glfooi32.exe
        
        C:\Windows\system32\Glfooi32.exe
        273⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Gfochn32.exe
        
        C:\Windows\system32\Gfochn32.exe
        274⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Glikehnp.exe
        
        C:\Windows\system32\Glikehnp.exe
        275⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ggnobame.exe
        
        C:\Windows\system32\Ggnobame.exe
        276⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Glkhjhlm.exe
        
        C:\Windows\system32\Glkhjhlm.exe
        277⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Gcepgbcj.exe
        
        C:\Windows\system32\Gcepgbcj.exe
        278⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Hnkddkcp.exe
        
        C:\Windows\system32\Hnkddkcp.exe
        279⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Hjaeil32.exe
        
        C:\Windows\system32\Hjaeil32.exe
        280⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Hqkmffpa.exe
        
        C:\Windows\system32\Hqkmffpa.exe
        281⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Hfhfnm32.exe
        
        C:\Windows\system32\Hfhfnm32.exe
        282⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Hmbnkgee.exe
        
        C:\Windows\system32\Hmbnkgee.exe
        283⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Hclfha32.exe
        
        C:\Windows\system32\Hclfha32.exe
        284⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Hdlbaddd.exe
        
        C:\Windows\system32\Hdlbaddd.exe
        285⤵
        Drops file in System32 directory
        
        PID:7708
        
        C:\Windows\SysWOW64\Hfmoiljc.exe
        
        C:\Windows\system32\Hfmoiljc.exe
        286⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Hqbcfeji.exe
        
        C:\Windows\system32\Hqbcfeji.exe
        287⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Hgllco32.exe
        
        C:\Windows\system32\Hgllco32.exe
        288⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Infdpihb.exe
        
        C:\Windows\system32\Infdpihb.exe
        289⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Icclhpgj.exe
        
        C:\Windows\system32\Icclhpgj.exe
        290⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Ijmdejng.exe
        
        C:\Windows\system32\Ijmdejng.exe
        291⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Idbibcnm.exe
        
        C:\Windows\system32\Idbibcnm.exe
        292⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Ifdejk32.exe
        
        C:\Windows\system32\Ifdejk32.exe
        293⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Imnngekh.exe
        
        C:\Windows\system32\Imnngekh.exe
        294⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Igcbdnkn.exe
        
        C:\Windows\system32\Igcbdnkn.exe
        295⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Inmjqhbj.exe
        
        C:\Windows\system32\Inmjqhbj.exe
        296⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Igfoin32.exe
        
        C:\Windows\system32\Igfoin32.exe
        297⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Jqqphc32.exe
        
        C:\Windows\system32\Jqqphc32.exe
        298⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Jfmhpj32.exe
        
        C:\Windows\system32\Jfmhpj32.exe
        299⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Jmgpmdcm.exe
        
        C:\Windows\system32\Jmgpmdcm.exe
        300⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Jgmdjmcc.exe
        
        C:\Windows\system32\Jgmdjmcc.exe
        301⤵
        Drops file in System32 directory
        
        PID:7964
        
        C:\Windows\SysWOW64\Jngmgg32.exe
        
        C:\Windows\system32\Jngmgg32.exe
        302⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Jeqeca32.exe
        
        C:\Windows\system32\Jeqeca32.exe
        303⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Jjnnlh32.exe
        
        C:\Windows\system32\Jjnnlh32.exe
        304⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Jcfbenfd.exe
        
        C:\Windows\system32\Jcfbenfd.exe
        305⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Jjpjah32.exe
        
        C:\Windows\system32\Jjpjah32.exe
        306⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Jeeooqng.exe
        
        C:\Windows\system32\Jeeooqng.exe
        307⤵
        Drops file in System32 directory
        
        PID:8060
        
        C:\Windows\SysWOW64\Kfgkfi32.exe
        
        C:\Windows\system32\Kfgkfi32.exe
        308⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Kmqccckb.exe
        
        C:\Windows\system32\Kmqccckb.exe
        309⤵
        Drops file in System32 directory
        
        PID:8092
        
        C:\Windows\SysWOW64\Kgfgplkh.exe
        
        C:\Windows\system32\Kgfgplkh.exe
        310⤵
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Kmcpibip.exe
        
        C:\Windows\system32\Kmcpibip.exe
        311⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Kghdfk32.exe
        
        C:\Windows\system32\Kghdfk32.exe
        312⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Knblbepb.exe
        
        C:\Windows\system32\Knblbepb.exe
        313⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Kcoeklnj.exe
        
        C:\Windows\system32\Kcoeklnj.exe
        314⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Kjimgf32.exe
        
        C:\Windows\system32\Kjimgf32.exe
        315⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Keoaeo32.exe
        
        C:\Windows\system32\Keoaeo32.exe
        316⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Kfpnmg32.exe
        
        C:\Windows\system32\Kfpnmg32.exe
        317⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Kaebjp32.exe
        
        C:\Windows\system32\Kaebjp32.exe
        318⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Lfbjbg32.exe
        
        C:\Windows\system32\Lfbjbg32.exe
        319⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Lmlcoaae.exe
        
        C:\Windows\system32\Lmlcoaae.exe
        320⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Ldfklk32.exe
        
        C:\Windows\system32\Ldfklk32.exe
        321⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Lnloidhh.exe
        
        C:\Windows\system32\Lnloidhh.exe
        322⤵
        Modifies registry class
        
        PID:8224
        
        C:\Windows\SysWOW64\Ldihakfo.exe
        
        C:\Windows\system32\Ldihakfo.exe
        323⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Ljbpne32.exe
        
        C:\Windows\system32\Ljbpne32.exe
        324⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Lehdkn32.exe
        
        C:\Windows\system32\Lehdkn32.exe
        325⤵
        Modifies registry class
        
        PID:8272
        
        C:\Windows\SysWOW64\Lfiqcfcp.exe
        
        C:\Windows\system32\Lfiqcfcp.exe
        326⤵
        Drops file in System32 directory
        
        PID:8288
        
        C:\Windows\SysWOW64\Lmcippkm.exe
        
        C:\Windows\system32\Lmcippkm.exe
        327⤵
        Modifies registry class
        
        PID:8304
        
        C:\Windows\SysWOW64\Ldmalj32.exe
        
        C:\Windows\system32\Ldmalj32.exe
        328⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Loceic32.exe
        
        C:\Windows\system32\Loceic32.exe
        329⤵
        Modifies registry class
        
        PID:8336
        
        C:\Windows\SysWOW64\Memnfmim.exe
        
        C:\Windows\system32\Memnfmim.exe
        330⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Mjjfodhd.exe
        
        C:\Windows\system32\Mjjfodhd.exe
        331⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Meojlm32.exe
        
        C:\Windows\system32\Meojlm32.exe
        332⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Mklcdd32.exe
        
        C:\Windows\system32\Mklcdd32.exe
        333⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Meagam32.exe
        
        C:\Windows\system32\Meagam32.exe
        334⤵
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\SysWOW64\Mfccieke.exe
        
        C:\Windows\system32\Mfccieke.exe
        335⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Mahhfn32.exe
        
        C:\Windows\system32\Mahhfn32.exe
        336⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Mhbpchbh.exe
        
        C:\Windows\system32\Mhbpchbh.exe
        337⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Molhpb32.exe
        
        C:\Windows\system32\Molhpb32.exe
        338⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Mdiqhi32.exe
        
        C:\Windows\system32\Mdiqhi32.exe
        339⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8496
        
        C:\Windows\SysWOW64\Mkcidcpi.exe
        
        C:\Windows\system32\Mkcidcpi.exe
        340⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Nkllkago.exe
        
        C:\Windows\system32\Nkllkago.exe
        341⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Nebphjgd.exe
        
        C:\Windows\system32\Nebphjgd.exe
        342⤵
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\Ngclpbmc.exe
        
        C:\Windows\system32\Ngclpbmc.exe
        343⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Oaiqmkmi.exe
        
        C:\Windows\system32\Oaiqmkmi.exe
        344⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Ogeiebkp.exe
        
        C:\Windows\system32\Ogeiebkp.exe
        345⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Onpabl32.exe
        
        C:\Windows\system32\Onpabl32.exe
        346⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Oheeoe32.exe
        
        C:\Windows\system32\Oheeoe32.exe
        347⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Ooonlo32.exe
        
        C:\Windows\system32\Ooonlo32.exe
        348⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Odlfdf32.exe
        
        C:\Windows\system32\Odlfdf32.exe
        349⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Okfoapod.exe
        
        C:\Windows\system32\Okfoapod.exe
        350⤵
        Drops file in System32 directory
        
        PID:8672
        
        C:\Windows\SysWOW64\Oekcnioj.exe
        
        C:\Windows\system32\Oekcnioj.exe
        351⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Ogmofa32.exe
        
        C:\Windows\system32\Ogmofa32.exe
        352⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Oenpdi32.exe
        
        C:\Windows\system32\Oenpdi32.exe
        353⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Okjhlp32.exe
        
        C:\Windows\system32\Okjhlp32.exe
        354⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Padpijbk.exe
        
        C:\Windows\system32\Padpijbk.exe
        355⤵
        Drops file in System32 directory
        
        PID:8752
        
        C:\Windows\SysWOW64\Phnhec32.exe
        
        C:\Windows\system32\Phnhec32.exe
        356⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Pohqbn32.exe
        
        C:\Windows\system32\Pohqbn32.exe
        357⤵
        Modifies registry class
        
        PID:8784
        
        C:\Windows\SysWOW64\Pdeike32.exe
        
        C:\Windows\system32\Pdeike32.exe
        358⤵
        Modifies registry class
        
        PID:8800
        
        C:\Windows\SysWOW64\Pokmhn32.exe
        
        C:\Windows\system32\Pokmhn32.exe
        359⤵
        Drops file in System32 directory
        
        PID:8816
        
        C:\Windows\SysWOW64\Pdgfpd32.exe
        
        C:\Windows\system32\Pdgfpd32.exe
        360⤵
        Modifies registry class
        
        PID:8832
        
        C:\Windows\SysWOW64\Pomjmm32.exe
        
        C:\Windows\system32\Pomjmm32.exe
        361⤵
        Modifies registry class
        
        PID:8848
        
        C:\Windows\SysWOW64\Pfgbjg32.exe
        
        C:\Windows\system32\Pfgbjg32.exe
        362⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Pghobpkk.exe
        
        C:\Windows\system32\Pghobpkk.exe
        363⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Pbncohja.exe
        
        C:\Windows\system32\Pbncohja.exe
        364⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Phhklb32.exe
        
        C:\Windows\system32\Phhklb32.exe
        365⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Qbppdhhn.exe
        
        C:\Windows\system32\Qbppdhhn.exe
        366⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Qhjhabpk.exe
        
        C:\Windows\system32\Qhjhabpk.exe
        367⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Qodpnl32.exe
        
        C:\Windows\system32\Qodpnl32.exe
        368⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Qfnhkfod.exe
        
        C:\Windows\system32\Qfnhkfod.exe
        369⤵
        Modifies registry class
        
        PID:8976
        
        C:\Windows\SysWOW64\Akkacmml.exe
        
        C:\Windows\system32\Akkacmml.exe
        370⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Abeipg32.exe
        
        C:\Windows\system32\Abeipg32.exe
        371⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Ahoala32.exe
        
        C:\Windows\system32\Ahoala32.exe
        372⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Aoijikcb.exe
        
        C:\Windows\system32\Aoijikcb.exe
        373⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Afcbfe32.exe
        
        C:\Windows\system32\Afcbfe32.exe
        374⤵
        Modifies registry class
        
        PID:9056
        
        C:\Windows\SysWOW64\Akpjnl32.exe
        
        C:\Windows\system32\Akpjnl32.exe
        375⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Afeoke32.exe
        
        C:\Windows\system32\Afeoke32.exe
        376⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Agfkcn32.exe
        
        C:\Windows\system32\Agfkcn32.exe
        377⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Adjkma32.exe
        
        C:\Windows\system32\Adjkma32.exe
        378⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Aoppjj32.exe
        
        C:\Windows\system32\Aoppjj32.exe
        379⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Admhba32.exe
        
        C:\Windows\system32\Admhba32.exe
        380⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Boblojkh.exe
        
        C:\Windows\system32\Boblojkh.exe
        381⤵
        Drops file in System32 directory
        
        PID:9168
        
        C:\Windows\SysWOW64\Bfldld32.exe
        
        C:\Windows\system32\Bfldld32.exe
        382⤵
        Drops file in System32 directory
        
        PID:9184
        
        C:\Windows\SysWOW64\Bkimdk32.exe
        
        C:\Windows\system32\Bkimdk32.exe
        383⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Bbceaehi.exe
        
        C:\Windows\system32\Bbceaehi.exe
        384⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Bgpnilfp.exe
        
        C:\Windows\system32\Bgpnilfp.exe
        385⤵
        
        PID:492
        
        C:\Windows\SysWOW64\Bnjfffnm.exe
        
        C:\Windows\system32\Bnjfffnm.exe
        386⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Becncp32.exe
        
        C:\Windows\system32\Becncp32.exe
        387⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Boibpi32.exe
        
        C:\Windows\system32\Boibpi32.exe
        388⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Cboemc32.exe
        
        C:\Windows\system32\Cboemc32.exe
        389⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Cgkmej32.exe
        
        C:\Windows\system32\Cgkmej32.exe
        390⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Ceonoo32.exe
        
        C:\Windows\system32\Ceonoo32.exe
        391⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Cnhbgdam.exe
        
        C:\Windows\system32\Cnhbgdam.exe
        392⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\Cimfdm32.exe
        
        C:\Windows\system32\Cimfdm32.exe
        393⤵
        Modifies registry class
        
        PID:9260
        
        C:\Windows\SysWOW64\Cpgoagip.exe
        
        C:\Windows\system32\Cpgoagip.exe
        394⤵
        Drops file in System32 directory
        
        PID:9276
        
        C:\Windows\SysWOW64\Dedgjngg.exe
        
        C:\Windows\system32\Dedgjngg.exe
        395⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Dlnpfh32.exe
        
        C:\Windows\system32\Dlnpfh32.exe
        396⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Dfcdcanj.exe
        
        C:\Windows\system32\Dfcdcanj.exe
        397⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Dlpllhla.exe
        
        C:\Windows\system32\Dlpllhla.exe
        398⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Dhgmai32.exe
        
        C:\Windows\system32\Dhgmai32.exe
        399⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Dnaencjb.exe
        
        C:\Windows\system32\Dnaencjb.exe
        400⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Dncbcb32.exe
        
        C:\Windows\system32\Dncbcb32.exe
        401⤵
        Drops file in System32 directory
        
        PID:9388
        
        C:\Windows\SysWOW64\Demjpmom.exe
        
        C:\Windows\system32\Demjpmom.exe
        402⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Dpcnmeob.exe
        
        C:\Windows\system32\Dpcnmeob.exe
        403⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Efmfjp32.exe
        
        C:\Windows\system32\Efmfjp32.exe
        404⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Ehncahln.exe
        
        C:\Windows\system32\Ehncahln.exe
        405⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Ebcgoq32.exe
        
        C:\Windows\system32\Ebcgoq32.exe
        406⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Ehqpgg32.exe
        
        C:\Windows\system32\Ehqpgg32.exe
        407⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Eojhdaah.exe
        
        C:\Windows\system32\Eojhdaah.exe
        408⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\Eedpql32.exe
        
        C:\Windows\system32\Eedpql32.exe
        409⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Epjdndij.exe
        
        C:\Windows\system32\Epjdndij.exe
        410⤵
        Modifies registry class
        
        PID:9532
        
        C:\Windows\SysWOW64\Efdmjo32.exe
        
        C:\Windows\system32\Efdmjo32.exe
        411⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Eheibgfe.exe
        
        C:\Windows\system32\Eheibgfe.exe
        412⤵
        Drops file in System32 directory
        
        PID:9564
        
        C:\Windows\SysWOW64\Ebkmppfk.exe
        
        C:\Windows\system32\Ebkmppfk.exe
        413⤵
        Modifies registry class
        
        PID:9580
        
        C:\Windows\SysWOW64\Ehgfhfdc.exe
        
        C:\Windows\system32\Ehgfhfdc.exe
        414⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Fbmjeo32.exe
        
        C:\Windows\system32\Fbmjeo32.exe
        415⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Fhjbmf32.exe
        
        C:\Windows\system32\Fhjbmf32.exe
        416⤵
        Modifies registry class
        
        PID:9628
        
        C:\Windows\SysWOW64\Fbogko32.exe
        
        C:\Windows\system32\Fbogko32.exe
        417⤵
        Modifies registry class
        
        PID:9644
        
        C:\Windows\SysWOW64\Fljhid32.exe
        
        C:\Windows\system32\Fljhid32.exe
        418⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Fgplfm32.exe
        
        C:\Windows\system32\Fgplfm32.exe
        419⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Flleod32.exe
        
        C:\Windows\system32\Flleod32.exe
        420⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Fbfmknln.exe
        
        C:\Windows\system32\Fbfmknln.exe
        421⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Gegfmi32.exe
        
        C:\Windows\system32\Gegfmi32.exe
        422⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Gpmjjb32.exe
        
        C:\Windows\system32\Gpmjjb32.exe
        423⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Gggbgl32.exe
        
        C:\Windows\system32\Gggbgl32.exe
        424⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Ghhoodfp.exe
        
        C:\Windows\system32\Ghhoodfp.exe
        425⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Gpaceadp.exe
        
        C:\Windows\system32\Gpaceadp.exe
        426⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Ggklbk32.exe
        
        C:\Windows\system32\Ggklbk32.exe
        427⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\Glhdjbjd.exe
        
        C:\Windows\system32\Glhdjbjd.exe
        428⤵
        Modifies registry class
        
        PID:9820
        
        C:\Windows\SysWOW64\Ggnhgkjj.exe
        
        C:\Windows\system32\Ggnhgkjj.exe
        429⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Ghoeoc32.exe
        
        C:\Windows\system32\Ghoeoc32.exe
        430⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Hoimlmge.exe
        
        C:\Windows\system32\Hoimlmge.exe
        431⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9868
        
        C:\Windows\SysWOW64\Heceig32.exe
        
        C:\Windows\system32\Heceig32.exe
        432⤵
        Modifies registry class
        
        PID:9884
        
        C:\Windows\SysWOW64\Hphjfpnh.exe
        
        C:\Windows\system32\Hphjfpnh.exe
        433⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Hgbbbj32.exe
        
        C:\Windows\system32\Hgbbbj32.exe
        434⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Honggm32.exe
        
        C:\Windows\system32\Honggm32.exe
        435⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Hegodgjm.exe
        
        C:\Windows\system32\Hegodgjm.exe
        436⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Hckomk32.exe
        
        C:\Windows\system32\Hckomk32.exe
        437⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Hhhheb32.exe
        
        C:\Windows\system32\Hhhheb32.exe
        438⤵
        Drops file in System32 directory
        
        PID:9980
        
        C:\Windows\SysWOW64\Hcnlck32.exe
        
        C:\Windows\system32\Hcnlck32.exe
        439⤵
        Modifies registry class
        
        PID:9996
        
        C:\Windows\SysWOW64\Hjhdpeop.exe
        
        C:\Windows\system32\Hjhdpeop.exe
        440⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Ipbmlofm.exe
        
        C:\Windows\system32\Ipbmlofm.exe
        441⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Ifoedfdd.exe
        
        C:\Windows\system32\Ifoedfdd.exe
        442⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Ipdiaodj.exe
        
        C:\Windows\system32\Ipdiaodj.exe
        443⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Ignani32.exe
        
        C:\Windows\system32\Ignani32.exe
        444⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Ilkjgp32.exe
        
        C:\Windows\system32\Ilkjgp32.exe
        445⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Icebcj32.exe
        
        C:\Windows\system32\Icebcj32.exe
        446⤵
        Drops file in System32 directory
        
        PID:10108
        
        C:\Windows\SysWOW64\Iqibmn32.exe
        
        C:\Windows\system32\Iqibmn32.exe
        447⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\Ifekee32.exe
        
        C:\Windows\system32\Ifekee32.exe
        448⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Iqkobn32.exe
        
        C:\Windows\system32\Iqkobn32.exe
        449⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Ifhhkdlj.exe
        
        C:\Windows\system32\Ifhhkdlj.exe
        450⤵
        Drops file in System32 directory
        
        PID:10172
        
        C:\Windows\SysWOW64\Joplcj32.exe
        
        C:\Windows\system32\Joplcj32.exe
        451⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Jfjdpdjg.exe
        
        C:\Windows\system32\Jfjdpdjg.exe
        452⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Jmdmmn32.exe
        
        C:\Windows\system32\Jmdmmn32.exe
        453⤵
        Modifies registry class
        
        PID:10220
        
        C:\Windows\SysWOW64\Jcnejhia.exe
        
        C:\Windows\system32\Jcnejhia.exe
        454⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Jiknbo32.exe
        
        C:\Windows\system32\Jiknbo32.exe
        455⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Joefoioe.exe
        
        C:\Windows\system32\Joefoioe.exe
        456⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Jjkjlbnk.exe
        
        C:\Windows\system32\Jjkjlbnk.exe
        457⤵
        
        PID:416
        
        C:\Windows\SysWOW64\Jqdbhl32.exe
        
        C:\Windows\system32\Jqdbhl32.exe
        458⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Jgojefmd.exe
        
        C:\Windows\system32\Jgojefmd.exe
        459⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Jmkcnm32.exe
        
        C:\Windows\system32\Jmkcnm32.exe
        460⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\Jcekjgci.exe
        
        C:\Windows\system32\Jcekjgci.exe
        461⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\Kfhaab32.exe
        
        C:\Windows\system32\Kfhaab32.exe
        462⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Kmbinled.exe
        
        C:\Windows\system32\Kmbinled.exe
        463⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Kclakf32.exe
        
        C:\Windows\system32\Kclakf32.exe
        464⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Kiijcm32.exe
        
        C:\Windows\system32\Kiijcm32.exe
        465⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\Kconqfkn.exe
        
        C:\Windows\system32\Kconqfkn.exe
        466⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Kmgbil32.exe
        
        C:\Windows\system32\Kmgbil32.exe
        467⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\Kcakffik.exe
        
        C:\Windows\system32\Kcakffik.exe
        468⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Ljkcbp32.exe
        
        C:\Windows\system32\Ljkcbp32.exe
        469⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Laekpj32.exe
        
        C:\Windows\system32\Laekpj32.exe
        470⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Lfacha32.exe
        
        C:\Windows\system32\Lfacha32.exe
        471⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\Laghej32.exe
        
        C:\Windows\system32\Laghej32.exe
        472⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Lfdpmq32.exe
        
        C:\Windows\system32\Lfdpmq32.exe
        473⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Lmnhjkkg.exe
        
        C:\Windows\system32\Lmnhjkkg.exe
        474⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Lgcmgc32.exe
        
        C:\Windows\system32\Lgcmgc32.exe
        475⤵
        Modifies registry class
        
        PID:10496
        
        C:\Windows\SysWOW64\Lmpepj32.exe
        
        C:\Windows\system32\Lmpepj32.exe
        476⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Lgfimc32.exe
        
        C:\Windows\system32\Lgfimc32.exe
        477⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\Ligfdkoh.exe
        
        C:\Windows\system32\Ligfdkoh.exe
        478⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Lcmjbdon.exe
        
        C:\Windows\system32\Lcmjbdon.exe
        479⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\Miibjk32.exe
        
        C:\Windows\system32\Miibjk32.exe
        480⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\Mpckgedb.exe
        
        C:\Windows\system32\Mpckgedb.exe
        481⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Milopk32.exe
        
        C:\Windows\system32\Milopk32.exe
        482⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Mpfhlebp.exe
        
        C:\Windows\system32\Mpfhlebp.exe
        483⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\Mfppiojm.exe
        
        C:\Windows\system32\Mfppiojm.exe
        484⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Mmjhfi32.exe
        
        C:\Windows\system32\Mmjhfi32.exe
        485⤵
        Modifies registry class
        
        PID:10656
        
        C:\Windows\SysWOW64\Mddpbchf.exe
        
        C:\Windows\system32\Mddpbchf.exe
        486⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\Miqikjgn.exe
        
        C:\Windows\system32\Miqikjgn.exe
        487⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\Mdfmhbfc.exe
        
        C:\Windows\system32\Mdfmhbfc.exe
        488⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Mjpeemnp.exe
        
        C:\Windows\system32\Mjpeemnp.exe
        489⤵
        Drops file in System32 directory
        
        PID:10720
        
        C:\Windows\SysWOW64\Mpmnmdlh.exe
        
        C:\Windows\system32\Mpmnmdlh.exe
        490⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Nfgfjn32.exe
        
        C:\Windows\system32\Nfgfjn32.exe
        491⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\Nmanfhka.exe
        
        C:\Windows\system32\Nmanfhka.exe
        492⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\Nhfbcqkg.exe
        
        C:\Windows\system32\Nhfbcqkg.exe
        493⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Nigoki32.exe
        
        C:\Windows\system32\Nigoki32.exe
        494⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Nhioip32.exe
        
        C:\Windows\system32\Nhioip32.exe
        495⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\Nijlaioc.exe
        
        C:\Windows\system32\Nijlaioc.exe
        496⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\Npddnb32.exe
        
        C:\Windows\system32\Npddnb32.exe
        497⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\Nfnljmnm.exe
        
        C:\Windows\system32\Nfnljmnm.exe
        498⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Nacpge32.exe
        
        C:\Windows\system32\Nacpge32.exe
        499⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Nfpipm32.exe
        
        C:\Windows\system32\Nfpipm32.exe
        500⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\Nafmme32.exe
        
        C:\Windows\system32\Nafmme32.exe
        501⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Ohpejobm.exe
        
        C:\Windows\system32\Ohpejobm.exe
        502⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Omlnbfad.exe
        
        C:\Windows\system32\Omlnbfad.exe
        503⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\Ohbboo32.exe
        
        C:\Windows\system32\Ohbboo32.exe
        504⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Omojhf32.exe
        
        C:\Windows\system32\Omojhf32.exe
        505⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Oggoqkeb.exe
        
        C:\Windows\system32\Oggoqkeb.exe
        506⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\Omagme32.exe
        
        C:\Windows\system32\Omagme32.exe
        507⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Odkojp32.exe
        
        C:\Windows\system32\Odkojp32.exe
        508⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\Oihhbf32.exe
        
        C:\Windows\system32\Oihhbf32.exe
        509⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Opbpoqjp.exe
        
        C:\Windows\system32\Opbpoqjp.exe
        510⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Oglhlk32.exe
        
        C:\Windows\system32\Oglhlk32.exe
        511⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Omfqheii.exe
        
        C:\Windows\system32\Omfqheii.exe
        512⤵
        Drops file in System32 directory
        
        PID:11092
        
        C:\Windows\SysWOW64\Phkeen32.exe
        
        C:\Windows\system32\Phkeen32.exe
        513⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\Pmhmnd32.exe
        
        C:\Windows\system32\Pmhmnd32.exe
        514⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Phnakm32.exe
        
        C:\Windows\system32\Phnakm32.exe
        515⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\Paffdcmm.exe
        
        C:\Windows\system32\Paffdcmm.exe
        516⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Phpnqmdj.exe
        
        C:\Windows\system32\Phpnqmdj.exe
        517⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Pnmgidba.exe
        
        C:\Windows\system32\Pnmgidba.exe
        518⤵
        Modifies registry class
        
        PID:11188
        
        C:\Windows\SysWOW64\Phbkfmbg.exe
        
        C:\Windows\system32\Phbkfmbg.exe
        519⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Pjcgne32.exe
        
        C:\Windows\system32\Pjcgne32.exe
        520⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\Pdilkn32.exe
        
        C:\Windows\system32\Pdilkn32.exe
        521⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Pjfdcdfc.exe
        
        C:\Windows\system32\Pjfdcdfc.exe
        522⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\Qpplpo32.exe
        
        C:\Windows\system32\Qpplpo32.exe
        523⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Qgjdmiem.exe
        
        C:\Windows\system32\Qgjdmiem.exe
        524⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 372
        525⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aapbbmhj.exe

MD5
1100e7ea75265fe3b1afc0b96588d21b

SHA1
e654d213a3a212a67c806c1e52b38019b02cf1d2

SHA256
49e6f46b5538adf616d1d33732e5068502fcc27d792b44ffaf21aca204da6f1f

SHA512
afc8c0eef709787ecdc82bf22de9a0fdb50f9071822cca81c3cc343a6ad9b5c9ea2e7feb52c622c63291eb572b71d9846718476972e3d0c8cba5ffb665c1ce42

Download Submit
C:\Windows\SysWOW64\Aapbbmhj.exe

MD5
1100e7ea75265fe3b1afc0b96588d21b

SHA1
e654d213a3a212a67c806c1e52b38019b02cf1d2

SHA256
49e6f46b5538adf616d1d33732e5068502fcc27d792b44ffaf21aca204da6f1f

SHA512
afc8c0eef709787ecdc82bf22de9a0fdb50f9071822cca81c3cc343a6ad9b5c9ea2e7feb52c622c63291eb572b71d9846718476972e3d0c8cba5ffb665c1ce42

Download Submit
C:\Windows\SysWOW64\Aenkik32.exe

MD5
8ad9625e2ba5e42aa5ad5a2a51d45329

SHA1
b069b6abf90d8fd4431f3c30240d1bb820e649c7

SHA256
57ef865b0c04aa55194316360c25509c5f069ec6586bfb3f93951f35e6215177

SHA512
4020c84954d24f8f61a59b992333468eac6417369169b4d3caa217d11872aec1dc6f7d062c6d406cee5eddde84245e8690a682c8765864c8f89e0e27688bcd32

Download Submit
C:\Windows\SysWOW64\Aenkik32.exe

MD5
8ad9625e2ba5e42aa5ad5a2a51d45329

SHA1
b069b6abf90d8fd4431f3c30240d1bb820e649c7

SHA256
57ef865b0c04aa55194316360c25509c5f069ec6586bfb3f93951f35e6215177

SHA512
4020c84954d24f8f61a59b992333468eac6417369169b4d3caa217d11872aec1dc6f7d062c6d406cee5eddde84245e8690a682c8765864c8f89e0e27688bcd32

Download Submit
C:\Windows\SysWOW64\Ahfpekkb.exe

MD5
8be5596b1681bec1ac2071846b449dc5

SHA1
5f4106448e8c7e264e639c9f9935d81dc402d3f4

SHA256
4f0976a7659521b404870bfdc6809f4c0cee95addc271b966a5f41325ebf9d3b

SHA512
aa96e2066d950c51778cf24f382c012b1bc9ada6b740448b12f6d7d98095bf6d6c50180b8d7b67aedf25c5ad089d848bad6f6bcc812aa809ae5b0436370cf0b0

Download Submit
C:\Windows\SysWOW64\Ahfpekkb.exe

MD5
8be5596b1681bec1ac2071846b449dc5

SHA1
5f4106448e8c7e264e639c9f9935d81dc402d3f4

SHA256
4f0976a7659521b404870bfdc6809f4c0cee95addc271b966a5f41325ebf9d3b

SHA512
aa96e2066d950c51778cf24f382c012b1bc9ada6b740448b12f6d7d98095bf6d6c50180b8d7b67aedf25c5ad089d848bad6f6bcc812aa809ae5b0436370cf0b0

Download Submit
C:\Windows\SysWOW64\Bampooec.exe

MD5
ab57b45ed95342342de15ade0d5cbd39

SHA1
d2b7b5d3b56ed8013ae7e0bf7645e280b117ee14

SHA256
a388dcaedab859edd540dde65dae49194c343d93f62ba0d3f93cd603356c7b3d

SHA512
7e47148b83958841a2553d90628f52591f11c15dd3864870c384e7bd9e456b9db849b73998062b23b483813382a5bebd71f395e0d2898c6c70703d6824007375

Download Submit
C:\Windows\SysWOW64\Bampooec.exe

MD5
ab57b45ed95342342de15ade0d5cbd39

SHA1
d2b7b5d3b56ed8013ae7e0bf7645e280b117ee14

SHA256
a388dcaedab859edd540dde65dae49194c343d93f62ba0d3f93cd603356c7b3d

SHA512
7e47148b83958841a2553d90628f52591f11c15dd3864870c384e7bd9e456b9db849b73998062b23b483813382a5bebd71f395e0d2898c6c70703d6824007375

Download Submit
C:\Windows\SysWOW64\Bcpgcnaj.exe

MD5
1f3f9f1d92e63c74676039de0b316cc9

SHA1
a5d1b78a9430d6e2c16ab0c3bea4b55638c6f550

SHA256
6e2fb241c0236f18645c6a920cd20adc1f33d5510aa76168412046c46f381562

SHA512
4cc56e3878348b095a770433001c3836c7d8970030ac037511e3b452c3c8a86ecc9a42843eaa8cfaae506bbab77bc3bc4d1f4f12f520e1f369cae27d8636527a

Download Submit
C:\Windows\SysWOW64\Bcpgcnaj.exe

MD5
1f3f9f1d92e63c74676039de0b316cc9

SHA1
a5d1b78a9430d6e2c16ab0c3bea4b55638c6f550

SHA256
6e2fb241c0236f18645c6a920cd20adc1f33d5510aa76168412046c46f381562

SHA512
4cc56e3878348b095a770433001c3836c7d8970030ac037511e3b452c3c8a86ecc9a42843eaa8cfaae506bbab77bc3bc4d1f4f12f520e1f369cae27d8636527a

Download Submit
C:\Windows\SysWOW64\Dobqjgie.exe

MD5
727a8d385efe6a1e513bba7a938147ba

SHA1
b573a5d222f571396323b692479e4479b3510635

SHA256
d80ab44880210ba99a16e2e755854a8e23ed392116263348ddf14981fc17ae91

SHA512
b92d284940a3cf41bedec26e7746ef0077bf98df4e1085de886e0d5e77c923cf0a4c0ad47a727b2d7e89537885061bb73ef9b58b42776d345cd5bb1866ce7dd3

Download Submit
C:\Windows\SysWOW64\Dobqjgie.exe

MD5
727a8d385efe6a1e513bba7a938147ba

SHA1
b573a5d222f571396323b692479e4479b3510635

SHA256
d80ab44880210ba99a16e2e755854a8e23ed392116263348ddf14981fc17ae91

SHA512
b92d284940a3cf41bedec26e7746ef0077bf98df4e1085de886e0d5e77c923cf0a4c0ad47a727b2d7e89537885061bb73ef9b58b42776d345cd5bb1866ce7dd3

Download Submit
C:\Windows\SysWOW64\Eigliaid.exe

MD5
15b72b87dd74bac1d797411d734bf03b

SHA1
29a53e98cec67bc9d50a61a5655a03fdfe03e40d

SHA256
3d6e1e5352fed475edf0eec3993466159087a8dd705b73430e7bf74d2086c4bd

SHA512
da07dafde305d514092352344a412933a6096a7bb1e56e9e745a5e73f9b3c4e5d40ea5c05b45ddf648ed55f5b0b36a58e1763b88835e2a1a90477342724c2a20

Download Submit
C:\Windows\SysWOW64\Eigliaid.exe

MD5
15b72b87dd74bac1d797411d734bf03b

SHA1
29a53e98cec67bc9d50a61a5655a03fdfe03e40d

SHA256
3d6e1e5352fed475edf0eec3993466159087a8dd705b73430e7bf74d2086c4bd

SHA512
da07dafde305d514092352344a412933a6096a7bb1e56e9e745a5e73f9b3c4e5d40ea5c05b45ddf648ed55f5b0b36a58e1763b88835e2a1a90477342724c2a20

Download Submit
C:\Windows\SysWOW64\Fbehmibe.exe

MD5
7f0bb1a69d642aa3a7dd82f0f578f7d4

SHA1
0bc6d8135e82aa36653289346677de5485e4bb36

SHA256
5f3067357611af4e65e1798d833d61b37d766ca12336beaf365bb1c2acee0ec5

SHA512
c5060ff142ad99614e37de20079854ec8dd461f820fd0822f56750f81932e2369db7b38b28c8c12a7f419678bad8052e5d01ba651a1662323f05188af8f63cc3

Download Submit
C:\Windows\SysWOW64\Fbehmibe.exe

MD5
7f0bb1a69d642aa3a7dd82f0f578f7d4

SHA1
0bc6d8135e82aa36653289346677de5485e4bb36

SHA256
5f3067357611af4e65e1798d833d61b37d766ca12336beaf365bb1c2acee0ec5

SHA512
c5060ff142ad99614e37de20079854ec8dd461f820fd0822f56750f81932e2369db7b38b28c8c12a7f419678bad8052e5d01ba651a1662323f05188af8f63cc3

Download Submit
C:\Windows\SysWOW64\Fdhndd32.exe

MD5
6f053975b216e75d6ba151adf641ef5d

SHA1
1a9264ccf69077335ef0c434f3689da2811aea57

SHA256
4556fa1f3011f9d490a49b3f13288722291157f5c6906b5efbe114348e1e8b78

SHA512
fff8aaae5b9ef95a5269ec64839c8d36bb2fe30aa1215de74ac52be81c230b62a629646ff1b36fe439ec834a27b9f6c58960d4d23712cc98cbb1e1bb702f3355

Download Submit
C:\Windows\SysWOW64\Fdhndd32.exe

MD5
6f053975b216e75d6ba151adf641ef5d

SHA1
1a9264ccf69077335ef0c434f3689da2811aea57

SHA256
4556fa1f3011f9d490a49b3f13288722291157f5c6906b5efbe114348e1e8b78

SHA512
fff8aaae5b9ef95a5269ec64839c8d36bb2fe30aa1215de74ac52be81c230b62a629646ff1b36fe439ec834a27b9f6c58960d4d23712cc98cbb1e1bb702f3355

Download Submit
C:\Windows\SysWOW64\Fifgkbdj.exe

MD5
b80fca4b26936401efad38813441382b

SHA1
d2488affa1aef288ada2d11999f1334112c38bc6

SHA256
c295f3aed8d1e8bdf30380899a579c656194650aaca69e641dfabd5141a8bd0f

SHA512
47bc41b299cc54fe77e0a3dbae951a7df80f7fab871340e74f7e2d8a3b9d479e56bb59f2546a3e724bf1395aa6e483101971f08d7dc3eef68fa27fa1414b9f5d

Download Submit
C:\Windows\SysWOW64\Fifgkbdj.exe

MD5
b80fca4b26936401efad38813441382b

SHA1
d2488affa1aef288ada2d11999f1334112c38bc6

SHA256
c295f3aed8d1e8bdf30380899a579c656194650aaca69e641dfabd5141a8bd0f

SHA512
47bc41b299cc54fe77e0a3dbae951a7df80f7fab871340e74f7e2d8a3b9d479e56bb59f2546a3e724bf1395aa6e483101971f08d7dc3eef68fa27fa1414b9f5d

Download Submit
C:\Windows\SysWOW64\Fkkgke32.exe

MD5
d994e06d18e333e2d4c0f73033658c66

SHA1
27e4347570f20645900a5b5288f7f1fede1bb07f

SHA256
4d9ba37d4239399e793043ff2fc67e33b7bb0d05d1bbb39b06d03e90d9cbb0eb

SHA512
d0ea16535f8c5b261eb685629c81a5ad246ea67bf4fb057a976bc1cc206e5810199becebdd1058d47c162cb5db86f228fd64b4b25ceaa648d7e0f86d51268f12

Download Submit
C:\Windows\SysWOW64\Fkkgke32.exe

MD5
d994e06d18e333e2d4c0f73033658c66

SHA1
27e4347570f20645900a5b5288f7f1fede1bb07f

SHA256
4d9ba37d4239399e793043ff2fc67e33b7bb0d05d1bbb39b06d03e90d9cbb0eb

SHA512
d0ea16535f8c5b261eb685629c81a5ad246ea67bf4fb057a976bc1cc206e5810199becebdd1058d47c162cb5db86f228fd64b4b25ceaa648d7e0f86d51268f12

Download Submit
C:\Windows\SysWOW64\Gnjlnnpe.exe

MD5
a2282d59c4e0dff632fbb5bdc8cf0971

SHA1
f1529b108b1d32036fb3c7699b2eb0cfd40c872a

SHA256
e25cceeaa3ece2afbc6ca6a40ecb7d472852418efce6bf0f5c3c40dd0eae0ecb

SHA512
e185fd9022a7de400b6975e96f8e639d766578a5028f75a053122d2da90ee6eebd681d24f531f81641a84d7884aff3628d5a8184f8037694f7503fef192a8e54

Download Submit
C:\Windows\SysWOW64\Gnjlnnpe.exe

MD5
a2282d59c4e0dff632fbb5bdc8cf0971

SHA1
f1529b108b1d32036fb3c7699b2eb0cfd40c872a

SHA256
e25cceeaa3ece2afbc6ca6a40ecb7d472852418efce6bf0f5c3c40dd0eae0ecb

SHA512
e185fd9022a7de400b6975e96f8e639d766578a5028f75a053122d2da90ee6eebd681d24f531f81641a84d7884aff3628d5a8184f8037694f7503fef192a8e54

Download Submit
C:\Windows\SysWOW64\Hbddpklo.exe

MD5
40002550a1964cfa0ff948353e0296f9

SHA1
17fb836e625d7cedc64c06e7deb8248006f166b7

SHA256
cc9aadfdf59132f36845342faade66c00f9d478390a62d498cbaaeac8b1ba92f

SHA512
801020c45890983ae21fc91128b67155afc8255b90ff527a013b2b4f86e9b31c26d3474c52c69a22e8cf78bba933ec378a2b8228d98aabb1d823587c9757c4a9

Download Submit
C:\Windows\SysWOW64\Hbddpklo.exe

MD5
40002550a1964cfa0ff948353e0296f9

SHA1
17fb836e625d7cedc64c06e7deb8248006f166b7

SHA256
cc9aadfdf59132f36845342faade66c00f9d478390a62d498cbaaeac8b1ba92f

SHA512
801020c45890983ae21fc91128b67155afc8255b90ff527a013b2b4f86e9b31c26d3474c52c69a22e8cf78bba933ec378a2b8228d98aabb1d823587c9757c4a9

Download Submit
C:\Windows\SysWOW64\Hlmpcgfk.exe

MD5
a30232d467288bdba8e02bb4a4074e8b

SHA1
cd86f643a9fd86e062b3189e1afb770d97352ecc

SHA256
a8bee3806542da50afef3c9f31fc049c66a9f314845a31298f2b3ba19b07e35d

SHA512
b0642464067b6454ab79a34013ea2b940a258bdbb997dcde24122066f7dc2e0716c2937f58ad3d422a04b7e0696ec3a55041850861b7ca7a302256781568ad41

Download Submit
C:\Windows\SysWOW64\Hlmpcgfk.exe

MD5
a30232d467288bdba8e02bb4a4074e8b

SHA1
cd86f643a9fd86e062b3189e1afb770d97352ecc

SHA256
a8bee3806542da50afef3c9f31fc049c66a9f314845a31298f2b3ba19b07e35d

SHA512
b0642464067b6454ab79a34013ea2b940a258bdbb997dcde24122066f7dc2e0716c2937f58ad3d422a04b7e0696ec3a55041850861b7ca7a302256781568ad41

Download Submit
C:\Windows\SysWOW64\Jcjnln32.exe

MD5
391c5dfbaa1440d60ae0a0b6fadfa7eb

SHA1
6000d51508036dd3802519678fb4b89461ebc49e

SHA256
e7eee664f2c8fb822693a91452a3a99aa296329f8f04e5cfdfd48ef1faccf8da

SHA512
7110a683ae9731ef6e73be80ecdf92a1c4cde5d501eb724890ef26554db0bd067e768f75f49f8edf4a6699ec89c441bba8a1ba25d90f73e35de4ff7c7211ccbd

Download Submit
C:\Windows\SysWOW64\Jcjnln32.exe

MD5
391c5dfbaa1440d60ae0a0b6fadfa7eb

SHA1
6000d51508036dd3802519678fb4b89461ebc49e

SHA256
e7eee664f2c8fb822693a91452a3a99aa296329f8f04e5cfdfd48ef1faccf8da

SHA512
7110a683ae9731ef6e73be80ecdf92a1c4cde5d501eb724890ef26554db0bd067e768f75f49f8edf4a6699ec89c441bba8a1ba25d90f73e35de4ff7c7211ccbd

Download Submit
C:\Windows\SysWOW64\Klfefm32.exe

MD5
3ebeac69f7794a5561fbcd24e9bec6e3

SHA1
83aaacf592d0871e5d6cd0fb8f46a33aaf0d7619

SHA256
a63752402ba516b7f875ce1b61ad0a00d0773fa4955244a892de4790a5c42bb5

SHA512
27699773a3d7273e99d4acfa9aa1f7733a7b861663be7c58b0618a38d957e305b93958870d22a671a0c169c4fef569cf5d546b73186f7945e0e7f522b26e83ab

Download Submit
C:\Windows\SysWOW64\Klfefm32.exe

MD5
3ebeac69f7794a5561fbcd24e9bec6e3

SHA1
83aaacf592d0871e5d6cd0fb8f46a33aaf0d7619

SHA256
a63752402ba516b7f875ce1b61ad0a00d0773fa4955244a892de4790a5c42bb5

SHA512
27699773a3d7273e99d4acfa9aa1f7733a7b861663be7c58b0618a38d957e305b93958870d22a671a0c169c4fef569cf5d546b73186f7945e0e7f522b26e83ab

Download Submit
C:\Windows\SysWOW64\Lfaokpbm.exe

MD5
c8a501c2c245c99e2cd463c4ec207e1b

SHA1
b3d4ea1ca0b086f4560819c0d7df67bc416e3d84

SHA256
c2286b0bec56a07b6fbaf8cffa0cf733007144a356aaa83dfe77f8f4afc75959

SHA512
07d7b3f5afca4a41cc6c412ded5ce202d926f164b7727dbb0380b6f6f2c4d06da26635b17406d7ecafa407f498b6f8cb36539003b7cd4b16e2f9035b553898e8

Download Submit
C:\Windows\SysWOW64\Lfaokpbm.exe

MD5
c8a501c2c245c99e2cd463c4ec207e1b

SHA1
b3d4ea1ca0b086f4560819c0d7df67bc416e3d84

SHA256
c2286b0bec56a07b6fbaf8cffa0cf733007144a356aaa83dfe77f8f4afc75959

SHA512
07d7b3f5afca4a41cc6c412ded5ce202d926f164b7727dbb0380b6f6f2c4d06da26635b17406d7ecafa407f498b6f8cb36539003b7cd4b16e2f9035b553898e8

Download Submit
C:\Windows\SysWOW64\Lfhleajh.exe

MD5
dbc9c16f8b1f6c7490d4e6fb13c92dd5

SHA1
279d54d2733d0a45356d082eb0ac10b25adee809

SHA256
abe3000ef805ab2fa77e07547e8cf83c90d3e1e2f28a4e8a8e658bba77b192a2

SHA512
848041536ae1dbe29395e0e5f5f2a1e07d57e6c0911831403bdaf2a597c153c348509e348298804aab428269d1f828528aca4a55186631cf8acf26b0b2ae7983

Download Submit
C:\Windows\SysWOW64\Lfhleajh.exe

MD5
dbc9c16f8b1f6c7490d4e6fb13c92dd5

SHA1
279d54d2733d0a45356d082eb0ac10b25adee809

SHA256
abe3000ef805ab2fa77e07547e8cf83c90d3e1e2f28a4e8a8e658bba77b192a2

SHA512
848041536ae1dbe29395e0e5f5f2a1e07d57e6c0911831403bdaf2a597c153c348509e348298804aab428269d1f828528aca4a55186631cf8acf26b0b2ae7983

Download Submit
C:\Windows\SysWOW64\Ljkeqe32.exe

MD5
60b65a9de56c235f8a873b2e63a0d4c9

SHA1
963e99861665485fb80784269a535670c7e5ff85

SHA256
4ac9ac9d212585f183ce904795871ca0c4f4381c5b7428522d58e8bd59ec464c

SHA512
40150a5b6d37e37092f2d5152e598b909fdf135f5ae1f724059667e898b13c95990f4b4f8eb47b1f8ac884564f5907349e90e7152f6648f25062986b7b8eb036

Download Submit
C:\Windows\SysWOW64\Ljkeqe32.exe

MD5
60b65a9de56c235f8a873b2e63a0d4c9

SHA1
963e99861665485fb80784269a535670c7e5ff85

SHA256
4ac9ac9d212585f183ce904795871ca0c4f4381c5b7428522d58e8bd59ec464c

SHA512
40150a5b6d37e37092f2d5152e598b909fdf135f5ae1f724059667e898b13c95990f4b4f8eb47b1f8ac884564f5907349e90e7152f6648f25062986b7b8eb036

Download Submit
C:\Windows\SysWOW64\Mmbmhicb.exe

MD5
fdf69b1739acd0882865190e9e14a535

SHA1
6d17d601b1c1c1e31e8ec248ffb490849f9d7928

SHA256
77fb6fc755b8dac6ac9986f0d2a2097d8f740b90b02c119039f8bf1cd8f7b03a

SHA512
66473e92e99f833881da4040dc7b58f2a9411e36c2fab7093a7908dd3bb25f8b90995fc3cddcda6dd4020a5c859623491161dd24e23f9f1c3ef4110ce6881141

Download Submit
C:\Windows\SysWOW64\Mmbmhicb.exe

MD5
fdf69b1739acd0882865190e9e14a535

SHA1
6d17d601b1c1c1e31e8ec248ffb490849f9d7928

SHA256
77fb6fc755b8dac6ac9986f0d2a2097d8f740b90b02c119039f8bf1cd8f7b03a

SHA512
66473e92e99f833881da4040dc7b58f2a9411e36c2fab7093a7908dd3bb25f8b90995fc3cddcda6dd4020a5c859623491161dd24e23f9f1c3ef4110ce6881141

Download Submit
C:\Windows\SysWOW64\Ncdbph32.exe

MD5
6b152841fcf0823ca3eaea767ed498ef

SHA1
8e02885064563498d323a7fbcea2d871c1454dd6

SHA256
697e572f8b7cac2061d3ee295d3d3775139f34d0e415377e4b0e474fea129b2d

SHA512
89bb220a772afb3c84013b682d5949f585aa64bc6149b2cc15571ad0abe73906f983561f2d2255afaae75f26247694efd89072ae9b3a75517aee920227624728

Download Submit
C:\Windows\SysWOW64\Ncdbph32.exe

MD5
6b152841fcf0823ca3eaea767ed498ef

SHA1
8e02885064563498d323a7fbcea2d871c1454dd6

SHA256
697e572f8b7cac2061d3ee295d3d3775139f34d0e415377e4b0e474fea129b2d

SHA512
89bb220a772afb3c84013b682d5949f585aa64bc6149b2cc15571ad0abe73906f983561f2d2255afaae75f26247694efd89072ae9b3a75517aee920227624728

Download Submit
C:\Windows\SysWOW64\Ncfofhfp.exe

MD5
c9dfad16da32c4d21971f248de40c9d9

SHA1
c4e890657f1facb271bfcba4524e3c60063a2462

SHA256
a44121053d38f9878293d218f7f840dd3498c8285ee3936a59c85b2e6108277e

SHA512
fe479fc777c1138a7d04c7e99d6395bb56f1344483c95ea8d19cb60efacdbc87b1c79742f14e4dbb1971678aeba4b4c079f680806913b0a660bff85e8fd1961e

Download Submit
C:\Windows\SysWOW64\Ncfofhfp.exe

MD5
c9dfad16da32c4d21971f248de40c9d9

SHA1
c4e890657f1facb271bfcba4524e3c60063a2462

SHA256
a44121053d38f9878293d218f7f840dd3498c8285ee3936a59c85b2e6108277e

SHA512
fe479fc777c1138a7d04c7e99d6395bb56f1344483c95ea8d19cb60efacdbc87b1c79742f14e4dbb1971678aeba4b4c079f680806913b0a660bff85e8fd1961e

Download Submit
C:\Windows\SysWOW64\Obfbpdfj.exe

MD5
48e496ffbbfa168e59c7faa80b5649ed

SHA1
69a317633ff7dea3ca3de7a232dae758b92e7cd5

SHA256
b61edd417dc66b039469a7ce298438a270e437c037f5f828beafbc1a3fe1b07f

SHA512
9a60ce35e0ada9a9789d59198b78529acb29bf2c1b2f0e7b78df68d4633272912708eff84e01297ce6d8ff668162e0e91576625719dbb8862a87e3bb32b8b71f

Download Submit
C:\Windows\SysWOW64\Obfbpdfj.exe

MD5
48e496ffbbfa168e59c7faa80b5649ed

SHA1
69a317633ff7dea3ca3de7a232dae758b92e7cd5

SHA256
b61edd417dc66b039469a7ce298438a270e437c037f5f828beafbc1a3fe1b07f

SHA512
9a60ce35e0ada9a9789d59198b78529acb29bf2c1b2f0e7b78df68d4633272912708eff84e01297ce6d8ff668162e0e91576625719dbb8862a87e3bb32b8b71f

Download Submit
C:\Windows\SysWOW64\Ocmefg32.exe

MD5
58cfa87ad35e998a2fded07576bd74a8

SHA1
635665bcd00325ecfa05f0c93f2135601f5fd35f

SHA256
81fe010f12ab09bc280387349e6a81e99dbafa6762a157957af4520c0a3c8ca0

SHA512
66bd4962851c90eaab15a5cf68d90fc8aed870a4a5e588c9aedc49703a432de3b328412b2ae9e8b908438a8469311774cb61c11a5a97530929f3198f790bfafc

Download Submit
C:\Windows\SysWOW64\Ocmefg32.exe

MD5
58cfa87ad35e998a2fded07576bd74a8

SHA1
635665bcd00325ecfa05f0c93f2135601f5fd35f

SHA256
81fe010f12ab09bc280387349e6a81e99dbafa6762a157957af4520c0a3c8ca0

SHA512
66bd4962851c90eaab15a5cf68d90fc8aed870a4a5e588c9aedc49703a432de3b328412b2ae9e8b908438a8469311774cb61c11a5a97530929f3198f790bfafc

Download Submit
C:\Windows\SysWOW64\Ofbaikfh.exe

MD5
dfca2d82fe1217e86046efa7cd3391a0

SHA1
9dbb01e39b363d039746ba06cb19783a3e3a6909

SHA256
52dd9768e2ef3e87275e9ff43bdd2f74b56c8b970f4fd6a53d4cb3ed7b5990a0

SHA512
947fa187db702fcadf87cd466af8cb55dd8b9c84985a948b570a819b52dcdc7f08f3021ef2d546a89c11ab338b6e096ccc6c358dd211041fb8af779398a118e7

Download Submit
C:\Windows\SysWOW64\Ofbaikfh.exe

MD5
dfca2d82fe1217e86046efa7cd3391a0

SHA1
9dbb01e39b363d039746ba06cb19783a3e3a6909

SHA256
52dd9768e2ef3e87275e9ff43bdd2f74b56c8b970f4fd6a53d4cb3ed7b5990a0

SHA512
947fa187db702fcadf87cd466af8cb55dd8b9c84985a948b570a819b52dcdc7f08f3021ef2d546a89c11ab338b6e096ccc6c358dd211041fb8af779398a118e7

Download Submit
C:\Windows\SysWOW64\Olnpnc32.exe

MD5
a1f27a8532a970bce9642d0fbb92fb33

SHA1
c48c9ae371fdde91cde1dd364a86fa42a2e18008

SHA256
4001dec44f4824328dd296fb68de655480195dc986d9bc14141e5f73e851caf5

SHA512
8e1042b3a4a1cc6dae9d702463f36b7a23ff5e07246bc52e06af4731aa72cc9f0c980731b5cda2f566df7b56ec8631e5d4364871c5c04aafa3a20c2a3e1baeb0

Download Submit
C:\Windows\SysWOW64\Olnpnc32.exe

MD5
a1f27a8532a970bce9642d0fbb92fb33

SHA1
c48c9ae371fdde91cde1dd364a86fa42a2e18008

SHA256
4001dec44f4824328dd296fb68de655480195dc986d9bc14141e5f73e851caf5

SHA512
8e1042b3a4a1cc6dae9d702463f36b7a23ff5e07246bc52e06af4731aa72cc9f0c980731b5cda2f566df7b56ec8631e5d4364871c5c04aafa3a20c2a3e1baeb0

Download Submit
C:\Windows\SysWOW64\Pboefbnp.exe

MD5
b166721ee716be7d5782eae26332fbdf

SHA1
eb5b754dd2b2b779d8d50319ce346e926332cf38

SHA256
c99605800496123feabc67ff45f2297687073c8c0663be9c0564c845f732999a

SHA512
8bc5d7b9d8fec4c40a536d98b96766920b1d14af8a4a91782d553dc02b3e90578a81e6ee37efbc190d79218888bb407c3b805b772597ab587d378a1afdb01640

Download Submit
C:\Windows\SysWOW64\Pboefbnp.exe

MD5
b166721ee716be7d5782eae26332fbdf

SHA1
eb5b754dd2b2b779d8d50319ce346e926332cf38

SHA256
c99605800496123feabc67ff45f2297687073c8c0663be9c0564c845f732999a

SHA512
8bc5d7b9d8fec4c40a536d98b96766920b1d14af8a4a91782d553dc02b3e90578a81e6ee37efbc190d79218888bb407c3b805b772597ab587d378a1afdb01640

Download Submit
C:\Windows\SysWOW64\Piljhl32.exe

MD5
cad9510e8cbbecdb7b8c654c6df24d64

SHA1
85baf77228aaf926b8137b24c78c22c2ed83c20c

SHA256
da82aa31b3a3b62387c89cedd25cc3b2ca3e0d4b5cccf1e4cedda49399558c79

SHA512
cbbdaa7e68a6539a744d67e53ed46b36d862fe81e8f3d5c314ecd5a55dc18a65c87c4f9f1fb5f16259cb535989968789fbe37fe9891b5c626b3516adaaaf0b87

Download Submit
C:\Windows\SysWOW64\Piljhl32.exe

MD5
cad9510e8cbbecdb7b8c654c6df24d64

SHA1
85baf77228aaf926b8137b24c78c22c2ed83c20c

SHA256
da82aa31b3a3b62387c89cedd25cc3b2ca3e0d4b5cccf1e4cedda49399558c79

SHA512
cbbdaa7e68a6539a744d67e53ed46b36d862fe81e8f3d5c314ecd5a55dc18a65c87c4f9f1fb5f16259cb535989968789fbe37fe9891b5c626b3516adaaaf0b87

Download Submit
C:\Windows\SysWOW64\Poopjdjl.exe

MD5
aacca6998fe80dc81bebdca7033271d8

SHA1
66958d569c89be4390a2c31fe4b6d42d911e9e01

SHA256
ecc19b0a7d5376b9be8c63b14715b6c66f99439d36f41fc4346bd89b3fc0a299

SHA512
3efad8b822b03160c25ba2bc16d20bf3083f1af35b8804fbd8acc7a2e522d55e9046887d6d45ae529c2fc9bc6ad591e4114824f2073960ecc79c3d8a98a25971

Download Submit
C:\Windows\SysWOW64\Poopjdjl.exe

MD5
aacca6998fe80dc81bebdca7033271d8

SHA1
66958d569c89be4390a2c31fe4b6d42d911e9e01

SHA256
ecc19b0a7d5376b9be8c63b14715b6c66f99439d36f41fc4346bd89b3fc0a299

SHA512
3efad8b822b03160c25ba2bc16d20bf3083f1af35b8804fbd8acc7a2e522d55e9046887d6d45ae529c2fc9bc6ad591e4114824f2073960ecc79c3d8a98a25971

Download Submit
C:\Windows\SysWOW64\Qcflfa32.exe

MD5
90aa9719fe9f83df27e0da88aeb95d66

SHA1
842dd42db89d3ea32b3728ca180000cb42800ae2

SHA256
c64f689c1bd8288777a87aee2ab23637a45bbd4d94658d033e5fe99bb561135f

SHA512
125b20d493063150cdfa724837ae95f003c475fe8bfbeb97739722a6694efe341bbb12dd99b4b1cb1ea18bc94b3c557b46e4d6fd56a8e15226469b5a184cf3d0

Download Submit
C:\Windows\SysWOW64\Qcflfa32.exe

MD5
90aa9719fe9f83df27e0da88aeb95d66

SHA1
842dd42db89d3ea32b3728ca180000cb42800ae2

SHA256
c64f689c1bd8288777a87aee2ab23637a45bbd4d94658d033e5fe99bb561135f

SHA512
125b20d493063150cdfa724837ae95f003c475fe8bfbeb97739722a6694efe341bbb12dd99b4b1cb1ea18bc94b3c557b46e4d6fd56a8e15226469b5a184cf3d0

Download Submit
C:\Windows\SysWOW64\Qfpmji32.exe

MD5
23bbcdedbca8626328522d5855909a4e

SHA1
2eda70618aed16e46c6a288b94b03ffa74142758

SHA256
1ce0f340b062ae9c242389eaa04f23064ae2eefe845c35e2547d67187f4b8d48

SHA512
d3a841b5a41f45e36d0dfc600dfab6e1e9cb754c445c04a93c72990ffa4633a3daad23c29ae01696b25963ba7ded497aeb887c60b10a8a3317d90231d14236ce

Download Submit
C:\Windows\SysWOW64\Qfpmji32.exe

MD5
23bbcdedbca8626328522d5855909a4e

SHA1
2eda70618aed16e46c6a288b94b03ffa74142758

SHA256
1ce0f340b062ae9c242389eaa04f23064ae2eefe845c35e2547d67187f4b8d48

SHA512
d3a841b5a41f45e36d0dfc600dfab6e1e9cb754c445c04a93c72990ffa4633a3daad23c29ae01696b25963ba7ded497aeb887c60b10a8a3317d90231d14236ce

Download Submit
C:\Windows\SysWOW64\Qhpqob32.exe

MD5
661ee2f8e6784f5e9ad5c9ced51046ae

SHA1
ddd114e27df5de57f3cf78c2bb0ee412c35a5afe

SHA256
ba3da8c460009b2e12c24d027b53e58956f5d73ed16b2e9da5c0db9f07ed05ec

SHA512
f2b9e899d8ea3432c9c6dd53233b13164341dbdfe9ba907f053eafc95cc048e631722046126b4392c1c8e5d781247e435073b815b9cbeb396b9ca38b102033b9

Download Submit
C:\Windows\SysWOW64\Qhpqob32.exe

MD5
661ee2f8e6784f5e9ad5c9ced51046ae

SHA1
ddd114e27df5de57f3cf78c2bb0ee412c35a5afe

SHA256
ba3da8c460009b2e12c24d027b53e58956f5d73ed16b2e9da5c0db9f07ed05ec

SHA512
f2b9e899d8ea3432c9c6dd53233b13164341dbdfe9ba907f053eafc95cc048e631722046126b4392c1c8e5d781247e435073b815b9cbeb396b9ca38b102033b9

Download Submit
memory/188-135-0x0000000000000000-mapping.dmp

Download
memory/416-201-0x0000000000000000-mapping.dmp

Download
memory/508-129-0x0000000000000000-mapping.dmp

Download
memory/744-189-0x0000000000000000-mapping.dmp

Download
memory/1204-186-0x0000000000000000-mapping.dmp

Download
memory/1248-183-0x0000000000000000-mapping.dmp

Download
memory/1332-144-0x0000000000000000-mapping.dmp

Download
memory/1564-192-0x0000000000000000-mapping.dmp

Download
memory/1664-168-0x0000000000000000-mapping.dmp

Download
memory/1924-165-0x0000000000000000-mapping.dmp

Download
memory/1992-171-0x0000000000000000-mapping.dmp

Download
memory/2100-147-0x0000000000000000-mapping.dmp

Download
memory/2232-123-0x0000000000000000-mapping.dmp

Download
memory/2236-177-0x0000000000000000-mapping.dmp

Download
memory/2280-180-0x0000000000000000-mapping.dmp

Download
memory/2316-138-0x0000000000000000-mapping.dmp

Download
memory/2420-174-0x0000000000000000-mapping.dmp

Download
memory/2448-126-0x0000000000000000-mapping.dmp

Download
memory/2540-114-0x0000000000000000-mapping.dmp

Download
memory/2900-150-0x0000000000000000-mapping.dmp

Download
memory/3452-198-0x0000000000000000-mapping.dmp

Download
memory/3464-117-0x0000000000000000-mapping.dmp

Download
memory/3508-141-0x0000000000000000-mapping.dmp

Download
memory/3664-120-0x0000000000000000-mapping.dmp

Download
memory/3680-162-0x0000000000000000-mapping.dmp

Download
memory/3696-195-0x0000000000000000-mapping.dmp

Download
memory/3832-153-0x0000000000000000-mapping.dmp

Download
memory/3912-132-0x0000000000000000-mapping.dmp

Download
memory/3928-159-0x0000000000000000-mapping.dmp

Download
memory/3956-156-0x0000000000000000-mapping.dmp

Download
memory/4104-204-0x0000000000000000-mapping.dmp

Download
memory/4132-207-0x0000000000000000-mapping.dmp

Download
memory/4164-210-0x0000000000000000-mapping.dmp

Download
memory/4188-211-0x0000000000000000-mapping.dmp

Download
memory/4208-212-0x0000000000000000-mapping.dmp

Download
memory/4228-213-0x0000000000000000-mapping.dmp

Download
memory/4248-214-0x0000000000000000-mapping.dmp

Download
memory/4268-215-0x0000000000000000-mapping.dmp

Download
memory/4288-216-0x0000000000000000-mapping.dmp

Download
memory/4308-217-0x0000000000000000-mapping.dmp

Download
memory/4328-218-0x0000000000000000-mapping.dmp

Download
memory/4348-219-0x0000000000000000-mapping.dmp

Download
memory/4368-220-0x0000000000000000-mapping.dmp

Download
memory/4388-221-0x0000000000000000-mapping.dmp

Download
memory/4408-222-0x0000000000000000-mapping.dmp

Download
memory/4428-223-0x0000000000000000-mapping.dmp

Download
memory/4448-224-0x0000000000000000-mapping.dmp

Download
memory/4500-225-0x0000000000000000-mapping.dmp

Download
memory/4520-226-0x0000000000000000-mapping.dmp

Download
memory/4540-227-0x0000000000000000-mapping.dmp

Download
memory/4560-228-0x0000000000000000-mapping.dmp

Download
memory/4580-229-0x0000000000000000-mapping.dmp

Download
memory/4600-230-0x0000000000000000-mapping.dmp

Download
memory/4620-231-0x0000000000000000-mapping.dmp

Download
memory/4640-232-0x0000000000000000-mapping.dmp

Download
memory/4660-233-0x0000000000000000-mapping.dmp

Download
memory/4680-234-0x0000000000000000-mapping.dmp

Download
memory/4700-235-0x0000000000000000-mapping.dmp

Download
memory/4720-236-0x0000000000000000-mapping.dmp

Download
memory/4740-237-0x0000000000000000-mapping.dmp

Download
memory/4760-238-0x0000000000000000-mapping.dmp

Download
memory/4780-239-0x0000000000000000-mapping.dmp

Download
memory/4800-240-0x0000000000000000-mapping.dmp

Download
memory/4820-241-0x0000000000000000-mapping.dmp

Download