fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe
Size

92KB
MD5

11c14668a63c8102e1ce06ef6d72cbb0
SHA1

0848ce7602bdc1a87bf7695857c7ce90794fb45a
SHA256

fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb
SHA512

866cbdd54a739bce328025c32c9756d9a01faaa37ca80835b389b0657589a3b1b1f2351ca5b00ebdf41d9299dbed5dad368e9a55dd297afe1cc5e2045337783e
SSDEEP

1536:VhlKg00+50ZS3nYhWXxXOh20c/sJ9DR5kzBm3jLV3BGnMPJKEsztuJO:fYKZqYhWXxXOh20ckJ9DR5eKjLlBRh10

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agafph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odednmpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apbnnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmfch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pabkdmpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgpqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjqlca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqbpqgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhdnppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apbnnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fngcbpom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haphoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecccci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jndhagqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfiekpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbqlfkmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fejenklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peajdajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmphpqle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplbjamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmpagnmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkflk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkchfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhphkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mejiqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgeac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbibki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aahdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlpodoml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnpadc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moofcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aekdefel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifdimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkdkplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgickm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhmkef32.exe

Executes dropped EXE 64 IoCs

pid	Process
4960	Nidhmp32.exe
5028	Npnqjjgf.exe
652	Nleaok32.exe
1116	Nmdnin32.exe
4580	Nfmbacjn.exe
3172	Ofoogc32.exe
3936	Ollgoj32.exe
3460	Ofalmc32.exe
1536	Odelfg32.exe
1444	Omnqom32.exe
2260	Offehbbc.exe
1924	Opoiqh32.exe
3260	Oignimod.exe
3656	Pbobbcfd.exe
4248	Plhgkh32.exe
212	Pljcqhjb.exe
4392	Pcfhcb32.exe
3180	Pdfeme32.exe
840	Plajag32.exe
748	Qkbjooli.exe
4156	Qkdgen32.exe
4328	Admkndag.exe
1828	Anepfi32.exe
3996	Apclbe32.exe
4688	Anhlliee.exe
484	Agpqeo32.exe
3332	Almime32.exe
3368	Aknikm32.exe
2824	Apkbcd32.exe
3540	Bnobmh32.exe
4116	Bckkeo32.exe
988	Bnaobhmj.exe
3512	Bpokncln.exe
1884	Bgickm32.exe
4208	Bnclhgkh.exe
924	Bglpqm32.exe
3780	Bgnmfmpe.exe
1084	Bdbnpaoo.exe
4612	Dkhehilo.exe
1240	Ddpjao32.exe
3060	Dnhnjdip.exe
1356	Ddbffopl.exe
3804	Dgabbjpp.exe
3416	Dmnkkang.exe
4192	Dcgcgk32.exe
3752	Dkokih32.exe
3252	Dmphpqle.exe
4040	Degpanlg.exe
2856	Dgelni32.exe
4772	Dmbdfp32.exe
3564	Dclmbjao.exe
3588	Ekcedhaa.exe
3508	Emdakp32.exe
636	Ejhbedfi.exe
2436	Egmbnhec.exe
3208	Ecccci32.exe
2920	Emlglo32.exe
2104	Ejphec32.exe
4508	Fgchog32.exe
4052	Fmpagnmb.exe
4060	Fnpmaa32.exe
3616	Fejenklb.exe
3960	Fldnke32.exe
1760	Fnbjga32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jookpjlp.exe	Jlpodoml.exe
File opened for modification	C:\Windows\SysWOW64\Kkalajgf.exe	Kdgcdp32.exe
File created	C:\Windows\SysWOW64\Kfdqgelq.dll	Pedndg32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Bgnmfmpe.exe	Bglpqm32.exe
File created	C:\Windows\SysWOW64\Gejoei32.exe	Gmcfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ganljdbj.exe	Gfhglkbd.exe
File created	C:\Windows\SysWOW64\Jfpkahde.dll	Lhkkqgml.exe
File opened for modification	C:\Windows\SysWOW64\Pahkjbop.exe	Pbekne32.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Ekcpbj32.exe	Ehedfo32.exe
File created	C:\Windows\SysWOW64\Bejfanad.dll	Elgfgl32.exe
File opened for modification	C:\Windows\SysWOW64\Ioeijldj.exe	Ihkpma32.exe
File opened for modification	C:\Windows\SysWOW64\Ffodfmjo.exe	Fcqhjakk.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Onkhhapm.dll	Pbobbcfd.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Aifkpk32.dll	Qbggce32.exe
File created	C:\Windows\SysWOW64\Pgemphmn.exe	Oqkdcn32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bljodmja.exe	Bjlbhbkn.exe
File created	C:\Windows\SysWOW64\Opmllk32.exe	Ogfcjnaj.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ekakkkla.dll	Fnaclk32.exe
File opened for modification	C:\Windows\SysWOW64\Hfpnmj32.exe	Hdaaao32.exe
File created	C:\Windows\SysWOW64\Allbbo32.exe	Aebjfeod.exe
File created	C:\Windows\SysWOW64\Hmeloe32.exe	Hjfpbi32.exe
File created	C:\Windows\SysWOW64\Jondfdhd.exe	Jggmdgha.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fiknll32.dll	Febgea32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoeoidl.exe	Gdhmnlcj.exe
File created	C:\Windows\SysWOW64\Bnaobhmj.exe	Bckkeo32.exe
File created	C:\Windows\SysWOW64\Nblfkobn.exe	Npnjodcj.exe
File created	C:\Windows\SysWOW64\Ikifog32.exe	Ihkick32.exe
File opened for modification	C:\Windows\SysWOW64\Fljcmlfd.exe	Edbklofb.exe
File opened for modification	C:\Windows\SysWOW64\Qidcpe32.exe	Qffgdj32.exe
File created	C:\Windows\SysWOW64\Oldfmkia.dll	Haphoc32.exe
File created	C:\Windows\SysWOW64\Febgea32.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Fooeif32.exe	Flqimk32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Japqjf32.dll	Ddbffopl.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Ieanleid.exe	Injekhib.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Flceckoj.exe	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Pnfeqknj.dll	Gkoiefmj.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Abmafgei.dll	Boldjd32.exe
File opened for modification	C:\Windows\SysWOW64\Ejgdpg32.exe	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ehoolikk.dll	Alelbpmi.exe
File opened for modification	C:\Windows\SysWOW64\Hmnoec32.exe	Hfdghihg.exe
File created	C:\Windows\SysWOW64\Ljmpfbln.dll	Chphoh32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7264	7172	WerFault.exe	975

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dohfbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhdfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmifaji.dll"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmejoenk.dll"	Hmlbod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foabofnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeaka32.dll"	Hhdjmcce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opglebkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaji32.dll"	Amgeac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddbbeade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll"	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galooolh.dll"	Fldnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejbgkaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjadha32.dll"	Hajbpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elflbfej.dll"	Pohibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agpqeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfelpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokdnk32.dll"	Ialhkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfblfab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffimfqgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amdilc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndebbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogjmdigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljodf32.dll"	Kbkdnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcjkppcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbggce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnaobhmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plimfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobdihjo.dll"	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnbhh32.dll"	Dmphpqle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiklpin.dll"	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmafgei.dll"	Boldjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpdfdpi.dll"	Nfmbacjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmhgbijo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdcehdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdipjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmlpcmce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdigcalj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifnhnno.dll"	Bgfpkgbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffmhqm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4960	3592	fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe	81
PID 3592 wrote to memory of 4960	3592	fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe	81
PID 3592 wrote to memory of 4960	3592	fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe	81
PID 4960 wrote to memory of 5028	4960	Nidhmp32.exe	82
PID 4960 wrote to memory of 5028	4960	Nidhmp32.exe	82
PID 4960 wrote to memory of 5028	4960	Nidhmp32.exe	82
PID 5028 wrote to memory of 652	5028	Npnqjjgf.exe	83
PID 5028 wrote to memory of 652	5028	Npnqjjgf.exe	83
PID 5028 wrote to memory of 652	5028	Npnqjjgf.exe	83
PID 652 wrote to memory of 1116	652	Nleaok32.exe	84
PID 652 wrote to memory of 1116	652	Nleaok32.exe	84
PID 652 wrote to memory of 1116	652	Nleaok32.exe	84
PID 1116 wrote to memory of 4580	1116	Nmdnin32.exe	85
PID 1116 wrote to memory of 4580	1116	Nmdnin32.exe	85
PID 1116 wrote to memory of 4580	1116	Nmdnin32.exe	85
PID 4580 wrote to memory of 3172	4580	Nfmbacjn.exe	86
PID 4580 wrote to memory of 3172	4580	Nfmbacjn.exe	86
PID 4580 wrote to memory of 3172	4580	Nfmbacjn.exe	86
PID 3172 wrote to memory of 3936	3172	Ofoogc32.exe	87
PID 3172 wrote to memory of 3936	3172	Ofoogc32.exe	87
PID 3172 wrote to memory of 3936	3172	Ofoogc32.exe	87
PID 3936 wrote to memory of 3460	3936	Ollgoj32.exe	88
PID 3936 wrote to memory of 3460	3936	Ollgoj32.exe	88
PID 3936 wrote to memory of 3460	3936	Ollgoj32.exe	88
PID 3460 wrote to memory of 1536	3460	Ofalmc32.exe	89
PID 3460 wrote to memory of 1536	3460	Ofalmc32.exe	89
PID 3460 wrote to memory of 1536	3460	Ofalmc32.exe	89
PID 1536 wrote to memory of 1444	1536	Odelfg32.exe	90
PID 1536 wrote to memory of 1444	1536	Odelfg32.exe	90
PID 1536 wrote to memory of 1444	1536	Odelfg32.exe	90
PID 1444 wrote to memory of 2260	1444	Omnqom32.exe	91
PID 1444 wrote to memory of 2260	1444	Omnqom32.exe	91
PID 1444 wrote to memory of 2260	1444	Omnqom32.exe	91
PID 2260 wrote to memory of 1924	2260	Offehbbc.exe	92
PID 2260 wrote to memory of 1924	2260	Offehbbc.exe	92
PID 2260 wrote to memory of 1924	2260	Offehbbc.exe	92
PID 1924 wrote to memory of 3260	1924	Opoiqh32.exe	93
PID 1924 wrote to memory of 3260	1924	Opoiqh32.exe	93
PID 1924 wrote to memory of 3260	1924	Opoiqh32.exe	93
PID 3260 wrote to memory of 3656	3260	Oignimod.exe	94
PID 3260 wrote to memory of 3656	3260	Oignimod.exe	94
PID 3260 wrote to memory of 3656	3260	Oignimod.exe	94
PID 3656 wrote to memory of 4248	3656	Pbobbcfd.exe	95
PID 3656 wrote to memory of 4248	3656	Pbobbcfd.exe	95
PID 3656 wrote to memory of 4248	3656	Pbobbcfd.exe	95
PID 4248 wrote to memory of 212	4248	Plhgkh32.exe	96
PID 4248 wrote to memory of 212	4248	Plhgkh32.exe	96
PID 4248 wrote to memory of 212	4248	Plhgkh32.exe	96
PID 212 wrote to memory of 4392	212	Pljcqhjb.exe	97
PID 212 wrote to memory of 4392	212	Pljcqhjb.exe	97
PID 212 wrote to memory of 4392	212	Pljcqhjb.exe	97
PID 4392 wrote to memory of 3180	4392	Pcfhcb32.exe	99
PID 4392 wrote to memory of 3180	4392	Pcfhcb32.exe	99
PID 4392 wrote to memory of 3180	4392	Pcfhcb32.exe	99
PID 3180 wrote to memory of 840	3180	Pdfeme32.exe	98
PID 3180 wrote to memory of 840	3180	Pdfeme32.exe	98
PID 3180 wrote to memory of 840	3180	Pdfeme32.exe	98
PID 840 wrote to memory of 748	840	Plajag32.exe	100
PID 840 wrote to memory of 748	840	Plajag32.exe	100
PID 840 wrote to memory of 748	840	Plajag32.exe	100
PID 748 wrote to memory of 4156	748	Qkbjooli.exe	101
PID 748 wrote to memory of 4156	748	Qkbjooli.exe	101
PID 748 wrote to memory of 4156	748	Qkbjooli.exe	101
PID 4156 wrote to memory of 4328	4156	Qkdgen32.exe	102

C:\Users\Admin\AppData\Local\Temp\fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe
"C:\Users\Admin\AppData\Local\Temp\fa7874905ed2057e3df3ea526b32474cb1953517515a77c7f20f25390a0f9cfb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\Nidhmp32.exe
  C:\Windows\system32\Nidhmp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\Npnqjjgf.exe
    C:\Windows\system32\Npnqjjgf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\Nleaok32.exe
      C:\Windows\system32\Nleaok32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\Nmdnin32.exe
        
        C:\Windows\system32\Nmdnin32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\SysWOW64\Nfmbacjn.exe
        
        C:\Windows\system32\Nfmbacjn.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ofoogc32.exe
        
        C:\Windows\system32\Ofoogc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ollgoj32.exe
        
        C:\Windows\system32\Ollgoj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ofalmc32.exe
        
        C:\Windows\system32\Ofalmc32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Odelfg32.exe
        
        C:\Windows\system32\Odelfg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Omnqom32.exe
        
        C:\Windows\system32\Omnqom32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Offehbbc.exe
        
        C:\Windows\system32\Offehbbc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Opoiqh32.exe
        
        C:\Windows\system32\Opoiqh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Oignimod.exe
        
        C:\Windows\system32\Oignimod.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Pbobbcfd.exe
        
        C:\Windows\system32\Pbobbcfd.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Plhgkh32.exe
        
        C:\Windows\system32\Plhgkh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Pljcqhjb.exe
        
        C:\Windows\system32\Pljcqhjb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Pcfhcb32.exe
        
        C:\Windows\system32\Pcfhcb32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Pdfeme32.exe
        
        C:\Windows\system32\Pdfeme32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180

C:\Windows\SysWOW64\Plajag32.exe
C:\Windows\system32\Plajag32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\Qkbjooli.exe
  C:\Windows\system32\Qkbjooli.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Qkdgen32.exe
    C:\Windows\system32\Qkdgen32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\Admkndag.exe
      C:\Windows\system32\Admkndag.exe
      4⤵
      Executes dropped EXE
      PID:4328
    - - C:\Windows\SysWOW64\Anepfi32.exe
        
        C:\Windows\system32\Anepfi32.exe
        5⤵
        Executes dropped EXE
        
        PID:1828
      - C:\Windows\SysWOW64\Apclbe32.exe
        
        C:\Windows\system32\Apclbe32.exe
        6⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Anhlliee.exe
        
        C:\Windows\system32\Anhlliee.exe
        7⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Agpqeo32.exe
        
        C:\Windows\system32\Agpqeo32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Almime32.exe
        
        C:\Windows\system32\Almime32.exe
        9⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Aknikm32.exe
        
        C:\Windows\system32\Aknikm32.exe
        10⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Apkbcd32.exe
        
        C:\Windows\system32\Apkbcd32.exe
        11⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Bnobmh32.exe
        
        C:\Windows\system32\Bnobmh32.exe
        12⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Bckkeo32.exe
        
        C:\Windows\system32\Bckkeo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Bnaobhmj.exe
        
        C:\Windows\system32\Bnaobhmj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Bpokncln.exe
        
        C:\Windows\system32\Bpokncln.exe
        15⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Bgickm32.exe
        
        C:\Windows\system32\Bgickm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Bnclhgkh.exe
        
        C:\Windows\system32\Bnclhgkh.exe
        17⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Bglpqm32.exe
        
        C:\Windows\system32\Bglpqm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Bgnmfmpe.exe
        
        C:\Windows\system32\Bgnmfmpe.exe
        19⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Bdbnpaoo.exe
        
        C:\Windows\system32\Bdbnpaoo.exe
        20⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Dkhehilo.exe
        
        C:\Windows\system32\Dkhehilo.exe
        21⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ddpjao32.exe
        
        C:\Windows\system32\Ddpjao32.exe
        22⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Dnhnjdip.exe
        
        C:\Windows\system32\Dnhnjdip.exe
        23⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Ddbffopl.exe
        
        C:\Windows\system32\Ddbffopl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Dgabbjpp.exe
        
        C:\Windows\system32\Dgabbjpp.exe
        25⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\Dmnkkang.exe
        
        C:\Windows\system32\Dmnkkang.exe
        26⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Dcgcgk32.exe
        
        C:\Windows\system32\Dcgcgk32.exe
        27⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Dkokih32.exe
        
        C:\Windows\system32\Dkokih32.exe
        28⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Dmphpqle.exe
        
        C:\Windows\system32\Dmphpqle.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Degpanlg.exe
        
        C:\Windows\system32\Degpanlg.exe
        30⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Dgelni32.exe
        
        C:\Windows\system32\Dgelni32.exe
        31⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Dmbdfp32.exe
        
        C:\Windows\system32\Dmbdfp32.exe
        32⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Dclmbjao.exe
        
        C:\Windows\system32\Dclmbjao.exe
        33⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Ekcedhaa.exe
        
        C:\Windows\system32\Ekcedhaa.exe
        34⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Emdakp32.exe
        
        C:\Windows\system32\Emdakp32.exe
        35⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Ejhbedfi.exe
        
        C:\Windows\system32\Ejhbedfi.exe
        36⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Egmbnhec.exe
        
        C:\Windows\system32\Egmbnhec.exe
        37⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Ecccci32.exe
        
        C:\Windows\system32\Ecccci32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Emlglo32.exe
        
        C:\Windows\system32\Emlglo32.exe
        39⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Ejphec32.exe
        
        C:\Windows\system32\Ejphec32.exe
        40⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Fgchog32.exe
        
        C:\Windows\system32\Fgchog32.exe
        41⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Fmpagnmb.exe
        
        C:\Windows\system32\Fmpagnmb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Fnpmaa32.exe
        
        C:\Windows\system32\Fnpmaa32.exe
        43⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Fejenklb.exe
        
        C:\Windows\system32\Fejenklb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Fldnke32.exe
        
        C:\Windows\system32\Fldnke32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Fnbjga32.exe
        
        C:\Windows\system32\Fnbjga32.exe
        46⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Felbck32.exe
        
        C:\Windows\system32\Felbck32.exe
        47⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Fhkopf32.exe
        
        C:\Windows\system32\Fhkopf32.exe
        48⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Fndglqqp.exe
        
        C:\Windows\system32\Fndglqqp.exe
        49⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Facchlpc.exe
        
        C:\Windows\system32\Facchlpc.exe
        50⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Feooik32.exe
        
        C:\Windows\system32\Feooik32.exe
        51⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Fhmkef32.exe
        
        C:\Windows\system32\Fhmkef32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Fngcbpom.exe
        
        C:\Windows\system32\Fngcbpom.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Faepnlnq.exe
        
        C:\Windows\system32\Faepnlnq.exe
        54⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Gdcljg32.exe
        
        C:\Windows\system32\Gdcljg32.exe
        55⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Ghohkfen.exe
        
        C:\Windows\system32\Ghohkfen.exe
        56⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Gmlpcmce.exe
        
        C:\Windows\system32\Gmlpcmce.exe
        57⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Gdfipg32.exe
        
        C:\Windows\system32\Gdfipg32.exe
        58⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Glmqad32.exe
        
        C:\Windows\system32\Glmqad32.exe
        59⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Golmmp32.exe
        
        C:\Windows\system32\Golmmp32.exe
        60⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Geeejj32.exe
        
        C:\Windows\system32\Geeejj32.exe
        61⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Ghdafe32.exe
        
        C:\Windows\system32\Ghdafe32.exe
        62⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Gjbnbq32.exe
        
        C:\Windows\system32\Gjbnbq32.exe
        63⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Gehboi32.exe
        
        C:\Windows\system32\Gehboi32.exe
        64⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Gjdjgp32.exe
        
        C:\Windows\system32\Gjdjgp32.exe
        65⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Gmcfcl32.exe
        
        C:\Windows\system32\Gmcfcl32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Gejoei32.exe
        
        C:\Windows\system32\Gejoei32.exe
        67⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Gldgac32.exe
        
        C:\Windows\system32\Gldgac32.exe
        68⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Gmecikkj.exe
        
        C:\Windows\system32\Gmecikkj.exe
        69⤵
        
        PID:3412
- - C:\Windows\SysWOW64\Dddojq32.exe
    C:\Windows\system32\Dddojq32.exe
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\Dllfkn32.exe
      C:\Windows\system32\Dllfkn32.exe
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        5⤵
        
        PID:4832
      - C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        6⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        7⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        9⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        10⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        13⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:924
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        15⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        16⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        17⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        18⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        19⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        20⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        21⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        22⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        23⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        24⤵
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        25⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        26⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14264
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1240
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        29⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        30⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        31⤵
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        32⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        33⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        34⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        35⤵
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        36⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3196
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        38⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        39⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        40⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        41⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        42⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        43⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        44⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        45⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        46⤵
        
        PID:480
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        47⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        48⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        49⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        50⤵
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        51⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        52⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        53⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        54⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        55⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        56⤵
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        57⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        58⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        59⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        60⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        61⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        62⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3628
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        64⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5000
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        67⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        68⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        69⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        70⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        71⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        72⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        73⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        74⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        76⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        77⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        78⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        79⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        80⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        81⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        82⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        83⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        84⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        85⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        86⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        87⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        88⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:948
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        90⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        91⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        92⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        93⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        94⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        95⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        96⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        97⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        98⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        99⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        100⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        101⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        102⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        103⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        104⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        105⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        106⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        107⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        108⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        109⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        110⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        111⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        112⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        113⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        114⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        115⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        116⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        117⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        118⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        119⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        120⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        121⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        122⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        123⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        124⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        125⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        128⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        129⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        130⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        131⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        132⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        133⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        134⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        135⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        136⤵
        
        PID:6236

C:\Windows\SysWOW64\Hoepcn32.exe
C:\Windows\system32\Hoepcn32.exe
1⤵
PID:1188
- C:\Windows\SysWOW64\Hlipmbag.exe
  C:\Windows\system32\Hlipmbag.exe
  2⤵
  PID:948
- - C:\Windows\SysWOW64\Hmjmdk32.exe
    C:\Windows\system32\Hmjmdk32.exe
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\Headeh32.exe
      C:\Windows\system32\Headeh32.exe
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\Hknmno32.exe
        
        C:\Windows\system32\Hknmno32.exe
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\Hojinnnh.exe
        
        C:\Windows\system32\Hojinnnh.exe
        6⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Hahejimk.exe
        
        C:\Windows\system32\Hahejimk.exe
        7⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Holfdm32.exe
        
        C:\Windows\system32\Holfdm32.exe
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Hajbpi32.exe
        
        C:\Windows\system32\Hajbpi32.exe
        9⤵
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Hdinld32.exe
        
        C:\Windows\system32\Hdinld32.exe
        10⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Hhdjmcce.exe
        
        C:\Windows\system32\Hhdjmcce.exe
        11⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Iehkfgao.exe
        
        C:\Windows\system32\Iehkfgao.exe
        12⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ikecnnpf.exe
        
        C:\Windows\system32\Ikecnnpf.exe
        13⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Iaokkhgc.exe
        
        C:\Windows\system32\Iaokkhgc.exe
        14⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ihichb32.exe
        
        C:\Windows\system32\Ihichb32.exe
        15⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Ildphqgi.exe
        
        C:\Windows\system32\Ildphqgi.exe
        16⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Iocldlfm.exe
        
        C:\Windows\system32\Iocldlfm.exe
        17⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Iaahqheq.exe
        
        C:\Windows\system32\Iaahqheq.exe
        18⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ihkpma32.exe
        
        C:\Windows\system32\Ihkpma32.exe
        19⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Ioeijldj.exe
        
        C:\Windows\system32\Ioeijldj.exe
        20⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Inhiei32.exe
        
        C:\Windows\system32\Inhiei32.exe
        21⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ieoagflg.exe
        
        C:\Windows\system32\Ieoagflg.exe
        22⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Ihnmcakk.exe
        
        C:\Windows\system32\Ihnmcakk.exe
        23⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ikliomjo.exe
        
        C:\Windows\system32\Ikliomjo.exe
        24⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Injekhib.exe
        
        C:\Windows\system32\Injekhib.exe
        25⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Ieanleid.exe
        
        C:\Windows\system32\Ieanleid.exe
        26⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Ihpjhaih.exe
        
        C:\Windows\system32\Ihpjhaih.exe
        27⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Iojbek32.exe
        
        C:\Windows\system32\Iojbek32.exe
        28⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jahnag32.exe
        
        C:\Windows\system32\Jahnag32.exe
        29⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jlnbopoo.exe
        
        C:\Windows\system32\Jlnbopoo.exe
        30⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Jkacjl32.exe
        
        C:\Windows\system32\Jkacjl32.exe
        31⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Jakkgfmf.exe
        
        C:\Windows\system32\Jakkgfmf.exe
        32⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jdigcalj.exe
        
        C:\Windows\system32\Jdigcalj.exe
        33⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Jlpodoml.exe
        
        C:\Windows\system32\Jlpodoml.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Jookpjlp.exe
        
        C:\Windows\system32\Jookpjlp.exe
        35⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jdkdha32.exe
        
        C:\Windows\system32\Jdkdha32.exe
        36⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Jlbljo32.exe
        
        C:\Windows\system32\Jlbljo32.exe
        37⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jndhagqg.exe
        
        C:\Windows\system32\Jndhagqg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Jekpbdaj.exe
        
        C:\Windows\system32\Jekpbdaj.exe
        39⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jhimopqn.exe
        
        C:\Windows\system32\Jhimopqn.exe
        40⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Jkhikkpa.exe
        
        C:\Windows\system32\Jkhikkpa.exe
        41⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Jabage32.exe
        
        C:\Windows\system32\Jabage32.exe
        42⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Jlgeengd.exe
        
        C:\Windows\system32\Jlgeengd.exe
        43⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Knhblf32.exe
        
        C:\Windows\system32\Knhblf32.exe
        44⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Kdbjiqdo.exe
        
        C:\Windows\system32\Kdbjiqdo.exe
        45⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kklbfj32.exe
        
        C:\Windows\system32\Kklbfj32.exe
        46⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Kafjbdci.exe
        
        C:\Windows\system32\Kafjbdci.exe
        47⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Khqcoo32.exe
        
        C:\Windows\system32\Khqcoo32.exe
        48⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Knmkgeim.exe
        
        C:\Windows\system32\Knmkgeim.exe
        49⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kdgcdp32.exe
        
        C:\Windows\system32\Kdgcdp32.exe
        50⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Kkalajgf.exe
        
        C:\Windows\system32\Kkalajgf.exe
        51⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kbkdnd32.exe
        
        C:\Windows\system32\Kbkdnd32.exe
        52⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kheljnfp.exe
        
        C:\Windows\system32\Kheljnfp.exe
        53⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Kkchfi32.exe
        
        C:\Windows\system32\Kkchfi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Kfimdb32.exe
        
        C:\Windows\system32\Kfimdb32.exe
        55⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Khgipn32.exe
        
        C:\Windows\system32\Khgipn32.exe
        56⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kkfeli32.exe
        
        C:\Windows\system32\Kkfeli32.exe
        57⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lbpmickn.exe
        
        C:\Windows\system32\Lbpmickn.exe
        58⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Lhjeem32.exe
        
        C:\Windows\system32\Lhjeem32.exe
        59⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Lkohbh32.exe
        
        C:\Windows\system32\Lkohbh32.exe
        60⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lfelpq32.exe
        
        C:\Windows\system32\Lfelpq32.exe
        61⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Lmodlkbi.exe
        
        C:\Windows\system32\Lmodlkbi.exe
        62⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Mnpadc32.exe
        
        C:\Windows\system32\Mnpadc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Mejiqm32.exe
        
        C:\Windows\system32\Mejiqm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Mopmnf32.exe
        
        C:\Windows\system32\Mopmnf32.exe
        65⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mfiekpgg.exe
        
        C:\Windows\system32\Mfiekpgg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Mihbgkfk.exe
        
        C:\Windows\system32\Mihbgkfk.exe
        67⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Mndjobdb.exe
        
        C:\Windows\system32\Mndjobdb.exe
        68⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Mijolk32.exe
        
        C:\Windows\system32\Mijolk32.exe
        69⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Mkikhf32.exe
        
        C:\Windows\system32\Mkikhf32.exe
        70⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Mfnofo32.exe
        
        C:\Windows\system32\Mfnofo32.exe
        71⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mimkbk32.exe
        
        C:\Windows\system32\Mimkbk32.exe
        72⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Mmhgbijo.exe
        
        C:\Windows\system32\Mmhgbijo.exe
        73⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mbepkphf.exe
        
        C:\Windows\system32\Mbepkphf.exe
        74⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Miohgjpc.exe
        
        C:\Windows\system32\Miohgjpc.exe
        75⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Nnlqpanj.exe
        
        C:\Windows\system32\Nnlqpanj.exe
        76⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Nfchaool.exe
        
        C:\Windows\system32\Nfchaool.exe
        77⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Niadmjnp.exe
        
        C:\Windows\system32\Niadmjnp.exe
        78⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Nnnmealg.exe
        
        C:\Windows\system32\Nnnmealg.exe
        79⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nfeefnmj.exe
        
        C:\Windows\system32\Nfeefnmj.exe
        80⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Nehebk32.exe
        
        C:\Windows\system32\Nehebk32.exe
        81⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Nmomchdg.exe
        
        C:\Windows\system32\Nmomchdg.exe
        82⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Npnjodcj.exe
        
        C:\Windows\system32\Npnjodcj.exe
        83⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Nblfkobn.exe
        
        C:\Windows\system32\Nblfkobn.exe
        84⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Nejbgkaa.exe
        
        C:\Windows\system32\Nejbgkaa.exe
        85⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Nldjde32.exe
        
        C:\Windows\system32\Nldjde32.exe
        86⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Nnbfpp32.exe
        
        C:\Windows\system32\Nnbfpp32.exe
        87⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nbnbaoqk.exe
        
        C:\Windows\system32\Nbnbaoqk.exe
        88⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Nemomjpo.exe
        
        C:\Windows\system32\Nemomjpo.exe
        89⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Npbcjc32.exe
        
        C:\Windows\system32\Npbcjc32.exe
        90⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Omfcdg32.exe
        
        C:\Windows\system32\Omfcdg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Ofohmmeo.exe
        
        C:\Windows\system32\Ofohmmeo.exe
        92⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Omhpig32.exe
        
        C:\Windows\system32\Omhpig32.exe
        93⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Opglebkp.exe
        
        C:\Windows\system32\Opglebkp.exe
        94⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Ofaebm32.exe
        
        C:\Windows\system32\Ofaebm32.exe
        95⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Opiikbim.exe
        
        C:\Windows\system32\Opiikbim.exe
        96⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Ofcahl32.exe
        
        C:\Windows\system32\Ofcahl32.exe
        97⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Oiandh32.exe
        
        C:\Windows\system32\Oiandh32.exe
        98⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Onnflo32.exe
        
        C:\Windows\system32\Onnflo32.exe
        99⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Oehnii32.exe
        
        C:\Windows\system32\Oehnii32.exe
        100⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ooqcanlb.exe
        
        C:\Windows\system32\Ooqcanlb.exe
        101⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ofhkclmd.exe
        
        C:\Windows\system32\Ofhkclmd.exe
        102⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Pleckbkl.exe
        
        C:\Windows\system32\Pleckbkl.exe
        103⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Pocpgnjp.exe
        
        C:\Windows\system32\Pocpgnjp.exe
        104⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Pemhdhal.exe
        
        C:\Windows\system32\Pemhdhal.exe
        105⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Plgpqb32.exe
        
        C:\Windows\system32\Plgpqb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Pbahmlpf.exe
        
        C:\Windows\system32\Pbahmlpf.exe
        107⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Pikqjf32.exe
        
        C:\Windows\system32\Pikqjf32.exe
        108⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Plimfb32.exe
        
        C:\Windows\system32\Plimfb32.exe
        109⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Pohibm32.exe
        
        C:\Windows\system32\Pohibm32.exe
        110⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Pfoackfl.exe
        
        C:\Windows\system32\Pfoackfl.exe
        111⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Pmiipe32.exe
        
        C:\Windows\system32\Pmiipe32.exe
        112⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ppgelp32.exe
        
        C:\Windows\system32\Ppgelp32.exe
        113⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Pbfahl32.exe
        
        C:\Windows\system32\Pbfahl32.exe
        114⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Pedndg32.exe
        
        C:\Windows\system32\Pedndg32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Pmkffd32.exe
        
        C:\Windows\system32\Pmkffd32.exe
        116⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Ppjbbp32.exe
        
        C:\Windows\system32\Ppjbbp32.exe
        117⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Pfcjojbg.exe
        
        C:\Windows\system32\Pfcjojbg.exe
        118⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Qefkjg32.exe
        
        C:\Windows\system32\Qefkjg32.exe
        119⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Qmnbkdjd.exe
        
        C:\Windows\system32\Qmnbkdjd.exe
        120⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Qplogpih.exe
        
        C:\Windows\system32\Qplogpih.exe
        121⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        73⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        74⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        75⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        76⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        77⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        78⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        79⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        80⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        81⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        82⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        83⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        84⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        85⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        86⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        87⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        88⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        89⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        90⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        91⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        92⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        93⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        94⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        95⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        96⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        97⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        98⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        99⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        100⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        101⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        102⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        103⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        104⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        105⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        106⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        108⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        109⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        58⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        59⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        60⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        61⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        62⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        63⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        64⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        67⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        68⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        69⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        70⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        71⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        72⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        73⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        74⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        75⤵
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        76⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        77⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7172 -s 396
        78⤵
        Program crash
        
        PID:7264

C:\Windows\SysWOW64\Qbjkckhk.exe
C:\Windows\system32\Qbjkckhk.exe
1⤵
PID:7140
- C:\Windows\SysWOW64\Qffgdj32.exe
  C:\Windows\system32\Qffgdj32.exe
  2⤵
  - Drops file in System32 directory
  PID:6228
- - C:\Windows\SysWOW64\Qidcpe32.exe
    C:\Windows\system32\Qidcpe32.exe
    3⤵
    PID:6364
  - - C:\Windows\SysWOW64\Qpnlmoge.exe
      C:\Windows\system32\Qpnlmoge.exe
      4⤵
      PID:6452
    - - C:\Windows\SysWOW64\Qbmhikfi.exe
        
        C:\Windows\system32\Qbmhikfi.exe
        5⤵
        
        PID:6900
      - C:\Windows\SysWOW64\Aekdefel.exe
        
        C:\Windows\system32\Aekdefel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Amblfc32.exe
        
        C:\Windows\system32\Amblfc32.exe
        7⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Alelbpmi.exe
        
        C:\Windows\system32\Alelbpmi.exe
        8⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Aochnllm.exe
        
        C:\Windows\system32\Aochnllm.exe
        9⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Aenqkf32.exe
        
        C:\Windows\system32\Aenqkf32.exe
        10⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Aenqkf32.exe
        
        C:\Windows\system32\Aenqkf32.exe
        11⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Amdilc32.exe
        
        C:\Windows\system32\Amdilc32.exe
        12⤵
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Apceho32.exe
        
        C:\Windows\system32\Apceho32.exe
        13⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Abaadj32.exe
        
        C:\Windows\system32\Abaadj32.exe
        14⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Aikiadip.exe
        
        C:\Windows\system32\Aikiadip.exe
        15⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Amgeac32.exe
        
        C:\Windows\system32\Amgeac32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Apeannam.exe
        
        C:\Windows\system32\Apeannam.exe
        17⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Aebjfeod.exe
        
        C:\Windows\system32\Aebjfeod.exe
        18⤵
        Drops file in System32 directory
        
        PID:7332
        
        C:\Windows\SysWOW64\Allbbo32.exe
        
        C:\Windows\system32\Allbbo32.exe
        19⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Aokook32.exe
        
        C:\Windows\system32\Aokook32.exe
        20⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Agafph32.exe
        
        C:\Windows\system32\Agafph32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Apjkin32.exe
        
        C:\Windows\system32\Apjkin32.exe
        22⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Bgdcehdd.exe
        
        C:\Windows\system32\Bgdcehdd.exe
        23⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Begcad32.exe
        
        C:\Windows\system32\Begcad32.exe
        24⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Blalnobl.exe
        
        C:\Windows\system32\Blalnobl.exe
        25⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Bgfpkgbb.exe
        
        C:\Windows\system32\Bgfpkgbb.exe
        26⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Blchcnpi.exe
        
        C:\Windows\system32\Blchcnpi.exe
        27⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Belmldgj.exe
        
        C:\Windows\system32\Belmldgj.exe
        28⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Bleein32.exe
        
        C:\Windows\system32\Bleein32.exe
        29⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Benjaceg.exe
        
        C:\Windows\system32\Benjaceg.exe
        30⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Bpcnoldm.exe
        
        C:\Windows\system32\Bpcnoldm.exe
        31⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Bgmflflj.exe
        
        C:\Windows\system32\Bgmflflj.exe
        32⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Bjlbhbkn.exe
        
        C:\Windows\system32\Bjlbhbkn.exe
        33⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\Bljodmja.exe
        
        C:\Windows\system32\Bljodmja.exe
        34⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Ccdgqg32.exe
        
        C:\Windows\system32\Ccdgqg32.exe
        35⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Cebcmc32.exe
        
        C:\Windows\system32\Cebcmc32.exe
        36⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Cnjknp32.exe
        
        C:\Windows\system32\Cnjknp32.exe
        37⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Cphgjl32.exe
        
        C:\Windows\system32\Cphgjl32.exe
        38⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Cgbpgf32.exe
        
        C:\Windows\system32\Cgbpgf32.exe
        39⤵
        
        PID:7720

C:\Windows\SysWOW64\Cjqlca32.exe
C:\Windows\system32\Cjqlca32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7736
- C:\Windows\SysWOW64\Cnlhcppa.exe
  C:\Windows\system32\Cnlhcppa.exe
  2⤵
  PID:7760
- - C:\Windows\SysWOW64\Cpjdpkoe.exe
    C:\Windows\system32\Cpjdpkoe.exe
    3⤵
    PID:7788
  - - C:\Windows\SysWOW64\Cciplgni.exe
      C:\Windows\system32\Cciplgni.exe
      4⤵
      PID:7804
    - - C:\Windows\SysWOW64\Cgdlle32.exe
        
        C:\Windows\system32\Cgdlle32.exe
        5⤵
        
        PID:7836
      - C:\Windows\SysWOW64\Cjchha32.exe
        
        C:\Windows\system32\Cjchha32.exe
        6⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Cckmaflf.exe
        
        C:\Windows\system32\Cckmaflf.exe
        7⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Cfjimbkj.exe
        
        C:\Windows\system32\Cfjimbkj.exe
        8⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Cjeenqcc.exe
        
        C:\Windows\system32\Cjeenqcc.exe
        9⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Clcajlbf.exe
        
        C:\Windows\system32\Clcajlbf.exe
        10⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Cobnfgaj.exe
        
        C:\Windows\system32\Cobnfgaj.exe
        11⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Cflfca32.exe
        
        C:\Windows\system32\Cflfca32.exe
        12⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Cjgbcpap.exe
        
        C:\Windows\system32\Cjgbcpap.exe
        13⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Clfnplpd.exe
        
        C:\Windows\system32\Clfnplpd.exe
        14⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Dodjlgog.exe
        
        C:\Windows\system32\Dodjlgog.exe
        15⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Dcpflf32.exe
        
        C:\Windows\system32\Dcpflf32.exe
        16⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Fqiihgdb.exe
        
        C:\Windows\system32\Fqiihgdb.exe
        17⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Fcgedbcf.exe
        
        C:\Windows\system32\Fcgedbcf.exe
        18⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Fjanqm32.exe
        
        C:\Windows\system32\Fjanqm32.exe
        19⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Ffhnen32.exe
        
        C:\Windows\system32\Ffhnen32.exe
        20⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Fmbgbhhd.exe
        
        C:\Windows\system32\Fmbgbhhd.exe
        21⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Ffjkkm32.exe
        
        C:\Windows\system32\Ffjkkm32.exe
        22⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Fnaclk32.exe
        
        C:\Windows\system32\Fnaclk32.exe
        23⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Fapohf32.exe
        
        C:\Windows\system32\Fapohf32.exe
        24⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Fcnlda32.exe
        
        C:\Windows\system32\Fcnlda32.exe
        25⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Ffmhqm32.exe
        
        C:\Windows\system32\Ffmhqm32.exe
        26⤵
        Modifies registry class
        
        PID:7976
        
        C:\Windows\SysWOW64\Fndpbjmd.exe
        
        C:\Windows\system32\Fndpbjmd.exe
        27⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Fablnflh.exe
        
        C:\Windows\system32\Fablnflh.exe
        28⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Fcqhjakk.exe
        
        C:\Windows\system32\Fcqhjakk.exe
        29⤵
        Drops file in System32 directory
        
        PID:8140
        
        C:\Windows\SysWOW64\Ffodfmjo.exe
        
        C:\Windows\system32\Ffodfmjo.exe
        30⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Gmimcg32.exe
        
        C:\Windows\system32\Gmimcg32.exe
        31⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Gpgiob32.exe
        
        C:\Windows\system32\Gpgiob32.exe
        32⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Gjmmlk32.exe
        
        C:\Windows\system32\Gjmmlk32.exe
        33⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Gpjfdbom.exe
        
        C:\Windows\system32\Gpjfdbom.exe
        34⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Gnkfbi32.exe
        
        C:\Windows\system32\Gnkfbi32.exe
        35⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Gplbjamj.exe
        
        C:\Windows\system32\Gplbjamj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8212
        
        C:\Windows\SysWOW64\Gchnkp32.exe
        
        C:\Windows\system32\Gchnkp32.exe
        37⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Gffkgl32.exe
        
        C:\Windows\system32\Gffkgl32.exe
        38⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Gjaggjlp.exe
        
        C:\Windows\system32\Gjaggjlp.exe
        39⤵
        
        PID:8256

C:\Windows\SysWOW64\Gmpcce32.exe
C:\Windows\system32\Gmpcce32.exe
1⤵
PID:8272
- C:\Windows\SysWOW64\Galodddm.exe
  C:\Windows\system32\Galodddm.exe
  2⤵
  PID:8288
- - C:\Windows\SysWOW64\Gcjkppcq.exe
    C:\Windows\system32\Gcjkppcq.exe
    3⤵
    - Modifies registry class
    PID:8308
  - - C:\Windows\SysWOW64\Gfhglkbd.exe
      C:\Windows\system32\Gfhglkbd.exe
      4⤵
      Drops file in System32 directory
      PID:8328
    - - C:\Windows\SysWOW64\Ganljdbj.exe
        
        C:\Windows\system32\Ganljdbj.exe
        5⤵
        
        PID:8344
      - C:\Windows\SysWOW64\Gclhfpan.exe
        
        C:\Windows\system32\Gclhfpan.exe
        6⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Ghhdfn32.exe
        
        C:\Windows\system32\Ghhdfn32.exe
        7⤵
        Modifies registry class
        
        PID:8384
        
        C:\Windows\SysWOW64\Hjfpbi32.exe
        
        C:\Windows\system32\Hjfpbi32.exe
        8⤵
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\Hmeloe32.exe
        
        C:\Windows\system32\Hmeloe32.exe
        9⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Haphoc32.exe
        
        C:\Windows\system32\Haphoc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8448
        
        C:\Windows\SysWOW64\Hdodko32.exe
        
        C:\Windows\system32\Hdodko32.exe
        11⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Hfmagk32.exe
        
        C:\Windows\system32\Hfmagk32.exe
        12⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Hmgiddel.exe
        
        C:\Windows\system32\Hmgiddel.exe
        13⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Habeec32.exe
        
        C:\Windows\system32\Habeec32.exe
        14⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Hdaaao32.exe
        
        C:\Windows\system32\Hdaaao32.exe
        15⤵
        Drops file in System32 directory
        
        PID:8560
        
        C:\Windows\SysWOW64\Hfpnmj32.exe
        
        C:\Windows\system32\Hfpnmj32.exe
        16⤵
        Modifies registry class
        
        PID:8588
        
        C:\Windows\SysWOW64\Hjkinide.exe
        
        C:\Windows\system32\Hjkinide.exe
        17⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Hmifjdci.exe
        
        C:\Windows\system32\Hmifjdci.exe
        18⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Hdcnfnkf.exe
        
        C:\Windows\system32\Hdcnfnkf.exe
        19⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Hhojgm32.exe
        
        C:\Windows\system32\Hhojgm32.exe
        20⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Hjmfch32.exe
        
        C:\Windows\system32\Hjmfch32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8708
        
        C:\Windows\SysWOW64\Hmlbod32.exe
        
        C:\Windows\system32\Hmlbod32.exe
        22⤵
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Hagnpbjp.exe
        
        C:\Windows\system32\Hagnpbjp.exe
        23⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Hfdghihg.exe
        
        C:\Windows\system32\Hfdghihg.exe
        24⤵
        Drops file in System32 directory
        
        PID:8772
        
        C:\Windows\SysWOW64\Hmnoec32.exe
        
        C:\Windows\system32\Hmnoec32.exe
        25⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Hdhgangq.exe
        
        C:\Windows\system32\Hdhgangq.exe
        26⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Ialhkb32.exe
        
        C:\Windows\system32\Ialhkb32.exe
        27⤵
        Modifies registry class
        
        PID:8820
        
        C:\Windows\SysWOW64\Imchpcko.exe
        
        C:\Windows\system32\Imchpcko.exe
        28⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Idmamm32.exe
        
        C:\Windows\system32\Idmamm32.exe
        29⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Iobejfba.exe
        
        C:\Windows\system32\Iobejfba.exe
        30⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Ipcaan32.exe
        
        C:\Windows\system32\Ipcaan32.exe
        31⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Ihkick32.exe
        
        C:\Windows\system32\Ihkick32.exe
        32⤵
        Drops file in System32 directory
        
        PID:8900
        
        C:\Windows\SysWOW64\Ikifog32.exe
        
        C:\Windows\system32\Ikifog32.exe
        33⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Ipfngn32.exe
        
        C:\Windows\system32\Ipfngn32.exe
        34⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Ikkbdffc.exe
        
        C:\Windows\system32\Ikkbdffc.exe
        35⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Iaekaq32.exe
        
        C:\Windows\system32\Iaekaq32.exe
        36⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Ihocnkel.exe
        
        C:\Windows\system32\Ihocnkel.exe
        37⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Joikke32.exe
        
        C:\Windows\system32\Joikke32.exe
        38⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Jpkhbmbg.exe
        
        C:\Windows\system32\Jpkhbmbg.exe
        39⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Jhapcjcj.exe
        
        C:\Windows\system32\Jhapcjcj.exe
        40⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Jmohla32.exe
        
        C:\Windows\system32\Jmohla32.exe
        41⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Jdhphkin.exe
        
        C:\Windows\system32\Jdhphkin.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9060
        
        C:\Windows\SysWOW64\Jggmdgha.exe
        
        C:\Windows\system32\Jggmdgha.exe
        43⤵
        Drops file in System32 directory
        
        PID:9076
        
        C:\Windows\SysWOW64\Jondfdhd.exe
        
        C:\Windows\system32\Jondfdhd.exe
        44⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Jdkmnkfk.exe
        
        C:\Windows\system32\Jdkmnkfk.exe
        45⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Jhfioj32.exe
        
        C:\Windows\system32\Jhfioj32.exe
        46⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Jkeeke32.exe
        
        C:\Windows\system32\Jkeeke32.exe
        47⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Jmcagqml.exe
        
        C:\Windows\system32\Jmcagqml.exe
        48⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Jpancllp.exe
        
        C:\Windows\system32\Jpancllp.exe
        49⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Jhifdimb.exe
        
        C:\Windows\system32\Jhifdimb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8356
        
        C:\Windows\SysWOW64\Jglfpf32.exe
        
        C:\Windows\system32\Jglfpf32.exe
        51⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Jobnac32.exe
        
        C:\Windows\system32\Jobnac32.exe
        52⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Jaajmo32.exe
        
        C:\Windows\system32\Jaajmo32.exe
        53⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Jdpfij32.exe
        
        C:\Windows\system32\Jdpfij32.exe
        54⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Kkiofdjc.exe
        
        C:\Windows\system32\Kkiofdjc.exe
        55⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Knhkbpif.exe
        
        C:\Windows\system32\Knhkbpif.exe
        56⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Kpfgnk32.exe
        
        C:\Windows\system32\Kpfgnk32.exe
        57⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Khmooi32.exe
        
        C:\Windows\system32\Khmooi32.exe
        58⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Kgpokepg.exe
        
        C:\Windows\system32\Kgpokepg.exe
        59⤵
        
        PID:732
        
        C:\Windows\SysWOW64\Kogglcpi.exe
        
        C:\Windows\system32\Kogglcpi.exe
        60⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Kafchnom.exe
        
        C:\Windows\system32\Kafchnom.exe
        61⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Khpleh32.exe
        
        C:\Windows\system32\Khpleh32.exe
        62⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Kknhad32.exe
        
        C:\Windows\system32\Kknhad32.exe
        63⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Knmdmo32.exe
        
        C:\Windows\system32\Knmdmo32.exe
        64⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Kpkqik32.exe
        
        C:\Windows\system32\Kpkqik32.exe
        65⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Kdfmji32.exe
        
        C:\Windows\system32\Kdfmji32.exe
        66⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Kkqefcdk.exe
        
        C:\Windows\system32\Kkqefcdk.exe
        67⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Kolagb32.exe
        
        C:\Windows\system32\Kolagb32.exe
        68⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Kdiioi32.exe
        
        C:\Windows\system32\Kdiioi32.exe
        69⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Kamjim32.exe
        
        C:\Windows\system32\Kamjim32.exe
        70⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Loqjbaho.exe
        
        C:\Windows\system32\Loqjbaho.exe
        71⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Laofnmgb.exe
        
        C:\Windows\system32\Laofnmgb.exe
        72⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Lhiokg32.exe
        
        C:\Windows\system32\Lhiokg32.exe
        73⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Lkgkgb32.exe
        
        C:\Windows\system32\Lkgkgb32.exe
        74⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Ldpophdc.exe
        
        C:\Windows\system32\Ldpophdc.exe
        75⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Lhkkqgml.exe
        
        C:\Windows\system32\Lhkkqgml.exe
        76⤵
        Drops file in System32 directory
        
        PID:9432
        
        C:\Windows\SysWOW64\Ladpil32.exe
        
        C:\Windows\system32\Ladpil32.exe
        77⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Lhnhffkj.exe
        
        C:\Windows\system32\Lhnhffkj.exe
        78⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Lnkqnmia.exe
        
        C:\Windows\system32\Lnkqnmia.exe
        79⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Lddikg32.exe
        
        C:\Windows\system32\Lddikg32.exe
        80⤵
        Modifies registry class
        
        PID:9496
        
        C:\Windows\SysWOW64\Lkoaha32.exe
        
        C:\Windows\system32\Lkoaha32.exe
        81⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Lnmmdm32.exe
        
        C:\Windows\system32\Lnmmdm32.exe
        82⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Mhbaaf32.exe
        
        C:\Windows\system32\Mhbaaf32.exe
        83⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Mkanma32.exe
        
        C:\Windows\system32\Mkanma32.exe
        84⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Mqnfeh32.exe
        
        C:\Windows\system32\Mqnfeh32.exe
        85⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Mhenge32.exe
        
        C:\Windows\system32\Mhenge32.exe
        86⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\Moofcp32.exe
        
        C:\Windows\system32\Moofcp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9608
        
        C:\Windows\SysWOW64\Mqpckhbm.exe
        
        C:\Windows\system32\Mqpckhbm.exe
        88⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Mhgklebo.exe
        
        C:\Windows\system32\Mhgklebo.exe
        89⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\Mgjkhb32.exe
        
        C:\Windows\system32\Mgjkhb32.exe
        90⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Moacio32.exe
        
        C:\Windows\system32\Moacio32.exe
        91⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Mqbpqgpj.exe
        
        C:\Windows\system32\Mqbpqgpj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9704
        
        C:\Windows\SysWOW64\Mhihbeql.exe
        
        C:\Windows\system32\Mhihbeql.exe
        93⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Mkhdnppp.exe
        
        C:\Windows\system32\Mkhdnppp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9752
        
        C:\Windows\SysWOW64\Mnfpjl32.exe
        
        C:\Windows\system32\Mnfpjl32.exe
        95⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\Mbblkjgm.exe
        
        C:\Windows\system32\Mbblkjgm.exe
        96⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Mhldgd32.exe
        
        C:\Windows\system32\Mhldgd32.exe
        97⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Mgodcaed.exe
        
        C:\Windows\system32\Mgodcaed.exe
        98⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Mnimpk32.exe
        
        C:\Windows\system32\Mnimpk32.exe
        99⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Mbdipjej.exe
        
        C:\Windows\system32\Mbdipjej.exe
        100⤵
        Modifies registry class
        
        PID:9892
        
        C:\Windows\SysWOW64\Ndbeledn.exe
        
        C:\Windows\system32\Ndbeledn.exe
        101⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Ngaahaca.exe
        
        C:\Windows\system32\Ngaahaca.exe
        102⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Nohijndd.exe
        
        C:\Windows\system32\Nohijndd.exe
        103⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Nqifafjb.exe
        
        C:\Windows\system32\Nqifafjb.exe
        104⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Ndebbe32.exe
        
        C:\Windows\system32\Ndebbe32.exe
        105⤵
        Modifies registry class
        
        PID:10008
        
        C:\Windows\SysWOW64\Ngcnnq32.exe
        
        C:\Windows\system32\Ngcnnq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10024
        
        C:\Windows\SysWOW64\Nojfon32.exe
        
        C:\Windows\system32\Nojfon32.exe
        107⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Nbibki32.exe
        
        C:\Windows\system32\Nbibki32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10076
        
        C:\Windows\SysWOW64\Ndgoge32.exe
        
        C:\Windows\system32\Ndgoge32.exe
        109⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Nicjhchb.exe
        
        C:\Windows\system32\Nicjhchb.exe
        110⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\Nkagdoge.exe
        
        C:\Windows\system32\Nkagdoge.exe
        111⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Nnpcpjfi.exe
        
        C:\Windows\system32\Nnpcpjfi.exe
        112⤵
        Modifies registry class
        
        PID:10168
        
        C:\Windows\SysWOW64\Niegnc32.exe
        
        C:\Windows\system32\Niegnc32.exe
        113⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Nghgipmj.exe
        
        C:\Windows\system32\Nghgipmj.exe
        114⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\Ogdgencl.exe
        
        C:\Windows\system32\Ogdgencl.exe
        115⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Opkoflco.exe
        
        C:\Windows\system32\Opkoflco.exe
        116⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Oalknd32.exe
        
        C:\Windows\system32\Oalknd32.exe
        117⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\Ogfcjnaj.exe
        
        C:\Windows\system32\Ogfcjnaj.exe
        118⤵
        Drops file in System32 directory
        
        PID:9716
        
        C:\Windows\SysWOW64\Opmllk32.exe
        
        C:\Windows\system32\Opmllk32.exe
        119⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Pblhhg32.exe
        
        C:\Windows\system32\Pblhhg32.exe
        120⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Phhqpn32.exe
        
        C:\Windows\system32\Phhqpn32.exe
        121⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Pnbimhfd.exe
        
        C:\Windows\system32\Pnbimhfd.exe
        122⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Pelaib32.exe
        
        C:\Windows\system32\Pelaib32.exe
        123⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\Ppbegkmg.exe
        
        C:\Windows\system32\Ppbegkmg.exe
        124⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Pbpacfmj.exe
        
        C:\Windows\system32\Pbpacfmj.exe
        125⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Pijjpp32.exe
        
        C:\Windows\system32\Pijjpp32.exe
        126⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Phmjkmka.exe
        
        C:\Windows\system32\Phmjkmka.exe
        127⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        128⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Pbbnhfjh.exe
        
        C:\Windows\system32\Pbbnhfjh.exe
        129⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Peajdajk.exe
        
        C:\Windows\system32\Peajdajk.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10276
        
        C:\Windows\SysWOW64\Phpfqmio.exe
        
        C:\Windows\system32\Phpfqmio.exe
        131⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Plkbak32.exe
        
        C:\Windows\system32\Plkbak32.exe
        132⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Pbekne32.exe
        
        C:\Windows\system32\Pbekne32.exe
        133⤵
        Drops file in System32 directory
        
        PID:10340
        
        C:\Windows\SysWOW64\Pahkjbop.exe
        
        C:\Windows\system32\Pahkjbop.exe
        134⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Piockppb.exe
        
        C:\Windows\system32\Piockppb.exe
        135⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Qpikgj32.exe
        
        C:\Windows\system32\Qpikgj32.exe
        136⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\Qbggce32.exe
        
        C:\Windows\system32\Qbggce32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10436
        
        C:\Windows\SysWOW64\Qefdpq32.exe
        
        C:\Windows\system32\Qefdpq32.exe
        138⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        139⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        140⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Qnnhhflf.exe
        
        C:\Windows\system32\Qnnhhflf.exe
        141⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        142⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Qhfmalbg.exe
        
        C:\Windows\system32\Qhfmalbg.exe
        143⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Apndbici.exe
        
        C:\Windows\system32\Apndbici.exe
        144⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Aoqenf32.exe
        
        C:\Windows\system32\Aoqenf32.exe
        145⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Aaoaja32.exe
        
        C:\Windows\system32\Aaoaja32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10636
        
        C:\Windows\SysWOW64\Ahiigkqd.exe
        
        C:\Windows\system32\Ahiigkqd.exe
        147⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Aocace32.exe
        
        C:\Windows\system32\Aocace32.exe
        148⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Aaanpa32.exe
        
        C:\Windows\system32\Aaanpa32.exe
        149⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\Aihfanhg.exe
        
        C:\Windows\system32\Aihfanhg.exe
        150⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10736
        
        C:\Windows\SysWOW64\Apbnnh32.exe
        
        C:\Windows\system32\Apbnnh32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10756
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        153⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Ahncbk32.exe
        
        C:\Windows\system32\Ahncbk32.exe
        154⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Abcgoc32.exe
        
        C:\Windows\system32\Abcgoc32.exe
        155⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\Ahppgjjl.exe
        
        C:\Windows\system32\Ahppgjjl.exe
        156⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10840
        
        C:\Windows\SysWOW64\Boldjd32.exe
        
        C:\Windows\system32\Boldjd32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10856
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        159⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        160⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        161⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Bbjmpb32.exe
        
        C:\Windows\system32\Bbjmpb32.exe
        162⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        163⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        164⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        165⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        166⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        167⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        168⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        169⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        170⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        171⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        172⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        173⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        174⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        175⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        176⤵
        Drops file in System32 directory
        
        PID:11156
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        177⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        178⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        179⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        180⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        181⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        182⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        183⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        184⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        185⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        186⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        187⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        188⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        189⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        190⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        191⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        192⤵
        Modifies registry class
        
        PID:11284
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        193⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        194⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        195⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11368
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        197⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        198⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        199⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        200⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        201⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        202⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11532
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11548
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        205⤵
        Modifies registry class
        
        PID:11564
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        206⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        207⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        208⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        209⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11628
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        210⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        211⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        212⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        213⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        214⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        215⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        216⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        217⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        218⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        219⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        220⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        221⤵
        Drops file in System32 directory
        
        PID:11820
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        222⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        223⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        224⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        225⤵
        Modifies registry class
        
        PID:11896
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        226⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        227⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        228⤵
        Modifies registry class
        
        PID:11952
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        229⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        230⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        231⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        232⤵
        Drops file in System32 directory
        
        PID:12036
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        233⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        234⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        235⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        236⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        237⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        238⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        239⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        240⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        241⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        242⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        243⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        244⤵
        Drops file in System32 directory
        
        PID:11348
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        245⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        246⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        247⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        248⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        249⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        250⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        251⤵
        Modifies registry class
        
        PID:11292
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        252⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12004
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        254⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        255⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        256⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        257⤵
        Drops file in System32 directory
        
        PID:12320
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        258⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        259⤵
        
        PID:12352
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        260⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        261⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12400
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        263⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        264⤵
        
        PID:12432
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        265⤵
        
        PID:12452
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        266⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        267⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        268⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        269⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        270⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        271⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        272⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        273⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12636
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        275⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        276⤵
        Modifies registry class
        
        PID:12676
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        277⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        278⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        279⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        280⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        281⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        282⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        283⤵
        Modifies registry class
        
        PID:12828
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        284⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        285⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        286⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        287⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        288⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        289⤵
        Drops file in System32 directory
        
        PID:12936
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        290⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        291⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        292⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        293⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        294⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        295⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        296⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        297⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        298⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        299⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13112
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        301⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        302⤵
        Drops file in System32 directory
        
        PID:13144
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13160
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        304⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        305⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        306⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        307⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        308⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        309⤵
        Modifies registry class
        
        PID:13276
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        310⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        311⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        312⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        313⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        314⤵
        
        PID:12760
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13216
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        316⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        317⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        318⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        319⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        320⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        321⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        322⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        323⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        324⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13412
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        325⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        326⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        327⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        328⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        329⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        330⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        331⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        332⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        333⤵
        
        PID:13556
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        334⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        335⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        336⤵
        Drops file in System32 directory
        
        PID:13608
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        337⤵
        Drops file in System32 directory
        
        PID:13624
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        338⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        339⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        340⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        341⤵
        Modifies registry class
        
        PID:13712
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:13732
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        343⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        344⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        345⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\Nnaikd32.exe
        
        C:\Windows\system32\Nnaikd32.exe
        346⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\Nqpego32.exe
        
        C:\Windows\system32\Nqpego32.exe
        347⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\Ogjmdigk.exe
        
        C:\Windows\system32\Ogjmdigk.exe
        348⤵
        Modifies registry class
        
        PID:13848
        
        C:\Windows\SysWOW64\Ojhiqefo.exe
        
        C:\Windows\system32\Ojhiqefo.exe
        349⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        350⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\Ojjffddl.exe
        
        C:\Windows\system32\Ojjffddl.exe
        351⤵
        
        PID:13896
        
        C:\Windows\SysWOW64\Occkojkm.exe
        
        C:\Windows\system32\Occkojkm.exe
        352⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        353⤵
        Modifies registry class
        
        PID:13928
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        354⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\Odbgim32.exe
        
        C:\Windows\system32\Odbgim32.exe
        355⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\Ogaceh32.exe
        
        C:\Windows\system32\Ogaceh32.exe
        356⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        357⤵
        
        PID:13992
        
        C:\Windows\SysWOW64\Odednmpm.exe
        
        C:\Windows\system32\Odednmpm.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14008
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        359⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        360⤵
        Drops file in System32 directory
        
        PID:14040
        
        C:\Windows\SysWOW64\Pgemphmn.exe
        
        C:\Windows\system32\Pgemphmn.exe
        361⤵
        
        PID:14056
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        362⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        363⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        364⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        365⤵
        
        PID:14128

C:\Windows\SysWOW64\Pkfblfab.exe
C:\Windows\system32\Pkfblfab.exe
1⤵
- Modifies registry class
PID:14144
- C:\Windows\SysWOW64\Pbpjhp32.exe
  C:\Windows\system32\Pbpjhp32.exe
  2⤵
  PID:14164
- - C:\Windows\SysWOW64\Pabkdmpi.exe
    C:\Windows\system32\Pabkdmpi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:14192
  - - C:\Windows\SysWOW64\Pgmcqggf.exe
      C:\Windows\system32\Pgmcqggf.exe
      4⤵
      PID:14256
    - - C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        5⤵
        
        PID:14272
      - C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        6⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        7⤵
        
        PID:14316
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        8⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        9⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        10⤵
        
        PID:13688
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        11⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        12⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        13⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        14⤵
        
        PID:13372
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        16⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        17⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        18⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        19⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        20⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        21⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        22⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        23⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        24⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        25⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        26⤵
        
        PID:14124
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        27⤵
        
        PID:14176
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        28⤵
        
        PID:14200
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        30⤵
        
        PID:14224
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        31⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        32⤵
        
        PID:14236
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        33⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        34⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        35⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        36⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        37⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        38⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        39⤵
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        40⤵
        
        PID:748

C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
1⤵
PID:4984
- C:\Windows\SysWOW64\Pmidog32.exe
  C:\Windows\system32\Pmidog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6300
- - C:\Windows\SysWOW64\Pcbmka32.exe
    C:\Windows\system32\Pcbmka32.exe
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Modifies registry class
      PID:6104
    - - C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        5⤵
        Drops file in System32 directory
        
        PID:6120
      - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        6⤵
        
        PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7172 -ip 7172
1⤵
PID:7228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Admkndag.exe

Filesize
92KB

MD5
12216d4b4bc288f43beed03bb088f52a

SHA1
a1969f4c66245947c0935670407fea42273db942

SHA256
78c6c60268bd91933fa7a7e45a939af2848389dfabb93245a7fea72e698931c5

SHA512
b9e357147e6af8d979aecc2d20de431018602554ffd9b8ef7059ce09b588edfe30a1eec7ef1cbfd35bbc6feac02edd64d6d76123881ebbc9a8117cd4ec0e9d97

Download Submit
C:\Windows\SysWOW64\Admkndag.exe

Filesize
92KB

MD5
12216d4b4bc288f43beed03bb088f52a

SHA1
a1969f4c66245947c0935670407fea42273db942

SHA256
78c6c60268bd91933fa7a7e45a939af2848389dfabb93245a7fea72e698931c5

SHA512
b9e357147e6af8d979aecc2d20de431018602554ffd9b8ef7059ce09b588edfe30a1eec7ef1cbfd35bbc6feac02edd64d6d76123881ebbc9a8117cd4ec0e9d97

Download Submit
C:\Windows\SysWOW64\Agpqeo32.exe

Filesize
92KB

MD5
092e522e3c46c3cd2934277e60604004

SHA1
614845dcddd1c09bbe9cc8201b2d26893143379d

SHA256
226074ce788a9b093a6f57769c9a5be3b86e2d933d982683b16a4ee36d95c008

SHA512
d9e4a56bfb3b18dc72d2f325de0a6be88bc46e56674ecf9c07f2c6a7e4eab0a324aa95a94c0932afac2adf22c6a44bb2b6215187df1e77b4acd9e903d12fdee2

Download Submit
C:\Windows\SysWOW64\Agpqeo32.exe

Filesize
92KB

MD5
092e522e3c46c3cd2934277e60604004

SHA1
614845dcddd1c09bbe9cc8201b2d26893143379d

SHA256
226074ce788a9b093a6f57769c9a5be3b86e2d933d982683b16a4ee36d95c008

SHA512
d9e4a56bfb3b18dc72d2f325de0a6be88bc46e56674ecf9c07f2c6a7e4eab0a324aa95a94c0932afac2adf22c6a44bb2b6215187df1e77b4acd9e903d12fdee2

Download Submit
C:\Windows\SysWOW64\Aknikm32.exe

Filesize
92KB

MD5
c6a8b7dc07ee5035113a04b91e16f9ac

SHA1
fc4b8c6dd63df96eef27f1eed95732d16e7657d5

SHA256
055c5cddaaccef947bff67eb99937c0b5966ad087634d519deb1755271845526

SHA512
9ea6cd6e0a4e783443d649eb791f3f8e469d0905b800904d58b496166607d694cc1025c78d109da6eb27829d73feb7c5d24b329d331ea2dfe914590f4911beba

Download Submit
C:\Windows\SysWOW64\Aknikm32.exe

Filesize
92KB

MD5
c6a8b7dc07ee5035113a04b91e16f9ac

SHA1
fc4b8c6dd63df96eef27f1eed95732d16e7657d5

SHA256
055c5cddaaccef947bff67eb99937c0b5966ad087634d519deb1755271845526

SHA512
9ea6cd6e0a4e783443d649eb791f3f8e469d0905b800904d58b496166607d694cc1025c78d109da6eb27829d73feb7c5d24b329d331ea2dfe914590f4911beba

Download Submit
C:\Windows\SysWOW64\Almime32.exe

Filesize
92KB

MD5
e86809f22cfac942cde24675c96442da

SHA1
f26a6ba6b9fbed7b2f40772dfcd5d45deb8be5ef

SHA256
5cea6aa3933d720a2ce3226e9da8952c2a492603d35ca56f0e086a8dfb8378f2

SHA512
d642cd6b660d400de3e8e09c21a75de921f2ead9866088af98c5dfcf99c20e97b296efdee12a3c80226297cd1626b0f9bc59d06ea342c4ff3f9f07b76154f88a

Download Submit
C:\Windows\SysWOW64\Almime32.exe

Filesize
92KB

MD5
e86809f22cfac942cde24675c96442da

SHA1
f26a6ba6b9fbed7b2f40772dfcd5d45deb8be5ef

SHA256
5cea6aa3933d720a2ce3226e9da8952c2a492603d35ca56f0e086a8dfb8378f2

SHA512
d642cd6b660d400de3e8e09c21a75de921f2ead9866088af98c5dfcf99c20e97b296efdee12a3c80226297cd1626b0f9bc59d06ea342c4ff3f9f07b76154f88a

Download Submit
C:\Windows\SysWOW64\Anepfi32.exe

Filesize
92KB

MD5
39930b2e19ab9294ebbdc652907c3f5f

SHA1
9d5238349b8fa767ddfc997e0577985b013cbf2b

SHA256
b9262b58d47793864a94ebf4f7d9d2e40afc2dcb29e26acb99edf763a22ade51

SHA512
7275e3e5e130b3dd8f3450f284ec3a6c9ceed516cb6fe23f3de7d9290f02d0d181127d2a9d69c53ede9ff1bc03b750db34c7242661085a89791e90351fa3e68d

Download Submit
C:\Windows\SysWOW64\Anepfi32.exe

Filesize
92KB

MD5
39930b2e19ab9294ebbdc652907c3f5f

SHA1
9d5238349b8fa767ddfc997e0577985b013cbf2b

SHA256
b9262b58d47793864a94ebf4f7d9d2e40afc2dcb29e26acb99edf763a22ade51

SHA512
7275e3e5e130b3dd8f3450f284ec3a6c9ceed516cb6fe23f3de7d9290f02d0d181127d2a9d69c53ede9ff1bc03b750db34c7242661085a89791e90351fa3e68d

Download Submit
C:\Windows\SysWOW64\Anhlliee.exe

Filesize
92KB

MD5
11c556e6612791e423120d4c4dd13708

SHA1
86313fae7ecf34aede04bf88fb1f1e1f382e16fc

SHA256
4361568f77f7029824a7dace4d75d483de4e4dc19189e03d0630b5273f7b5409

SHA512
b1d207172bf2fab1aafc9aa49dafae63e8577fa088fda16b4796379b8dba498ad6be6f1e552dcaf7df024406eb73d4870b0cb26167e18c710bc79493077dce7e

Download Submit
C:\Windows\SysWOW64\Anhlliee.exe

Filesize
92KB

MD5
11c556e6612791e423120d4c4dd13708

SHA1
86313fae7ecf34aede04bf88fb1f1e1f382e16fc

SHA256
4361568f77f7029824a7dace4d75d483de4e4dc19189e03d0630b5273f7b5409

SHA512
b1d207172bf2fab1aafc9aa49dafae63e8577fa088fda16b4796379b8dba498ad6be6f1e552dcaf7df024406eb73d4870b0cb26167e18c710bc79493077dce7e

Download Submit
C:\Windows\SysWOW64\Apclbe32.exe

Filesize
92KB

MD5
ea0262fdf95212827a2fa318e5a7175e

SHA1
670b994c1826e289163e5dcc98e8c0192f597ac0

SHA256
d3b2fb2392107bc1f16f7cd0ceedab5941fd1ede06b919da06ac5f8dcea2394f

SHA512
9f462a357ac5ff164cdaf43cc6b8d29e4d1b8fb5662ae95cdc79426b1a82e7237a92d58c1b1ef94cd5d5f37a978cbd69f8cd347de91bd2fab5650cc193c47173

Download Submit
C:\Windows\SysWOW64\Apclbe32.exe

Filesize
92KB

MD5
ea0262fdf95212827a2fa318e5a7175e

SHA1
670b994c1826e289163e5dcc98e8c0192f597ac0

SHA256
d3b2fb2392107bc1f16f7cd0ceedab5941fd1ede06b919da06ac5f8dcea2394f

SHA512
9f462a357ac5ff164cdaf43cc6b8d29e4d1b8fb5662ae95cdc79426b1a82e7237a92d58c1b1ef94cd5d5f37a978cbd69f8cd347de91bd2fab5650cc193c47173

Download Submit
C:\Windows\SysWOW64\Apkbcd32.exe

Filesize
92KB

MD5
018eb1e7ca44db3017c459d068d091ea

SHA1
1cb1d97ec8c6b0e7c1e5b35b174fd7cbe87e695a

SHA256
a559679f92e22a42fe4bf103183149d9438c404cfafeace19545ee290baf7c40

SHA512
6dc8a5af558250e00e5eef21e304be19fe2bccf67fff1185024ce5dcdd06d1e9bb8c62b64424609a3c8d929733276e3038badc6c600352e238fb6696985bb520

Download Submit
C:\Windows\SysWOW64\Apkbcd32.exe

Filesize
92KB

MD5
018eb1e7ca44db3017c459d068d091ea

SHA1
1cb1d97ec8c6b0e7c1e5b35b174fd7cbe87e695a

SHA256
a559679f92e22a42fe4bf103183149d9438c404cfafeace19545ee290baf7c40

SHA512
6dc8a5af558250e00e5eef21e304be19fe2bccf67fff1185024ce5dcdd06d1e9bb8c62b64424609a3c8d929733276e3038badc6c600352e238fb6696985bb520

Download Submit
C:\Windows\SysWOW64\Bckkeo32.exe

Filesize
92KB

MD5
a8b4c18e30189d39067b75182c44f731

SHA1
ebd2b55279587aff35a5337f33680156c9d0da85

SHA256
aee36358464649b73f2b49f11293a4cb93c4bc8430bbf97a911bec7f5ff0b9cf

SHA512
ccfbb25d6dc096dff683913b9c7669f2f81c19945de5933ada81969d62cf8882c7c84e99ddcd11220e815ea89984bedaf6dfa1cf8f5a8bdd4f75eb9360f5d97b

Download Submit
C:\Windows\SysWOW64\Bckkeo32.exe

Filesize
92KB

MD5
a8b4c18e30189d39067b75182c44f731

SHA1
ebd2b55279587aff35a5337f33680156c9d0da85

SHA256
aee36358464649b73f2b49f11293a4cb93c4bc8430bbf97a911bec7f5ff0b9cf

SHA512
ccfbb25d6dc096dff683913b9c7669f2f81c19945de5933ada81969d62cf8882c7c84e99ddcd11220e815ea89984bedaf6dfa1cf8f5a8bdd4f75eb9360f5d97b

Download Submit
C:\Windows\SysWOW64\Bnaobhmj.exe

Filesize
92KB

MD5
87f1ac7d6cf528e1aff061633f74c6dd

SHA1
06fed654242ab68a522914a162b82c86a7a36b22

SHA256
6ea5e14bd60b3b4c8a0c840808c32140b3024829a8075191bac418f9e9ac21ff

SHA512
11094833f9cd5ce9a2fd575945de26f106c5f2f10ce2a01edb2263cb7a01b28209ead668127a89c47636e799dc5be5681e3f605d62d5d0dc2f0c97dabff61b1e

Download Submit
C:\Windows\SysWOW64\Bnaobhmj.exe

Filesize
92KB

MD5
87f1ac7d6cf528e1aff061633f74c6dd

SHA1
06fed654242ab68a522914a162b82c86a7a36b22

SHA256
6ea5e14bd60b3b4c8a0c840808c32140b3024829a8075191bac418f9e9ac21ff

SHA512
11094833f9cd5ce9a2fd575945de26f106c5f2f10ce2a01edb2263cb7a01b28209ead668127a89c47636e799dc5be5681e3f605d62d5d0dc2f0c97dabff61b1e

Download Submit
C:\Windows\SysWOW64\Bnobmh32.exe

Filesize
92KB

MD5
058263dd299657f439c5cfc4adc9e114

SHA1
ed76a369661747fb8f6a422b2880c73db59e82cc

SHA256
5a5a4f64c19c999b539a6901527b1b434e39b19e1a9df030c3ca37837098f19f

SHA512
47e7983693b3666fcdad6c3463863c4cf4dae8004b35dff7a05576845326e5bde8fc6e9caefb6a29a2163702c01f572295b29ce8c0cbddd06793d339129b427e

Download Submit
C:\Windows\SysWOW64\Bnobmh32.exe

Filesize
92KB

MD5
058263dd299657f439c5cfc4adc9e114

SHA1
ed76a369661747fb8f6a422b2880c73db59e82cc

SHA256
5a5a4f64c19c999b539a6901527b1b434e39b19e1a9df030c3ca37837098f19f

SHA512
47e7983693b3666fcdad6c3463863c4cf4dae8004b35dff7a05576845326e5bde8fc6e9caefb6a29a2163702c01f572295b29ce8c0cbddd06793d339129b427e

Download Submit
C:\Windows\SysWOW64\Nfmbacjn.exe

Filesize
92KB

MD5
cdb766eb414e6d301894399d3903a4fd

SHA1
66e20d311cb2d200fe0111b88b5d8d683f15b0ac

SHA256
8ef8580953fa705eb07b367076ed1e969549ce4de2acb46be96961f36e12f497

SHA512
6a8c6472ba611637bbe5b3065a273acf3050406db52eaa361c9a9d7d9179f131e841622eb8f308ce8dfa0e5c03cc8aaff4d014fa099326b122393904c40f2841

Download Submit
C:\Windows\SysWOW64\Nfmbacjn.exe

Filesize
92KB

MD5
cdb766eb414e6d301894399d3903a4fd

SHA1
66e20d311cb2d200fe0111b88b5d8d683f15b0ac

SHA256
8ef8580953fa705eb07b367076ed1e969549ce4de2acb46be96961f36e12f497

SHA512
6a8c6472ba611637bbe5b3065a273acf3050406db52eaa361c9a9d7d9179f131e841622eb8f308ce8dfa0e5c03cc8aaff4d014fa099326b122393904c40f2841

Download Submit
C:\Windows\SysWOW64\Nidhmp32.exe

Filesize
92KB

MD5
fc0ff81da350ed6b4a6beee7dd6da6a8

SHA1
6e928c57b5b6257f78209bc2fc71cb1f5d7a6675

SHA256
e71ef8adb25df1b0a08a2a37724d3fbb3c0166b99839dbc4734a4e99c3b8e3eb

SHA512
2a931a4e597647cea4ae84a1fbe1fc0f15539aba947be336f45b64bc13fba9e3a4c6a59627805ecc1481850c94efb8de427a76687538b1d5cf10578fe8f8f576

Download Submit
C:\Windows\SysWOW64\Nidhmp32.exe

Filesize
92KB

MD5
fc0ff81da350ed6b4a6beee7dd6da6a8

SHA1
6e928c57b5b6257f78209bc2fc71cb1f5d7a6675

SHA256
e71ef8adb25df1b0a08a2a37724d3fbb3c0166b99839dbc4734a4e99c3b8e3eb

SHA512
2a931a4e597647cea4ae84a1fbe1fc0f15539aba947be336f45b64bc13fba9e3a4c6a59627805ecc1481850c94efb8de427a76687538b1d5cf10578fe8f8f576

Download Submit
C:\Windows\SysWOW64\Nleaok32.exe

Filesize
92KB

MD5
3492feb50e17647d83407d73883b4711

SHA1
326088e2848de90e540505997f07158370da10c8

SHA256
c43bc7fd18a4c993b2574d77cb888a91d0cb1a14968315800e1965f7bef4d560

SHA512
fce15bb88888e4354a0a7b1fad02ba675819b8899d5e1741bc977afb23eaf025b331d22ee82ab4d6caf3d69d49e6410b723bb25180c97e2308143ae3759e5143

Download Submit
C:\Windows\SysWOW64\Nleaok32.exe

Filesize
92KB

MD5
3492feb50e17647d83407d73883b4711

SHA1
326088e2848de90e540505997f07158370da10c8

SHA256
c43bc7fd18a4c993b2574d77cb888a91d0cb1a14968315800e1965f7bef4d560

SHA512
fce15bb88888e4354a0a7b1fad02ba675819b8899d5e1741bc977afb23eaf025b331d22ee82ab4d6caf3d69d49e6410b723bb25180c97e2308143ae3759e5143

Download Submit
C:\Windows\SysWOW64\Nmdnin32.exe

Filesize
92KB

MD5
2a75a9e37d18fe5e5fc23b42b440c39f

SHA1
657912e8ef4df52753b2ab782cefa353485899f1

SHA256
128dab8c43cf88facf74551626939701417480ede5254d183fa2d1c7e6895ebe

SHA512
95562bb8da57e1f29e7585ec173a7e16a01c07a7aee1993e41df9ed6cdc79bf3029305df3a3b467f17df50d826946d45bdbf160cac0b97348ce6fc73289467cb

Download Submit
C:\Windows\SysWOW64\Nmdnin32.exe

Filesize
92KB

MD5
2a75a9e37d18fe5e5fc23b42b440c39f

SHA1
657912e8ef4df52753b2ab782cefa353485899f1

SHA256
128dab8c43cf88facf74551626939701417480ede5254d183fa2d1c7e6895ebe

SHA512
95562bb8da57e1f29e7585ec173a7e16a01c07a7aee1993e41df9ed6cdc79bf3029305df3a3b467f17df50d826946d45bdbf160cac0b97348ce6fc73289467cb

Download Submit
C:\Windows\SysWOW64\Npnqjjgf.exe

Filesize
92KB

MD5
f83051ebcceb16ee169279eb0178ebc6

SHA1
51e35d3fe00a31a28e2145a4258de22080f9ea7a

SHA256
d9b0b448cadab70bc3cf40ef2cae1d548fcf118695011f9e96ae2b72620a9684

SHA512
26ab22f512f02deec222f2e062cc93cdc9d01146a6d7a9f24a75f25d6fc3ed869858a70c5e4539ce176bb7f8d4c1c4e2753a47b285810ff59a93564bbc5b4b3e

Download Submit
C:\Windows\SysWOW64\Npnqjjgf.exe

Filesize
92KB

MD5
f83051ebcceb16ee169279eb0178ebc6

SHA1
51e35d3fe00a31a28e2145a4258de22080f9ea7a

SHA256
d9b0b448cadab70bc3cf40ef2cae1d548fcf118695011f9e96ae2b72620a9684

SHA512
26ab22f512f02deec222f2e062cc93cdc9d01146a6d7a9f24a75f25d6fc3ed869858a70c5e4539ce176bb7f8d4c1c4e2753a47b285810ff59a93564bbc5b4b3e

Download Submit
C:\Windows\SysWOW64\Odelfg32.exe

Filesize
92KB

MD5
66fee3334a91b8eb180e876dd426812d

SHA1
552416145110a43472e90c20dcd119cd969a3fa5

SHA256
17d1da468866e8595dda7b35346c7c3ad7b804e2d37f8bb1c59798fe30be4387

SHA512
3cd03fc15a6dda01e4d0c4b73298953f8b8624e5af0cc3fe30378115c9dade475c38c5e6901d3a9df41f4865a1626594bdef6c522313ae80152ec8c44fbfdec5

Download Submit
C:\Windows\SysWOW64\Odelfg32.exe

Filesize
92KB

MD5
66fee3334a91b8eb180e876dd426812d

SHA1
552416145110a43472e90c20dcd119cd969a3fa5

SHA256
17d1da468866e8595dda7b35346c7c3ad7b804e2d37f8bb1c59798fe30be4387

SHA512
3cd03fc15a6dda01e4d0c4b73298953f8b8624e5af0cc3fe30378115c9dade475c38c5e6901d3a9df41f4865a1626594bdef6c522313ae80152ec8c44fbfdec5

Download Submit
C:\Windows\SysWOW64\Ofalmc32.exe

Filesize
92KB

MD5
9da6c280f20f327fb5cae22dabc79b65

SHA1
41567498960cc93e200b7298f4327fbb329530ab

SHA256
bfbb89a3af1d83b5a8ef2c235572f4bcf626b86e91f6cf8c60f79fe1bfb8c137

SHA512
b53c13d4eff56cbff4265b9b7add098bbe0bda678ee9724d4db8c56d88bf350b6f8e3e05ab94b6bfa500f87d3b5fd9473d2a91e81e562669de8a261ac0f7380f

Download Submit
C:\Windows\SysWOW64\Ofalmc32.exe

Filesize
92KB

MD5
9da6c280f20f327fb5cae22dabc79b65

SHA1
41567498960cc93e200b7298f4327fbb329530ab

SHA256
bfbb89a3af1d83b5a8ef2c235572f4bcf626b86e91f6cf8c60f79fe1bfb8c137

SHA512
b53c13d4eff56cbff4265b9b7add098bbe0bda678ee9724d4db8c56d88bf350b6f8e3e05ab94b6bfa500f87d3b5fd9473d2a91e81e562669de8a261ac0f7380f

Download Submit
C:\Windows\SysWOW64\Offehbbc.exe

Filesize
92KB

MD5
197a6a2ece8fd166e403907ec447325c

SHA1
d4943fb0ef1e272153a60366d226aec897447fdb

SHA256
1239a6ef5f6b11b31015988b988743b0a396b7ec424505fd65a6d18ad9995f59

SHA512
e3820b16c7ab85ba8d128b5a68d5ca9cce635b5f113b741f0ba2d278db9ee48590c3ab5a6c7fabf08c7134cda8012bb957145d7fe2d714b4b7c8fa820c70f46f

Download Submit
C:\Windows\SysWOW64\Offehbbc.exe

Filesize
92KB

MD5
197a6a2ece8fd166e403907ec447325c

SHA1
d4943fb0ef1e272153a60366d226aec897447fdb

SHA256
1239a6ef5f6b11b31015988b988743b0a396b7ec424505fd65a6d18ad9995f59

SHA512
e3820b16c7ab85ba8d128b5a68d5ca9cce635b5f113b741f0ba2d278db9ee48590c3ab5a6c7fabf08c7134cda8012bb957145d7fe2d714b4b7c8fa820c70f46f

Download Submit
C:\Windows\SysWOW64\Ofoogc32.exe

Filesize
92KB

MD5
4dac11cda4d0100f126812e5c5457a83

SHA1
ac3e577f83dab09253ec940dbb3ada9453624f3b

SHA256
7de313e8b752a74e9ba3451cf7e1bc82319438c98790111a6d4f47459c51cb61

SHA512
07b3962c5ba55cae5da685e93956243824a4b819235ce437fdf4df4ad3d67e3c7741ced2f5c675d8f6061283be88fdcf4087205349686dffee3594db82586803

Download Submit
C:\Windows\SysWOW64\Ofoogc32.exe

Filesize
92KB

MD5
4dac11cda4d0100f126812e5c5457a83

SHA1
ac3e577f83dab09253ec940dbb3ada9453624f3b

SHA256
7de313e8b752a74e9ba3451cf7e1bc82319438c98790111a6d4f47459c51cb61

SHA512
07b3962c5ba55cae5da685e93956243824a4b819235ce437fdf4df4ad3d67e3c7741ced2f5c675d8f6061283be88fdcf4087205349686dffee3594db82586803

Download Submit
C:\Windows\SysWOW64\Oignimod.exe

Filesize
92KB

MD5
d2dfe409099a3fab2ae34fa120236d56

SHA1
69477ef23105783d29d4709c2ff27b344707cfd2

SHA256
2d4dcbde90950fc449bcbe955a454d1c81c5b0d3b88c2562bcefb80bbf88c1ff

SHA512
b3f0c3a6aeba570cc8b41c13c4d65ddfc3c02115e9a971dbba57e2b80c0764bf55ce590efa0336f80ebacbfbd587f927279ae5c97f22cb0fe48f1f132a834950

Download Submit
C:\Windows\SysWOW64\Oignimod.exe

Filesize
92KB

MD5
d2dfe409099a3fab2ae34fa120236d56

SHA1
69477ef23105783d29d4709c2ff27b344707cfd2

SHA256
2d4dcbde90950fc449bcbe955a454d1c81c5b0d3b88c2562bcefb80bbf88c1ff

SHA512
b3f0c3a6aeba570cc8b41c13c4d65ddfc3c02115e9a971dbba57e2b80c0764bf55ce590efa0336f80ebacbfbd587f927279ae5c97f22cb0fe48f1f132a834950

Download Submit
C:\Windows\SysWOW64\Ollgoj32.exe

Filesize
92KB

MD5
7abcac391ddd3b0d729ca3ad5acf212b

SHA1
29d914ad3f43bc4ead8db447b3afc3b2c10231ce

SHA256
87a85429eed4a728903a0dbcc8691586a7dd12de098ba06a03902263846bb3df

SHA512
015c2f209ea56b39975f00e018dca04a4bf28ce71bb1d69cd2cbbc01f23346c6a6b471ed07ec145926651b2d48aaa2c7d87bf228d2362c550e5b679727616af4

Download Submit
C:\Windows\SysWOW64\Ollgoj32.exe

Filesize
92KB

MD5
7abcac391ddd3b0d729ca3ad5acf212b

SHA1
29d914ad3f43bc4ead8db447b3afc3b2c10231ce

SHA256
87a85429eed4a728903a0dbcc8691586a7dd12de098ba06a03902263846bb3df

SHA512
015c2f209ea56b39975f00e018dca04a4bf28ce71bb1d69cd2cbbc01f23346c6a6b471ed07ec145926651b2d48aaa2c7d87bf228d2362c550e5b679727616af4

Download Submit
C:\Windows\SysWOW64\Omnqom32.exe

Filesize
92KB

MD5
9c53458f01fe8c283d97b50331b64392

SHA1
351185788a3173b9f3525c9ecd298c51e603e7af

SHA256
cc344ec3671da2137ecdfc8aa450af26a64f5c1ab34a0dd4e2ecedb28b237df9

SHA512
e2626d802392ec594015f22c314d172bc3e78a510ee8f7e5dc47654b46bb5683b304beb1b2d6c4fa108fa2b6047857be217840087faf2e9114e5871f68e99536

Download Submit
C:\Windows\SysWOW64\Omnqom32.exe

Filesize
92KB

MD5
9c53458f01fe8c283d97b50331b64392

SHA1
351185788a3173b9f3525c9ecd298c51e603e7af

SHA256
cc344ec3671da2137ecdfc8aa450af26a64f5c1ab34a0dd4e2ecedb28b237df9

SHA512
e2626d802392ec594015f22c314d172bc3e78a510ee8f7e5dc47654b46bb5683b304beb1b2d6c4fa108fa2b6047857be217840087faf2e9114e5871f68e99536

Download Submit
C:\Windows\SysWOW64\Opoiqh32.exe

Filesize
92KB

MD5
9b44fb933ddca8bf1959dc44d4f7c5d3

SHA1
741890282108aacc9628e5159b0c1fd906d1cefe

SHA256
3c09fb5e3ed78b0791c9df20b8cf32aab23d6cc23bfd09654faae9a593b8d00d

SHA512
ad6518f8e91699158daa5a7e4b7125f4bd5d55fc55dff7121d84520c0fc55e39d31210f6b0d95e8066d2b0e5c65f83393b62ae87e05608ffde04aaba4f764d8e

Download Submit
C:\Windows\SysWOW64\Opoiqh32.exe

Filesize
92KB

MD5
9b44fb933ddca8bf1959dc44d4f7c5d3

SHA1
741890282108aacc9628e5159b0c1fd906d1cefe

SHA256
3c09fb5e3ed78b0791c9df20b8cf32aab23d6cc23bfd09654faae9a593b8d00d

SHA512
ad6518f8e91699158daa5a7e4b7125f4bd5d55fc55dff7121d84520c0fc55e39d31210f6b0d95e8066d2b0e5c65f83393b62ae87e05608ffde04aaba4f764d8e

Download Submit
C:\Windows\SysWOW64\Pbobbcfd.exe

Filesize
92KB

MD5
b58d770c807e04bc0ce1f6c4e70b5b03

SHA1
3ae848ebf8a1aa760d4751cd76201b24d804c82c

SHA256
bea4d2af5ea2d911ac3d233eac2d0c55bfe3660b586fbbbac4d30a4e50604db4

SHA512
13e721bf0be574f680830989bb6caf8f5ccf9b66deb7b698f0c8b30f0a7c0fa24c092305dba748bb7d894d40031ecb3c3a382ca17b0c3affdf5594e8e264dd98

Download Submit
C:\Windows\SysWOW64\Pbobbcfd.exe

Filesize
92KB

MD5
b58d770c807e04bc0ce1f6c4e70b5b03

SHA1
3ae848ebf8a1aa760d4751cd76201b24d804c82c

SHA256
bea4d2af5ea2d911ac3d233eac2d0c55bfe3660b586fbbbac4d30a4e50604db4

SHA512
13e721bf0be574f680830989bb6caf8f5ccf9b66deb7b698f0c8b30f0a7c0fa24c092305dba748bb7d894d40031ecb3c3a382ca17b0c3affdf5594e8e264dd98

Download Submit
C:\Windows\SysWOW64\Pcfhcb32.exe

Filesize
92KB

MD5
ddc0d4cf27d455b633a9101e8dbf6a82

SHA1
d580f64cee3f9685ea133c88eddb7be5b2c541d7

SHA256
4821da34ae36aac6e9466a51da8f47533745f3aef62d52266e413b772b7767e9

SHA512
41c301ff8385e3137b0ea3fa4a174b11ec598f22100956f090f2c7a1a45fc806fae5d7e6496865aecaead7e9a8ae1e5c374afae07068ca8db7e7d8ca8be659d1

Download Submit
C:\Windows\SysWOW64\Pcfhcb32.exe

Filesize
92KB

MD5
ddc0d4cf27d455b633a9101e8dbf6a82

SHA1
d580f64cee3f9685ea133c88eddb7be5b2c541d7

SHA256
4821da34ae36aac6e9466a51da8f47533745f3aef62d52266e413b772b7767e9

SHA512
41c301ff8385e3137b0ea3fa4a174b11ec598f22100956f090f2c7a1a45fc806fae5d7e6496865aecaead7e9a8ae1e5c374afae07068ca8db7e7d8ca8be659d1

Download Submit
C:\Windows\SysWOW64\Pdfeme32.exe

Filesize
92KB

MD5
0adc4aefa58d1d0be75895dc29c75e11

SHA1
59a083c92239a6410d3c4ce5e799a95fec8e3899

SHA256
a0cee48f5dc973a9924fdbed1bff9808dc86d7e38df408ac15ee6bfe87603cd7

SHA512
2beff1bf3aa02b27c27696418607e7545f72ab4ed9b6e2c1a8736f44d4b00065ea3834ead5a8d09b44fb7a40e630b7f65797089e2d46c85b749e52cfa7447f64

Download Submit
C:\Windows\SysWOW64\Pdfeme32.exe

Filesize
92KB

MD5
0adc4aefa58d1d0be75895dc29c75e11

SHA1
59a083c92239a6410d3c4ce5e799a95fec8e3899

SHA256
a0cee48f5dc973a9924fdbed1bff9808dc86d7e38df408ac15ee6bfe87603cd7

SHA512
2beff1bf3aa02b27c27696418607e7545f72ab4ed9b6e2c1a8736f44d4b00065ea3834ead5a8d09b44fb7a40e630b7f65797089e2d46c85b749e52cfa7447f64

Download Submit
C:\Windows\SysWOW64\Plajag32.exe

Filesize
92KB

MD5
3a9abf72a8a8184cd6371b1cfb51a4f0

SHA1
353fe7240dc637c08f89b9f9d105cd1000cd54bf

SHA256
c7addde95c6f09a4aa0575e021164850b9702528525f9aa1089a6cd52c6c1053

SHA512
d5d2da139b595cc8a8a9583053b31aaf7a8876d9a40c51df577df2ceffcfb481fd2e0afd3d43ffb7a17960eb12cdb162c7f08b09bb597b433077f6afee116857

Download Submit
C:\Windows\SysWOW64\Plajag32.exe

Filesize
92KB

MD5
3a9abf72a8a8184cd6371b1cfb51a4f0

SHA1
353fe7240dc637c08f89b9f9d105cd1000cd54bf

SHA256
c7addde95c6f09a4aa0575e021164850b9702528525f9aa1089a6cd52c6c1053

SHA512
d5d2da139b595cc8a8a9583053b31aaf7a8876d9a40c51df577df2ceffcfb481fd2e0afd3d43ffb7a17960eb12cdb162c7f08b09bb597b433077f6afee116857

Download Submit
C:\Windows\SysWOW64\Plhgkh32.exe

Filesize
92KB

MD5
0b046c1c6b7849bd42a1b5eb2e3b1908

SHA1
38cd6fd7c5d11c00f115f52a3bdaed789e31ad07

SHA256
233d6d35cdc3db09813fb86d83ea9762baec863ece2f43936b84e4077c5e48e0

SHA512
b49a3dac23719f651ef66a7244167bbfa4ac6f402ad9b0a6bc8ab4fe41a37cafbf29e3b5fec142131d90c34bdb7193bea5b7605275ef6b5e35478e13a0f12b66

Download Submit
C:\Windows\SysWOW64\Plhgkh32.exe

Filesize
92KB

MD5
0b046c1c6b7849bd42a1b5eb2e3b1908

SHA1
38cd6fd7c5d11c00f115f52a3bdaed789e31ad07

SHA256
233d6d35cdc3db09813fb86d83ea9762baec863ece2f43936b84e4077c5e48e0

SHA512
b49a3dac23719f651ef66a7244167bbfa4ac6f402ad9b0a6bc8ab4fe41a37cafbf29e3b5fec142131d90c34bdb7193bea5b7605275ef6b5e35478e13a0f12b66

Download Submit
C:\Windows\SysWOW64\Pljcqhjb.exe

Filesize
92KB

MD5
8ced2d7eac40676f97e40601e6e3707b

SHA1
362772c5823da0892fb02d200152a9760b511550

SHA256
93b1e45e063e9c5e6a10a3ae45eacf75aba46c657216f06ac3c4cd711d3f69e7

SHA512
f21e2a65ed73bbc9ea50694ded55f5a296c8c46d7d757659b6cfde2431e9c34d5534b2760e0d651dd7fa160bad18d575936e2297e4896ce3aca07031af300bf1

Download Submit
C:\Windows\SysWOW64\Pljcqhjb.exe

Filesize
92KB

MD5
8ced2d7eac40676f97e40601e6e3707b

SHA1
362772c5823da0892fb02d200152a9760b511550

SHA256
93b1e45e063e9c5e6a10a3ae45eacf75aba46c657216f06ac3c4cd711d3f69e7

SHA512
f21e2a65ed73bbc9ea50694ded55f5a296c8c46d7d757659b6cfde2431e9c34d5534b2760e0d651dd7fa160bad18d575936e2297e4896ce3aca07031af300bf1

Download Submit
C:\Windows\SysWOW64\Qkbjooli.exe

Filesize
92KB

MD5
dbf7924df62646d021869ffb5539b2c5

SHA1
7851570346aa88fa8b227d1e5a36e5856b18a6b5

SHA256
634e7409d3c654964819f33b5faefc5950fada1279c58cbc3bf93b609aa8a7f4

SHA512
df3d6fed1c1e6f7ef35dd5da686a655ad104b412773b9c5f8eac5e878255d16cbc3c135a7f88d69882166a897329d768c2987c3f081e4dd133ff400cc43e0237

Download Submit
C:\Windows\SysWOW64\Qkbjooli.exe

Filesize
92KB

MD5
dbf7924df62646d021869ffb5539b2c5

SHA1
7851570346aa88fa8b227d1e5a36e5856b18a6b5

SHA256
634e7409d3c654964819f33b5faefc5950fada1279c58cbc3bf93b609aa8a7f4

SHA512
df3d6fed1c1e6f7ef35dd5da686a655ad104b412773b9c5f8eac5e878255d16cbc3c135a7f88d69882166a897329d768c2987c3f081e4dd133ff400cc43e0237

Download Submit
C:\Windows\SysWOW64\Qkdgen32.exe

Filesize
92KB

MD5
bb8feb53ad5732223ea293318545da34

SHA1
6003adc98daec9631211ca30d65e5ff50b9a79ae

SHA256
57de196886bca7bab2a5965ba64f9d2e38c84e9d3e6b8da3744f4d022256cb1d

SHA512
5f51c292390c8e3761ac49a2ec6a6dd49f6156f58b1de0cf469806fe95ba82ef95e659639a81ab83a7875a163ee68268d96cb7e1ee9bb717d47d8cb45f6189e6

Download Submit
C:\Windows\SysWOW64\Qkdgen32.exe

Filesize
92KB

MD5
bb8feb53ad5732223ea293318545da34

SHA1
6003adc98daec9631211ca30d65e5ff50b9a79ae

SHA256
57de196886bca7bab2a5965ba64f9d2e38c84e9d3e6b8da3744f4d022256cb1d

SHA512
5f51c292390c8e3761ac49a2ec6a6dd49f6156f58b1de0cf469806fe95ba82ef95e659639a81ab83a7875a163ee68268d96cb7e1ee9bb717d47d8cb45f6189e6

Download Submit
memory/212-246-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/212-183-0x0000000000000000-mapping.dmp

Download
memory/484-260-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/484-222-0x0000000000000000-mapping.dmp

Download
memory/636-287-0x0000000000000000-mapping.dmp

Download
memory/636-314-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/652-178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/652-140-0x0000000000000000-mapping.dmp

Download
memory/748-204-0x0000000000000000-mapping.dmp

Download
memory/748-252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/840-200-0x0000000000000000-mapping.dmp

Download
memory/840-250-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-251-0x0000000000000000-mapping.dmp

Download
memory/988-266-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/988-240-0x0000000000000000-mapping.dmp

Download
memory/1084-288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1084-259-0x0000000000000000-mapping.dmp

Download
memory/1116-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1116-143-0x0000000000000000-mapping.dmp

Download
memory/1240-269-0x0000000000000000-mapping.dmp

Download
memory/1240-291-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1356-271-0x0000000000000000-mapping.dmp

Download
memory/1356-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-161-0x0000000000000000-mapping.dmp

Download
memory/1536-158-0x0000000000000000-mapping.dmp

Download
memory/1536-190-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-312-0x0000000000000000-mapping.dmp

Download
memory/1828-256-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1828-213-0x0000000000000000-mapping.dmp

Download
memory/1884-283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1884-244-0x0000000000000000-mapping.dmp

Download
memory/1924-196-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-167-0x0000000000000000-mapping.dmp

Download
memory/2104-301-0x0000000000000000-mapping.dmp

Download
memory/2104-318-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-195-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-164-0x0000000000000000-mapping.dmp

Download
memory/2436-290-0x0000000000000000-mapping.dmp

Download
memory/2436-315-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2824-263-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2824-231-0x0000000000000000-mapping.dmp

Download
memory/2856-278-0x0000000000000000-mapping.dmp

Download
memory/2856-303-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2920-296-0x0000000000000000-mapping.dmp

Download
memory/2920-317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3060-270-0x0000000000000000-mapping.dmp

Download
memory/3060-292-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3172-149-0x0000000000000000-mapping.dmp

Download
memory/3172-184-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3180-249-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3180-194-0x0000000000000000-mapping.dmp

Download
memory/3208-293-0x0000000000000000-mapping.dmp

Download
memory/3208-316-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3252-300-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3252-276-0x0000000000000000-mapping.dmp

Download
memory/3260-170-0x0000000000000000-mapping.dmp

Download
memory/3260-199-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3332-261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3332-225-0x0000000000000000-mapping.dmp

Download
memory/3368-228-0x0000000000000000-mapping.dmp

Download
memory/3368-262-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-297-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-273-0x0000000000000000-mapping.dmp

Download
memory/3460-189-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3460-155-0x0000000000000000-mapping.dmp

Download
memory/3508-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-282-0x0000000000000000-mapping.dmp

Download
memory/3512-267-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3512-243-0x0000000000000000-mapping.dmp

Download
memory/3540-264-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3540-234-0x0000000000000000-mapping.dmp

Download
memory/3564-306-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3564-280-0x0000000000000000-mapping.dmp

Download
memory/3588-281-0x0000000000000000-mapping.dmp

Download
memory/3588-307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3592-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3616-322-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3616-310-0x0000000000000000-mapping.dmp

Download
memory/3656-173-0x0000000000000000-mapping.dmp

Download
memory/3656-201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3752-299-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3752-275-0x0000000000000000-mapping.dmp

Download
memory/3780-254-0x0000000000000000-mapping.dmp

Download
memory/3780-286-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3804-272-0x0000000000000000-mapping.dmp

Download
memory/3804-295-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3936-152-0x0000000000000000-mapping.dmp

Download
memory/3936-186-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-311-0x0000000000000000-mapping.dmp

Download
memory/3960-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3996-216-0x0000000000000000-mapping.dmp

Download
memory/3996-257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4040-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4040-277-0x0000000000000000-mapping.dmp

Download
memory/4052-320-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4052-308-0x0000000000000000-mapping.dmp

Download
memory/4060-309-0x0000000000000000-mapping.dmp

Download
memory/4060-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4116-265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4116-237-0x0000000000000000-mapping.dmp

Download
memory/4156-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4156-207-0x0000000000000000-mapping.dmp

Download
memory/4192-298-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4192-274-0x0000000000000000-mapping.dmp

Download
memory/4208-248-0x0000000000000000-mapping.dmp

Download
memory/4208-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4248-245-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4248-176-0x0000000000000000-mapping.dmp

Download
memory/4328-210-0x0000000000000000-mapping.dmp

Download
memory/4328-255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4392-188-0x0000000000000000-mapping.dmp

Download
memory/4392-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4508-319-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4508-305-0x0000000000000000-mapping.dmp

Download
memory/4580-146-0x0000000000000000-mapping.dmp

Download
memory/4580-182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4612-289-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4612-268-0x0000000000000000-mapping.dmp

Download
memory/4688-219-0x0000000000000000-mapping.dmp

Download
memory/4688-258-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4772-304-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4772-279-0x0000000000000000-mapping.dmp

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download
memory/4960-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5028-136-0x0000000000000000-mapping.dmp

Download
memory/5028-177-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download