aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d

Analysis

max time kernel
148s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe
Size

50KB
MD5

108bcb4eaf19673388f666c4c80a75d0
SHA1

5b60b61d92da37e1f0ec20d307811bda8ffffff2
SHA256

aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d
SHA512

b7c7ed6bdcf5f509c36dfbf953c1188449a22a0d6d795a524581435254228d0dc8ed31c7d201ececec04c78e24a9210a18750269e5fdbaf5427c648830039f80
SSDEEP

768:kDSHMFBYLYbVOzIF4MpTDESrbsu/g1O5VXpgC262PM3t/1H5Z:SSsFBjbkXyTYSF5VZ52DMX/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aedjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mioeamqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhkhci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdhdhji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nageleie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmmdgbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbgikqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhjkimcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmkqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdidnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obmbkbbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnapaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlkio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahleo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ingbkppc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlbmdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfklfhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdgdgha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicilkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mngemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfobbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgmjae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amdllaei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edhpnekf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkjgmm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgfigg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdidnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magdmaec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomnkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhddohe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglmnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akhqgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpnnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncoff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnifhapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmqqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nedibbne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndplcjgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfgpja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poogpkdo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iilcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfnpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihlcdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgciqfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieajgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqnoianm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelgmlpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmcpeinn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iodclgjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieokia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdaoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbkffgfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgcqccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nholabfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgpifn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pchfkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcedgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihmjne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baphmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chlioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdpiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joiifjih.exe

Executes dropped EXE 64 IoCs

pid	Process
1560	Glnnfp32.exe
612	Hchbbm32.exe
832	Hjdgdgha.exe
1052	Ipfihm32.exe
548	Inmbni32.exe
468	Idlhlpam.exe
2024	Jjfpij32.exe
820	Kdldkc32.exe
108	Kmdhdhji.exe
896	Kdoqqb32.exe
1072	Kkhimmib.exe
1380	Kpeaecgj.exe
1736	Kgojbnnf.exe
1680	Kaenpfnm.exe
1760	Kdcjlbmp.exe
1952	Kipbdikh.exe
1928	Lohkhn32.exe
852	Ihlcdk32.exe
672	Ibgdbq32.exe
1252	Kjikfe32.exe
1472	Lhjkimcn.exe
1648	Llhdol32.exe
1128	Logpkg32.exe
1600	Mmlmlc32.exe
1708	Majfbadg.exe
1572	Mcmopjhb.exe
1452	Mjggld32.exe
1960	Mlhpnolp.exe
1212	Njlqgckj.exe
520	Nageleie.exe
660	Njnmmbig.exe
1336	Nkbfjkmc.exe
620	Ndjkcp32.exe
552	Ngigol32.exe
1496	Obqhbdqj.exe
1368	Ogmqjkoa.exe
1712	Omjibb32.exe
1620	Oqjonp32.exe
2000	Opplplfe.exe
1580	Obnhlheh.exe
288	Ofjdlf32.exe
1148	Paeabdhn.exe
1668	Pgpjon32.exe
1616	Pjpbqilk.exe
1936	Phdcjmke.exe
1748	Qhfppm32.exe
1576	Qihlgeoq.exe
1136	Qpbddo32.exe
1972	Qdmqdnog.exe
1296	Afnifi32.exe
1700	Aiobhd32.exe
1592	Aiaondgf.exe
540	Akblel32.exe
1512	Bdpiia32.exe
1988	Bkibfkgl.exe
1624	Bdbfoq32.exe
1196	Bpigca32.exe
2012	Bgbopljn.exe
1172	Biaklgia.exe
1232	Bhfhncni.exe
556	Cejighmc.exe
1132	Cfobbg32.exe
1548	Chpkdb32.exe
676	Ckngpneb.exe

Loads dropped DLL 64 IoCs

pid	Process
1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe
1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe
1560	Glnnfp32.exe
1560	Glnnfp32.exe
612	Hchbbm32.exe
612	Hchbbm32.exe
832	Hjdgdgha.exe
832	Hjdgdgha.exe
1052	Ipfihm32.exe
1052	Ipfihm32.exe
548	Inmbni32.exe
548	Inmbni32.exe
468	Idlhlpam.exe
468	Idlhlpam.exe
2024	Jjfpij32.exe
2024	Jjfpij32.exe
820	Kdldkc32.exe
820	Kdldkc32.exe
108	Kmdhdhji.exe
108	Kmdhdhji.exe
896	Kdoqqb32.exe
896	Kdoqqb32.exe
1072	Kkhimmib.exe
1072	Kkhimmib.exe
1380	Kpeaecgj.exe
1380	Kpeaecgj.exe
1736	Kgojbnnf.exe
1736	Kgojbnnf.exe
1680	Kaenpfnm.exe
1680	Kaenpfnm.exe
1760	Kdcjlbmp.exe
1760	Kdcjlbmp.exe
1952	Kipbdikh.exe
1952	Kipbdikh.exe
1928	Lohkhn32.exe
1928	Lohkhn32.exe
852	Ihlcdk32.exe
852	Ihlcdk32.exe
672	Ibgdbq32.exe
672	Ibgdbq32.exe
1252	Kjikfe32.exe
1252	Kjikfe32.exe
1472	Lhjkimcn.exe
1472	Lhjkimcn.exe
1648	Llhdol32.exe
1648	Llhdol32.exe
1128	Logpkg32.exe
1128	Logpkg32.exe
1600	Mmlmlc32.exe
1600	Mmlmlc32.exe
1708	Majfbadg.exe
1708	Majfbadg.exe
1572	Mcmopjhb.exe
1572	Mcmopjhb.exe
1452	Mjggld32.exe
1452	Mjggld32.exe
1960	Mlhpnolp.exe
1960	Mlhpnolp.exe
1212	Njlqgckj.exe
1212	Njlqgckj.exe
520	Nageleie.exe
520	Nageleie.exe
660	Njnmmbig.exe
660	Njnmmbig.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmahdoei.dll	Limlmj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdgdgha.exe	Hchbbm32.exe
File created	C:\Windows\SysWOW64\Kdmihihk.exe	Kaomlmih.exe
File created	C:\Windows\SysWOW64\Fbipqm32.exe	Enpdfj32.exe
File created	C:\Windows\SysWOW64\Fmodne32.exe	Feglmh32.exe
File created	C:\Windows\SysWOW64\Idahoe32.exe	Ipflnfjc.exe
File opened for modification	C:\Windows\SysWOW64\Kqjahi32.exe	Knleln32.exe
File created	C:\Windows\SysWOW64\Moegjd32.exe	Mlgjni32.exe
File opened for modification	C:\Windows\SysWOW64\Imgpbkkp.exe	Iilcal32.exe
File opened for modification	C:\Windows\SysWOW64\Ogjhkdlb.exe	Oobpjfkp.exe
File created	C:\Windows\SysWOW64\Onpdiaef.dll	Anciedhf.exe
File opened for modification	C:\Windows\SysWOW64\Fdccpmge.exe	Fbegcaha.exe
File opened for modification	C:\Windows\SysWOW64\Agjcpgnl.exe	Appkcm32.exe
File created	C:\Windows\SysWOW64\Fhboek32.dll	Mbdklj32.exe
File created	C:\Windows\SysWOW64\Ngeahi32.exe	Nefeln32.exe
File created	C:\Windows\SysWOW64\Mioeamqe.exe	Mfqiebaa.exe
File opened for modification	C:\Windows\SysWOW64\Daekdnef.exe	Dkkbhcni.exe
File created	C:\Windows\SysWOW64\Idokiedo.exe	Iaaomjek.exe
File created	C:\Windows\SysWOW64\Idlhlpam.exe	Inmbni32.exe
File created	C:\Windows\SysWOW64\Iglgmn32.dll	Hbiilgic.exe
File created	C:\Windows\SysWOW64\Iajeibcm.exe	Igdali32.exe
File created	C:\Windows\SysWOW64\Jbcion32.dll	Ekahjo32.exe
File created	C:\Windows\SysWOW64\Iolgiafh.dll	Kjqikoam.exe
File created	C:\Windows\SysWOW64\Oblpdeel.exe	Opmchjfh.exe
File created	C:\Windows\SysWOW64\Enaifl32.exe	Ekbmjp32.exe
File created	C:\Windows\SysWOW64\Pkakfcfb.exe	Pbifnnpa.exe
File opened for modification	C:\Windows\SysWOW64\Lkpbdekk.exe	Lgdfdf32.exe
File created	C:\Windows\SysWOW64\Ibnkaf32.dll	Pnbgikqh.exe
File created	C:\Windows\SysWOW64\Ahdjpn32.dll	Oafhgnca.exe
File created	C:\Windows\SysWOW64\Bhillkpf.dll	Dkkfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpeohdb.exe	Ppbibmeo.exe
File created	C:\Windows\SysWOW64\Gcljal32.dll	Njlqgckj.exe
File created	C:\Windows\SysWOW64\Chifphpq.dll	Mbcqmg32.exe
File created	C:\Windows\SysWOW64\Phigbl32.exe	Pekkfqdn.exe
File created	C:\Windows\SysWOW64\Apeobn32.dll	Khmpngma.exe
File opened for modification	C:\Windows\SysWOW64\Ibgdbq32.exe	Ihlcdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lnaboj32.exe	Lanaef32.exe
File opened for modification	C:\Windows\SysWOW64\Iacoicie.exe	Ibpomf32.exe
File created	C:\Windows\SysWOW64\Pekkfqdn.exe	Pblnjeej.exe
File opened for modification	C:\Windows\SysWOW64\Plgpijih.exe	Pbokpe32.exe
File opened for modification	C:\Windows\SysWOW64\Ejofgnbb.exe	Mbdklj32.exe
File created	C:\Windows\SysWOW64\Hkconmml.dll	Qceedn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhjihe32.exe	Dekmli32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdaoc32.exe	Ihmjne32.exe
File created	C:\Windows\SysWOW64\Phpecm32.dll	Lldnhi32.exe
File created	C:\Windows\SysWOW64\Gemoga32.dll	Nbelkc32.exe
File created	C:\Windows\SysWOW64\Blofjnec.exe	Aiqjnbep.exe
File created	C:\Windows\SysWOW64\Hgnpeojb.dll	Ebidailb.exe
File created	C:\Windows\SysWOW64\Lnnnqqjo.exe	Lkpbdekk.exe
File created	C:\Windows\SysWOW64\Bnkbnq32.exe	Bjpfmbek.exe
File created	C:\Windows\SysWOW64\Pffldo32.dll	Kdkmbijn.exe
File created	C:\Windows\SysWOW64\Omklgo32.exe	Ojmpkc32.exe
File created	C:\Windows\SysWOW64\Qcfdmbmi.dll	Qdgnhl32.exe
File created	C:\Windows\SysWOW64\Qceedn32.exe	Qqgihb32.exe
File created	C:\Windows\SysWOW64\Jldhlj32.dll	Nofgkijn.exe
File created	C:\Windows\SysWOW64\Aigfhdnm.dll	Cedjlg32.exe
File created	C:\Windows\SysWOW64\Aegdoh32.dll	Gmmigjdh.exe
File created	C:\Windows\SysWOW64\Pkdmio32.dll	Pjihnl32.exe
File created	C:\Windows\SysWOW64\Dmeeipab.exe	Dkfimd32.exe
File created	C:\Windows\SysWOW64\Nghgleio.dll	Jlibnhck.exe
File created	C:\Windows\SysWOW64\Abbdcq32.dll	Kolheb32.exe
File created	C:\Windows\SysWOW64\Dobeko32.dll	Ppnbnjff.exe
File created	C:\Windows\SysWOW64\Iilcal32.exe	Igngeacc.exe
File created	C:\Windows\SysWOW64\Lkneoe32.exe	Lioicj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbigbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjignkjb.dll"	Mmoncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidjap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccmfmnd.dll"	Pbokpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nojafh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poacek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geilghpo.dll"	Cmlbmdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpbqilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjnpo32.dll"	Aqdbgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpoflbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgcdgp32.dll"	Ejofgnbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phgkiqko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhongjcn.dll"	Iaaomjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfnpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phpecm32.dll"	Lldnhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjccl32.dll"	Okcnpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdkeob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgmcdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkjda32.dll"	Kckjjdfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecbfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mimiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akbpdike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dakokpbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chifphpq.dll"	Mbcqmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inefhdgo.dll"	Kocnea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akoenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglgmn32.dll"	Hbiilgic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdhdg32.dll"	Ehobcdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agiqij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lihpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdmio32.dll"	Pjihnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihcanhkn.dll"	Nefeln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoclmdg.dll"	Bmgibe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgfpkmgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnaboj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elhnkjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbmclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekbmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjclkpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opepcodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgfiden.dll"	Aljmoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgikghpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdalkpo.dll"	Llpdmjpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqipgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdehlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egfmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keiopekg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjoompc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abplqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjkhcbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhgheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clqdde32.dll"	Oiamlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keiopekg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oeabapoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnaboj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lobhllci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbngdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igngeacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaiadbgd.dll"	Pajolqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qoibiigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aonldh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1560	1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe	28
PID 1756 wrote to memory of 1560	1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe	28
PID 1756 wrote to memory of 1560	1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe	28
PID 1756 wrote to memory of 1560	1756	aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe	28
PID 1560 wrote to memory of 612	1560	Glnnfp32.exe	29
PID 1560 wrote to memory of 612	1560	Glnnfp32.exe	29
PID 1560 wrote to memory of 612	1560	Glnnfp32.exe	29
PID 1560 wrote to memory of 612	1560	Glnnfp32.exe	29
PID 612 wrote to memory of 832	612	Hchbbm32.exe	30
PID 612 wrote to memory of 832	612	Hchbbm32.exe	30
PID 612 wrote to memory of 832	612	Hchbbm32.exe	30
PID 612 wrote to memory of 832	612	Hchbbm32.exe	30
PID 832 wrote to memory of 1052	832	Hjdgdgha.exe	31
PID 832 wrote to memory of 1052	832	Hjdgdgha.exe	31
PID 832 wrote to memory of 1052	832	Hjdgdgha.exe	31
PID 832 wrote to memory of 1052	832	Hjdgdgha.exe	31
PID 1052 wrote to memory of 548	1052	Ipfihm32.exe	32
PID 1052 wrote to memory of 548	1052	Ipfihm32.exe	32
PID 1052 wrote to memory of 548	1052	Ipfihm32.exe	32
PID 1052 wrote to memory of 548	1052	Ipfihm32.exe	32
PID 548 wrote to memory of 468	548	Inmbni32.exe	33
PID 548 wrote to memory of 468	548	Inmbni32.exe	33
PID 548 wrote to memory of 468	548	Inmbni32.exe	33
PID 548 wrote to memory of 468	548	Inmbni32.exe	33
PID 468 wrote to memory of 2024	468	Idlhlpam.exe	34
PID 468 wrote to memory of 2024	468	Idlhlpam.exe	34
PID 468 wrote to memory of 2024	468	Idlhlpam.exe	34
PID 468 wrote to memory of 2024	468	Idlhlpam.exe	34
PID 2024 wrote to memory of 820	2024	Jjfpij32.exe	35
PID 2024 wrote to memory of 820	2024	Jjfpij32.exe	35
PID 2024 wrote to memory of 820	2024	Jjfpij32.exe	35
PID 2024 wrote to memory of 820	2024	Jjfpij32.exe	35
PID 820 wrote to memory of 108	820	Kdldkc32.exe	36
PID 820 wrote to memory of 108	820	Kdldkc32.exe	36
PID 820 wrote to memory of 108	820	Kdldkc32.exe	36
PID 820 wrote to memory of 108	820	Kdldkc32.exe	36
PID 108 wrote to memory of 896	108	Kmdhdhji.exe	37
PID 108 wrote to memory of 896	108	Kmdhdhji.exe	37
PID 108 wrote to memory of 896	108	Kmdhdhji.exe	37
PID 108 wrote to memory of 896	108	Kmdhdhji.exe	37
PID 896 wrote to memory of 1072	896	Kdoqqb32.exe	38
PID 896 wrote to memory of 1072	896	Kdoqqb32.exe	38
PID 896 wrote to memory of 1072	896	Kdoqqb32.exe	38
PID 896 wrote to memory of 1072	896	Kdoqqb32.exe	38
PID 1072 wrote to memory of 1380	1072	Kkhimmib.exe	39
PID 1072 wrote to memory of 1380	1072	Kkhimmib.exe	39
PID 1072 wrote to memory of 1380	1072	Kkhimmib.exe	39
PID 1072 wrote to memory of 1380	1072	Kkhimmib.exe	39
PID 1380 wrote to memory of 1736	1380	Kpeaecgj.exe	40
PID 1380 wrote to memory of 1736	1380	Kpeaecgj.exe	40
PID 1380 wrote to memory of 1736	1380	Kpeaecgj.exe	40
PID 1380 wrote to memory of 1736	1380	Kpeaecgj.exe	40
PID 1736 wrote to memory of 1680	1736	Kgojbnnf.exe	41
PID 1736 wrote to memory of 1680	1736	Kgojbnnf.exe	41
PID 1736 wrote to memory of 1680	1736	Kgojbnnf.exe	41
PID 1736 wrote to memory of 1680	1736	Kgojbnnf.exe	41
PID 1680 wrote to memory of 1760	1680	Kaenpfnm.exe	42
PID 1680 wrote to memory of 1760	1680	Kaenpfnm.exe	42
PID 1680 wrote to memory of 1760	1680	Kaenpfnm.exe	42
PID 1680 wrote to memory of 1760	1680	Kaenpfnm.exe	42
PID 1760 wrote to memory of 1952	1760	Kdcjlbmp.exe	43
PID 1760 wrote to memory of 1952	1760	Kdcjlbmp.exe	43
PID 1760 wrote to memory of 1952	1760	Kdcjlbmp.exe	43
PID 1760 wrote to memory of 1952	1760	Kdcjlbmp.exe	43

C:\Users\Admin\AppData\Local\Temp\aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe
"C:\Users\Admin\AppData\Local\Temp\aa91f4b5b3115fe82a36c8cbed76cfc1932b03627937363bb24a8574bf1c648d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\Glnnfp32.exe
  C:\Windows\system32\Glnnfp32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Hchbbm32.exe
    C:\Windows\system32\Hchbbm32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\Hjdgdgha.exe
      C:\Windows\system32\Hjdgdgha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\Ipfihm32.exe
        
        C:\Windows\system32\Ipfihm32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\SysWOW64\Inmbni32.exe
        
        C:\Windows\system32\Inmbni32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Idlhlpam.exe
        
        C:\Windows\system32\Idlhlpam.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Jjfpij32.exe
        
        C:\Windows\system32\Jjfpij32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Kdldkc32.exe
        
        C:\Windows\system32\Kdldkc32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Kmdhdhji.exe
        
        C:\Windows\system32\Kmdhdhji.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\Kdoqqb32.exe
        
        C:\Windows\system32\Kdoqqb32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Kkhimmib.exe
        
        C:\Windows\system32\Kkhimmib.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Kpeaecgj.exe
        
        C:\Windows\system32\Kpeaecgj.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Kgojbnnf.exe
        
        C:\Windows\system32\Kgojbnnf.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Kaenpfnm.exe
        
        C:\Windows\system32\Kaenpfnm.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kdcjlbmp.exe
        
        C:\Windows\system32\Kdcjlbmp.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Kipbdikh.exe
        
        C:\Windows\system32\Kipbdikh.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1952
        
        C:\Windows\SysWOW64\Lohkhn32.exe
        
        C:\Windows\system32\Lohkhn32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1928
        
        C:\Windows\SysWOW64\Ihlcdk32.exe
        
        C:\Windows\system32\Ihlcdk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Ibgdbq32.exe
        
        C:\Windows\system32\Ibgdbq32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:672
        
        C:\Windows\SysWOW64\Kjikfe32.exe
        
        C:\Windows\system32\Kjikfe32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1252
        
        C:\Windows\SysWOW64\Lhjkimcn.exe
        
        C:\Windows\system32\Lhjkimcn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1472
        
        C:\Windows\SysWOW64\Llhdol32.exe
        
        C:\Windows\system32\Llhdol32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Windows\SysWOW64\Logpkg32.exe
        
        C:\Windows\system32\Logpkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1128
        
        C:\Windows\SysWOW64\Mmlmlc32.exe
        
        C:\Windows\system32\Mmlmlc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
        
        C:\Windows\SysWOW64\Majfbadg.exe
        
        C:\Windows\system32\Majfbadg.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\Windows\SysWOW64\Mcmopjhb.exe
        
        C:\Windows\system32\Mcmopjhb.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1572
        
        C:\Windows\SysWOW64\Mjggld32.exe
        
        C:\Windows\system32\Mjggld32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1452
        
        C:\Windows\SysWOW64\Mlhpnolp.exe
        
        C:\Windows\system32\Mlhpnolp.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1960
        
        C:\Windows\SysWOW64\Njlqgckj.exe
        
        C:\Windows\system32\Njlqgckj.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Nageleie.exe
        
        C:\Windows\system32\Nageleie.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:520
        
        C:\Windows\SysWOW64\Njnmmbig.exe
        
        C:\Windows\system32\Njnmmbig.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:660
        
        C:\Windows\SysWOW64\Nkbfjkmc.exe
        
        C:\Windows\system32\Nkbfjkmc.exe
        33⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Ndjkcp32.exe
        
        C:\Windows\system32\Ndjkcp32.exe
        34⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Ngigol32.exe
        
        C:\Windows\system32\Ngigol32.exe
        35⤵
        Executes dropped EXE
        
        PID:552

C:\Windows\SysWOW64\Obqhbdqj.exe
C:\Windows\system32\Obqhbdqj.exe
1⤵
- Executes dropped EXE
PID:1496
- C:\Windows\SysWOW64\Ogmqjkoa.exe
  C:\Windows\system32\Ogmqjkoa.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- - C:\Windows\SysWOW64\Omjibb32.exe
    C:\Windows\system32\Omjibb32.exe
    3⤵
    - Executes dropped EXE
    PID:1712
  - - C:\Windows\SysWOW64\Oqjonp32.exe
      C:\Windows\system32\Oqjonp32.exe
      4⤵
      Executes dropped EXE
      PID:1620
    - - C:\Windows\SysWOW64\Opplplfe.exe
        
        C:\Windows\system32\Opplplfe.exe
        5⤵
        Executes dropped EXE
        
        PID:2000
      - C:\Windows\SysWOW64\Obnhlheh.exe
        
        C:\Windows\system32\Obnhlheh.exe
        6⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Ofjdlf32.exe
        
        C:\Windows\system32\Ofjdlf32.exe
        7⤵
        Executes dropped EXE
        
        PID:288
        
        C:\Windows\SysWOW64\Paeabdhn.exe
        
        C:\Windows\system32\Paeabdhn.exe
        8⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Pgpjon32.exe
        
        C:\Windows\system32\Pgpjon32.exe
        9⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Pjpbqilk.exe
        
        C:\Windows\system32\Pjpbqilk.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Phdcjmke.exe
        
        C:\Windows\system32\Phdcjmke.exe
        11⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Qhfppm32.exe
        
        C:\Windows\system32\Qhfppm32.exe
        12⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Qihlgeoq.exe
        
        C:\Windows\system32\Qihlgeoq.exe
        13⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Qpbddo32.exe
        
        C:\Windows\system32\Qpbddo32.exe
        14⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Qdmqdnog.exe
        
        C:\Windows\system32\Qdmqdnog.exe
        15⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Afnifi32.exe
        
        C:\Windows\system32\Afnifi32.exe
        16⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Aiobhd32.exe
        
        C:\Windows\system32\Aiobhd32.exe
        17⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Aiaondgf.exe
        
        C:\Windows\system32\Aiaondgf.exe
        18⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Akblel32.exe
        
        C:\Windows\system32\Akblel32.exe
        19⤵
        Executes dropped EXE
        
        PID:540

C:\Windows\SysWOW64\Bdpiia32.exe
C:\Windows\system32\Bdpiia32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512
- C:\Windows\SysWOW64\Bkibfkgl.exe
  C:\Windows\system32\Bkibfkgl.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- - C:\Windows\SysWOW64\Bdbfoq32.exe
    C:\Windows\system32\Bdbfoq32.exe
    3⤵
    - Executes dropped EXE
    PID:1624
  - - C:\Windows\SysWOW64\Bpigca32.exe
      C:\Windows\system32\Bpigca32.exe
      4⤵
      Executes dropped EXE
      PID:1196

C:\Windows\SysWOW64\Bgbopljn.exe
C:\Windows\system32\Bgbopljn.exe
1⤵
- Executes dropped EXE
PID:2012
- C:\Windows\SysWOW64\Biaklgia.exe
  C:\Windows\system32\Biaklgia.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- - C:\Windows\SysWOW64\Bhfhncni.exe
    C:\Windows\system32\Bhfhncni.exe
    3⤵
    - Executes dropped EXE
    PID:1232
  - - C:\Windows\SysWOW64\Cejighmc.exe
      C:\Windows\system32\Cejighmc.exe
      4⤵
      Executes dropped EXE
      PID:556
    - - C:\Windows\SysWOW64\Cfobbg32.exe
        
        C:\Windows\system32\Cfobbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1132

C:\Windows\SysWOW64\Ckngpneb.exe
C:\Windows\system32\Ckngpneb.exe
1⤵
- Executes dropped EXE
PID:676
- C:\Windows\SysWOW64\Cnldlidf.exe
  C:\Windows\system32\Cnldlidf.exe
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\Cqkphdcj.exe
    C:\Windows\system32\Cqkphdcj.exe
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\Djcdaj32.exe
      C:\Windows\system32\Djcdaj32.exe
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\Dnamgh32.exe
        
        C:\Windows\system32\Dnamgh32.exe
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\Dcneoo32.exe
        
        C:\Windows\system32\Dcneoo32.exe
        6⤵
        
        PID:1908

C:\Windows\SysWOW64\Chpkdb32.exe
C:\Windows\system32\Chpkdb32.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Dodfdpdl.exe
C:\Windows\system32\Dodfdpdl.exe
1⤵
PID:1796
- C:\Windows\SysWOW64\Dcpbeo32.exe
  C:\Windows\system32\Dcpbeo32.exe
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\Dfooaj32.exe
    C:\Windows\system32\Dfooaj32.exe
    3⤵
    PID:1040
  - - C:\Windows\SysWOW64\Diogceij.exe
      C:\Windows\system32\Diogceij.exe
      4⤵
      PID:1104
    - - C:\Windows\SysWOW64\Doippp32.exe
        
        C:\Windows\system32\Doippp32.exe
        5⤵
        
        PID:1044
      - C:\Windows\SysWOW64\Dbhllk32.exe
        
        C:\Windows\system32\Dbhllk32.exe
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Eiadhegg.exe
        
        C:\Windows\system32\Eiadhegg.exe
        7⤵
        
        PID:2056

C:\Windows\SysWOW64\Egdddb32.exe
C:\Windows\system32\Egdddb32.exe
1⤵
PID:2072
- C:\Windows\SysWOW64\Eolleond.exe
  C:\Windows\system32\Eolleond.exe
  2⤵
  PID:2088

C:\Windows\SysWOW64\Enomql32.exe
C:\Windows\system32\Enomql32.exe
1⤵
PID:2104
- C:\Windows\SysWOW64\Eamimg32.exe
  C:\Windows\system32\Eamimg32.exe
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\Ekbmjp32.exe
    C:\Windows\system32\Ekbmjp32.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:2204

C:\Windows\SysWOW64\Enaifl32.exe
C:\Windows\system32\Enaifl32.exe
1⤵
PID:2220
- C:\Windows\SysWOW64\Eblegjke.exe
  C:\Windows\system32\Eblegjke.exe
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\Ecnbnb32.exe
    C:\Windows\system32\Ecnbnb32.exe
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\Eginoaim.exe
      C:\Windows\system32\Eginoaim.exe
      4⤵
      PID:2400

C:\Windows\SysWOW64\Gmmigjdh.exe
C:\Windows\system32\Gmmigjdh.exe
1⤵
- Drops file in System32 directory
PID:2408
- C:\Windows\SysWOW64\Gpkecf32.exe
  C:\Windows\system32\Gpkecf32.exe
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\Gdgacdld.exe
    C:\Windows\system32\Gdgacdld.exe
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\Gicilkjl.exe
      C:\Windows\system32\Gicilkjl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:2504
    - - C:\Windows\SysWOW64\Pipolpam.exe
        
        C:\Windows\system32\Pipolpam.exe
        5⤵
        
        PID:2520
      - C:\Windows\SysWOW64\Dakokpbq.exe
        
        C:\Windows\system32\Dakokpbq.exe
        6⤵
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Fkehgl32.exe
        
        C:\Windows\system32\Fkehgl32.exe
        7⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Hlqdbndc.exe
        
        C:\Windows\system32\Hlqdbndc.exe
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Ichlhk32.exe
        
        C:\Windows\system32\Ichlhk32.exe
        9⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Ilpqaago.exe
        
        C:\Windows\system32\Ilpqaago.exe
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Jcjink32.exe
        
        C:\Windows\system32\Jcjink32.exe
        11⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Jamiihef.exe
        
        C:\Windows\system32\Jamiihef.exe
        12⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Jhgafblc.exe
        
        C:\Windows\system32\Jhgafblc.exe
        13⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Jdnbkc32.exe
        
        C:\Windows\system32\Jdnbkc32.exe
        14⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Jkjgmm32.exe
        
        C:\Windows\system32\Jkjgmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2668
        
        C:\Windows\SysWOW64\Knmmdgbp.exe
        
        C:\Windows\system32\Knmmdgbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2676
        
        C:\Windows\SysWOW64\Kqliqcad.exe
        
        C:\Windows\system32\Kqliqcad.exe
        17⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Kmgcqccb.exe
        
        C:\Windows\system32\Kmgcqccb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Koeomobf.exe
        
        C:\Windows\system32\Koeomobf.exe
        19⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Lnklnkgn.exe
        
        C:\Windows\system32\Lnklnkgn.exe
        20⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Lfbdohhq.exe
        
        C:\Windows\system32\Lfbdohhq.exe
        21⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Lkomgofh.exe
        
        C:\Windows\system32\Lkomgofh.exe
        22⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Lnmickek.exe
        
        C:\Windows\system32\Lnmickek.exe
        23⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Lgemlp32.exe
        
        C:\Windows\system32\Lgemlp32.exe
        24⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Lanaef32.exe
        
        C:\Windows\system32\Lanaef32.exe
        25⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lnaboj32.exe
        
        C:\Windows\system32\Lnaboj32.exe
        26⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Lapnke32.exe
        
        C:\Windows\system32\Lapnke32.exe
        27⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Lpeklb32.exe
        
        C:\Windows\system32\Lpeklb32.exe
        28⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Ljkpik32.exe
        
        C:\Windows\system32\Ljkpik32.exe
        29⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Minpdgkb.exe
        
        C:\Windows\system32\Minpdgkb.exe
        30⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Mphhaa32.exe
        
        C:\Windows\system32\Mphhaa32.exe
        31⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Mccdbpkh.exe
        
        C:\Windows\system32\Mccdbpkh.exe
        32⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Mfdmck32.exe
        
        C:\Windows\system32\Mfdmck32.exe
        33⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Mbknhlnm.exe
        
        C:\Windows\system32\Mbknhlnm.exe
        34⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Mapkjibe.exe
        
        C:\Windows\system32\Mapkjibe.exe
        35⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Nencpg32.exe
        
        C:\Windows\system32\Nencpg32.exe
        36⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Naddeh32.exe
        
        C:\Windows\system32\Naddeh32.exe
        37⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Nholabfm.exe
        
        C:\Windows\system32\Nholabfm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Nagajh32.exe
        
        C:\Windows\system32\Nagajh32.exe
        39⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Nainpgjk.exe
        
        C:\Windows\system32\Nainpgjk.exe
        40⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Ndhjlcjn.exe
        
        C:\Windows\system32\Ndhjlcjn.exe
        41⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Oocgbp32.exe
        
        C:\Windows\system32\Oocgbp32.exe
        42⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Oenpojkg.exe
        
        C:\Windows\system32\Oenpojkg.exe
        43⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Oljdad32.exe
        
        C:\Windows\system32\Oljdad32.exe
        44⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Oebijj32.exe
        
        C:\Windows\system32\Oebijj32.exe
        45⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Ohqefe32.exe
        
        C:\Windows\system32\Ohqefe32.exe
        46⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Ooknbonb.exe
        
        C:\Windows\system32\Ooknbonb.exe
        47⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Onnnnl32.exe
        
        C:\Windows\system32\Onnnnl32.exe
        48⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Oedfoi32.exe
        
        C:\Windows\system32\Oedfoi32.exe
        49⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Odgfkflj.exe
        
        C:\Windows\system32\Odgfkflj.exe
        50⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Ogfbgakn.exe
        
        C:\Windows\system32\Ogfbgakn.exe
        51⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Pnbgikqh.exe
        
        C:\Windows\system32\Pnbgikqh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Pjihnl32.exe
        
        C:\Windows\system32\Pjihnl32.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Pfpicm32.exe
        
        C:\Windows\system32\Pfpicm32.exe
        54⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Pjkddldi.exe
        
        C:\Windows\system32\Pjkddldi.exe
        55⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Pljapgcm.exe
        
        C:\Windows\system32\Pljapgcm.exe
        56⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Pohmlcbq.exe
        
        C:\Windows\system32\Pohmlcbq.exe
        57⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Pfbeim32.exe
        
        C:\Windows\system32\Pfbeim32.exe
        58⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Phqaeh32.exe
        
        C:\Windows\system32\Phqaeh32.exe
        59⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Pqhjff32.exe
        
        C:\Windows\system32\Pqhjff32.exe
        60⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Pbifnnpa.exe
        
        C:\Windows\system32\Pbifnnpa.exe
        61⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Pkakfcfb.exe
        
        C:\Windows\system32\Pkakfcfb.exe
        62⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Qfikilde.exe
        
        C:\Windows\system32\Qfikilde.exe
        63⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Qhgheg32.exe
        
        C:\Windows\system32\Qhgheg32.exe
        64⤵
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Akhqgb32.exe
        
        C:\Windows\system32\Akhqgb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2044
        
        C:\Windows\SysWOW64\Anijinmk.exe
        
        C:\Windows\system32\Anijinmk.exe
        66⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Aqgfeilo.exe
        
        C:\Windows\system32\Aqgfeilo.exe
        67⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Aecbfh32.exe
        
        C:\Windows\system32\Aecbfh32.exe
        68⤵
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ajbgcnqm.exe
        
        C:\Windows\system32\Ajbgcnqm.exe
        69⤵
        
        PID:988
        
        C:\Windows\SysWOW64\Bmcpeinn.exe
        
        C:\Windows\system32\Bmcpeinn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1036
        
        C:\Windows\SysWOW64\Beneilki.exe
        
        C:\Windows\system32\Beneilki.exe
        71⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Bpfeld32.exe
        
        C:\Windows\system32\Bpfeld32.exe
        72⤵
        
        PID:572
        
        C:\Windows\SysWOW64\Bnifhapg.exe
        
        C:\Windows\system32\Bnifhapg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Bagbdloj.exe
        
        C:\Windows\system32\Bagbdloj.exe
        74⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Binjejpm.exe
        
        C:\Windows\system32\Binjejpm.exe
        75⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Blmfae32.exe
        
        C:\Windows\system32\Blmfae32.exe
        76⤵
        
        PID:788
        
        C:\Windows\SysWOW64\Bjpfmbek.exe
        
        C:\Windows\system32\Bjpfmbek.exe
        77⤵
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Bnkbnq32.exe
        
        C:\Windows\system32\Bnkbnq32.exe
        78⤵
        
        PID:268
        
        C:\Windows\SysWOW64\Cfmmbbeg.exe
        
        C:\Windows\system32\Cfmmbbeg.exe
        79⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Cebjcojo.exe
        
        C:\Windows\system32\Cebjcojo.exe
        80⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Dbigbb32.exe
        
        C:\Windows\system32\Dbigbb32.exe
        81⤵
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Dkdlgd32.exe
        
        C:\Windows\system32\Dkdlgd32.exe
        82⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Dkfimd32.exe
        
        C:\Windows\system32\Dkfimd32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Dmeeipab.exe
        
        C:\Windows\system32\Dmeeipab.exe
        84⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Dgmjae32.exe
        
        C:\Windows\system32\Dgmjae32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2956
        
        C:\Windows\SysWOW64\Dodabb32.exe
        
        C:\Windows\system32\Dodabb32.exe
        86⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Dgpfge32.exe
        
        C:\Windows\system32\Dgpfge32.exe
        87⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Dkkbhcni.exe
        
        C:\Windows\system32\Dkkbhcni.exe
        88⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Daekdnef.exe
        
        C:\Windows\system32\Daekdnef.exe
        89⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Enlkio32.exe
        
        C:\Windows\system32\Enlkio32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:744
        
        C:\Windows\SysWOW64\Edfcfibg.exe
        
        C:\Windows\system32\Edfcfibg.exe
        91⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Ecidaf32.exe
        
        C:\Windows\system32\Ecidaf32.exe
        92⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Eegpna32.exe
        
        C:\Windows\system32\Eegpna32.exe
        93⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Egfmhd32.exe
        
        C:\Windows\system32\Egfmhd32.exe
        94⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ejgeio32.exe
        
        C:\Windows\system32\Ejgeio32.exe
        95⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Elhnkjij.exe
        
        C:\Windows\system32\Elhnkjij.exe
        96⤵
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Fbegcaha.exe
        
        C:\Windows\system32\Fbegcaha.exe
        97⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Fdccpmge.exe
        
        C:\Windows\system32\Fdccpmge.exe
        98⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Fnlhhb32.exe
        
        C:\Windows\system32\Fnlhhb32.exe
        99⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Fbgciqfo.exe
        
        C:\Windows\system32\Fbgciqfo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2248
        
        C:\Windows\SysWOW64\Fdfpel32.exe
        
        C:\Windows\system32\Fdfpel32.exe
        101⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Fgdlah32.exe
        
        C:\Windows\system32\Fgdlah32.exe
        102⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Fbjpnq32.exe
        
        C:\Windows\system32\Fbjpnq32.exe
        103⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Fdhmkl32.exe
        
        C:\Windows\system32\Fdhmkl32.exe
        104⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Fgfigg32.exe
        
        C:\Windows\system32\Fgfigg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2288
        
        C:\Windows\SysWOW64\Fnpacaip.exe
        
        C:\Windows\system32\Fnpacaip.exe
        106⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Fqompmhd.exe
        
        C:\Windows\system32\Fqompmhd.exe
        107⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Fcmilh32.exe
        
        C:\Windows\system32\Fcmilh32.exe
        108⤵
        
        PID:576
        
        C:\Windows\SysWOW64\Hphpkl32.exe
        
        C:\Windows\system32\Hphpkl32.exe
        109⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Hhphli32.exe
        
        C:\Windows\system32\Hhphli32.exe
        110⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Hahleo32.exe
        
        C:\Windows\system32\Hahleo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1400
        
        C:\Windows\SysWOW64\Hbiilgic.exe
        
        C:\Windows\system32\Hbiilgic.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Hicaia32.exe
        
        C:\Windows\system32\Hicaia32.exe
        113⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Hpmifkgm.exe
        
        C:\Windows\system32\Hpmifkgm.exe
        114⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Hfgabe32.exe
        
        C:\Windows\system32\Hfgabe32.exe
        115⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Ildjklmq.exe
        
        C:\Windows\system32\Ildjklmq.exe
        116⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Iobfghld.exe
        
        C:\Windows\system32\Iobfghld.exe
        117⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Iihjdqlj.exe
        
        C:\Windows\system32\Iihjdqlj.exe
        118⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Iodclgjb.exe
        
        C:\Windows\system32\Iodclgjb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2608
        
        C:\Windows\SysWOW64\Ibpomf32.exe
        
        C:\Windows\system32\Ibpomf32.exe
        120⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Iacoicie.exe
        
        C:\Windows\system32\Iacoicie.exe
        121⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Ieokia32.exe
        
        C:\Windows\system32\Ieokia32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2632
        
        C:\Windows\SysWOW64\Ikkdahpf.exe
        
        C:\Windows\system32\Ikkdahpf.exe
        123⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Iaelnb32.exe
        
        C:\Windows\system32\Iaelnb32.exe
        124⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Ilkpkk32.exe
        
        C:\Windows\system32\Ilkpkk32.exe
        125⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Ioilgg32.exe
        
        C:\Windows\system32\Ioilgg32.exe
        126⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Iahidb32.exe
        
        C:\Windows\system32\Iahidb32.exe
        127⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Idfepn32.exe
        
        C:\Windows\system32\Idfepn32.exe
        128⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Igdali32.exe
        
        C:\Windows\system32\Igdali32.exe
        129⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iajeibcm.exe
        
        C:\Windows\system32\Iajeibcm.exe
        130⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Jdhaemba.exe
        
        C:\Windows\system32\Jdhaemba.exe
        131⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Jkbjbg32.exe
        
        C:\Windows\system32\Jkbjbg32.exe
        132⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Jiejndqh.exe
        
        C:\Windows\system32\Jiejndqh.exe
        133⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Jpobjn32.exe
        
        C:\Windows\system32\Jpobjn32.exe
        134⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Jgikghpb.exe
        
        C:\Windows\system32\Jgikghpb.exe
        135⤵
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Jkefhg32.exe
        
        C:\Windows\system32\Jkefhg32.exe
        136⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Jihgcdof.exe
        
        C:\Windows\system32\Jihgcdof.exe
        137⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Jlfcoo32.exe
        
        C:\Windows\system32\Jlfcoo32.exe
        138⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Jdmkqm32.exe
        
        C:\Windows\system32\Jdmkqm32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:968
        
        C:\Windows\SysWOW64\Jcpklief.exe
        
        C:\Windows\system32\Jcpklief.exe
        140⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Jijcic32.exe
        
        C:\Windows\system32\Jijcic32.exe
        141⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Jlhpeo32.exe
        
        C:\Windows\system32\Jlhpeo32.exe
        142⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Jcbhaicd.exe
        
        C:\Windows\system32\Jcbhaicd.exe
        143⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\Jilpnc32.exe
        
        C:\Windows\system32\Jilpnc32.exe
        144⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Jlkljojd.exe
        
        C:\Windows\system32\Jlkljojd.exe
        145⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Joiifjih.exe
        
        C:\Windows\system32\Joiifjih.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2328
        
        C:\Windows\SysWOW64\Jcedgi32.exe
        
        C:\Windows\system32\Jcedgi32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2340
        
        C:\Windows\SysWOW64\Jecacd32.exe
        
        C:\Windows\system32\Jecacd32.exe
        148⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Lfgfmgok.exe
        
        C:\Windows\system32\Lfgfmgok.exe
        149⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Lifcibno.exe
        
        C:\Windows\system32\Lifcibno.exe
        150⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Lopkfl32.exe
        
        C:\Windows\system32\Lopkfl32.exe
        151⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Lfjccf32.exe
        
        C:\Windows\system32\Lfjccf32.exe
        152⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Lihpob32.exe
        
        C:\Windows\system32\Lihpob32.exe
        153⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Lobhllci.exe
        
        C:\Windows\system32\Lobhllci.exe
        154⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Leopdcap.exe
        
        C:\Windows\system32\Leopdcap.exe
        155⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Lkihqm32.exe
        
        C:\Windows\system32\Lkihqm32.exe
        156⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Mngemh32.exe
        
        C:\Windows\system32\Mngemh32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1044
        
        C:\Windows\SysWOW64\Mbcqmg32.exe
        
        C:\Windows\system32\Mbcqmg32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mgpifn32.exe
        
        C:\Windows\system32\Mgpifn32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Mjnebi32.exe
        
        C:\Windows\system32\Mjnebi32.exe
        160⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Mbemcg32.exe
        
        C:\Windows\system32\Mbemcg32.exe
        161⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Mahnocea.exe
        
        C:\Windows\system32\Mahnocea.exe
        162⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Mcgjkode.exe
        
        C:\Windows\system32\Mcgjkode.exe
        163⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Mjqbgi32.exe
        
        C:\Windows\system32\Mjqbgi32.exe
        164⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Mmoncd32.exe
        
        C:\Windows\system32\Mmoncd32.exe
        165⤵
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Hmjfgidb.exe
        
        C:\Windows\system32\Hmjfgidb.exe
        166⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Ibqafojo.exe
        
        C:\Windows\system32\Ibqafojo.exe
        167⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Ieonbjib.exe
        
        C:\Windows\system32\Ieonbjib.exe
        168⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ihmjne32.exe
        
        C:\Windows\system32\Ihmjne32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ipdaoc32.exe
        
        C:\Windows\system32\Ipdaoc32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:612
        
        C:\Windows\SysWOW64\Ingbkppc.exe
        
        C:\Windows\system32\Ingbkppc.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:520
        
        C:\Windows\SysWOW64\Iafngkog.exe
        
        C:\Windows\system32\Iafngkog.exe
        172⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Ieajgj32.exe
        
        C:\Windows\system32\Ieajgj32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1336
        
        C:\Windows\SysWOW64\Ilkbddom.exe
        
        C:\Windows\system32\Ilkbddom.exe
        174⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Ijnbpq32.exe
        
        C:\Windows\system32\Ijnbpq32.exe
        175⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Injoponq.exe
        
        C:\Windows\system32\Injoponq.exe
        176⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Icfgiflh.exe
        
        C:\Windows\system32\Icfgiflh.exe
        177⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Ihbcie32.exe
        
        C:\Windows\system32\Ihbcie32.exe
        178⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Ijqoeqce.exe
        
        C:\Windows\system32\Ijqoeqce.exe
        179⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Jnlkfo32.exe
        
        C:\Windows\system32\Jnlkfo32.exe
        180⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Jajhbj32.exe
        
        C:\Windows\system32\Jajhbj32.exe
        181⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Jdidnf32.exe
        
        C:\Windows\system32\Jdidnf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1972
        
        C:\Windows\SysWOW64\Jfgpja32.exe
        
        C:\Windows\system32\Jfgpja32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Jjclkpab.exe
        
        C:\Windows\system32\Jjclkpab.exe
        184⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jmahglqf.exe
        
        C:\Windows\system32\Jmahglqf.exe
        185⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Jamdgj32.exe
        
        C:\Windows\system32\Jamdgj32.exe
        186⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Jdkqde32.exe
        
        C:\Windows\system32\Jdkqde32.exe
        187⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Jhgmddpl.exe
        
        C:\Windows\system32\Jhgmddpl.exe
        188⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Jjeiqp32.exe
        
        C:\Windows\system32\Jjeiqp32.exe
        189⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Jmcemk32.exe
        
        C:\Windows\system32\Jmcemk32.exe
        190⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Jpbaif32.exe
        
        C:\Windows\system32\Jpbaif32.exe
        191⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Jbqneb32.exe
        
        C:\Windows\system32\Jbqneb32.exe
        192⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Jflieqec.exe
        
        C:\Windows\system32\Jflieqec.exe
        193⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Jijfaldg.exe
        
        C:\Windows\system32\Jijfaldg.exe
        194⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Jlibnhck.exe
        
        C:\Windows\system32\Jlibnhck.exe
        195⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Jpdnnf32.exe
        
        C:\Windows\system32\Jpdnnf32.exe
        196⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Jbcjja32.exe
        
        C:\Windows\system32\Jbcjja32.exe
        197⤵
        
        PID:2360

C:\Windows\SysWOW64\Jfnfkqca.exe
C:\Windows\system32\Jfnfkqca.exe
1⤵
PID:2368
- C:\Windows\SysWOW64\Jimbglbd.exe
  C:\Windows\system32\Jimbglbd.exe
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\Jlkocg32.exe
    C:\Windows\system32\Jlkocg32.exe
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\Jbegpaie.exe
      C:\Windows\system32\Jbegpaie.exe
      4⤵
      PID:3784
    - - C:\Windows\SysWOW64\Kioomk32.exe
        
        C:\Windows\system32\Kioomk32.exe
        5⤵
        
        PID:3792
      - C:\Windows\SysWOW64\Klnkig32.exe
        
        C:\Windows\system32\Klnkig32.exe
        6⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Kolheb32.exe
        
        C:\Windows\system32\Kolheb32.exe
        7⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Kefpamff.exe
        
        C:\Windows\system32\Kefpamff.exe
        8⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Khdlnhej.exe
        
        C:\Windows\system32\Khdlnhej.exe
        9⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Klphnfmc.exe
        
        C:\Windows\system32\Klphnfmc.exe
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Kdkmbijn.exe
        
        C:\Windows\system32\Kdkmbijn.exe
        11⤵
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Khfich32.exe
        
        C:\Windows\system32\Khfich32.exe
        12⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Koqapajd.exe
        
        C:\Windows\system32\Koqapajd.exe
        13⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Kmcalo32.exe
        
        C:\Windows\system32\Kmcalo32.exe
        14⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Kaomlmih.exe
        
        C:\Windows\system32\Kaomlmih.exe
        15⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Kdmihihk.exe
        
        C:\Windows\system32\Kdmihihk.exe
        16⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Kglfddgo.exe
        
        C:\Windows\system32\Kglfddgo.exe
        17⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Kocnea32.exe
        
        C:\Windows\system32\Kocnea32.exe
        18⤵
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Kdpfnh32.exe
        
        C:\Windows\system32\Kdpfnh32.exe
        19⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Kgnbjd32.exe
        
        C:\Windows\system32\Kgnbjd32.exe
        20⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Kkjojbne.exe
        
        C:\Windows\system32\Kkjojbne.exe
        21⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Knhkgnmi.exe
        
        C:\Windows\system32\Knhkgnmi.exe
        22⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Lpfgcilm.exe
        
        C:\Windows\system32\Lpfgcilm.exe
        23⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Lcecoekq.exe
        
        C:\Windows\system32\Lcecoekq.exe
        24⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Lklkpblc.exe
        
        C:\Windows\system32\Lklkpblc.exe
        25⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Llmhhjaa.exe
        
        C:\Windows\system32\Llmhhjaa.exe
        26⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Lpichi32.exe
        
        C:\Windows\system32\Lpichi32.exe
        27⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Llpdmjpo.exe
        
        C:\Windows\system32\Llpdmjpo.exe
        28⤵
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Lhfebk32.exe
        
        C:\Windows\system32\Lhfebk32.exe
        29⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Lclipdei.exe
        
        C:\Windows\system32\Lclipdei.exe
        30⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Lfjelodl.exe
        
        C:\Windows\system32\Lfjelodl.exe
        31⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Lldnhi32.exe
        
        C:\Windows\system32\Lldnhi32.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Lkgndfbc.exe
        
        C:\Windows\system32\Lkgndfbc.exe
        33⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Laafqp32.exe
        
        C:\Windows\system32\Laafqp32.exe
        34⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Ldpbml32.exe
        
        C:\Windows\system32\Ldpbml32.exe
        35⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Mlgjni32.exe
        
        C:\Windows\system32\Mlgjni32.exe
        36⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Moegjd32.exe
        
        C:\Windows\system32\Moegjd32.exe
        37⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Mbccfphn.exe
        
        C:\Windows\system32\Mbccfphn.exe
        38⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Mklgoe32.exe
        
        C:\Windows\system32\Mklgoe32.exe
        39⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Mogcpdgg.exe
        
        C:\Windows\system32\Mogcpdgg.exe
        40⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Mqipgl32.exe
        
        C:\Windows\system32\Mqipgl32.exe
        41⤵
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mddlhkeo.exe
        
        C:\Windows\system32\Mddlhkeo.exe
        42⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Mkndde32.exe
        
        C:\Windows\system32\Mkndde32.exe
        43⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Mnmqqq32.exe
        
        C:\Windows\system32\Mnmqqq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:188
        
        C:\Windows\SysWOW64\Mqkmmljc.exe
        
        C:\Windows\system32\Mqkmmljc.exe
        45⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Mciiigjg.exe
        
        C:\Windows\system32\Mciiigjg.exe
        46⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Mkqajeji.exe
        
        C:\Windows\system32\Mkqajeji.exe
        47⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Mdiecj32.exe
        
        C:\Windows\system32\Mdiecj32.exe
        48⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Mcleoghd.exe
        
        C:\Windows\system32\Mcleoghd.exe
        49⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Mfjbkbgh.exe
        
        C:\Windows\system32\Mfjbkbgh.exe
        50⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Mjfnka32.exe
        
        C:\Windows\system32\Mjfnka32.exe
        51⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Mmdjgm32.exe
        
        C:\Windows\system32\Mmdjgm32.exe
        52⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Ncnbdg32.exe
        
        C:\Windows\system32\Ncnbdg32.exe
        53⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ngjndenk.exe
        
        C:\Windows\system32\Ngjndenk.exe
        54⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Njhkaamn.exe
        
        C:\Windows\system32\Njhkaamn.exe
        55⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Nikkln32.exe
        
        C:\Windows\system32\Nikkln32.exe
        56⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Nbcoecji.exe
        
        C:\Windows\system32\Nbcoecji.exe
        57⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Nimgbm32.exe
        
        C:\Windows\system32\Nimgbm32.exe
        58⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Nogpogic.exe
        
        C:\Windows\system32\Nogpogic.exe
        59⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Nbelkc32.exe
        
        C:\Windows\system32\Nbelkc32.exe
        60⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Nedhgn32.exe
        
        C:\Windows\system32\Nedhgn32.exe
        61⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Nmkphl32.exe
        
        C:\Windows\system32\Nmkphl32.exe
        62⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Nnlmpdnk.exe
        
        C:\Windows\system32\Nnlmpdnk.exe
        63⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Nefeln32.exe
        
        C:\Windows\system32\Nefeln32.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ngeahi32.exe
        
        C:\Windows\system32\Ngeahi32.exe
        65⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Nnoieclh.exe
        
        C:\Windows\system32\Nnoieclh.exe
        66⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Nameaokl.exe
        
        C:\Windows\system32\Nameaokl.exe
        67⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Nidnbl32.exe
        
        C:\Windows\system32\Nidnbl32.exe
        68⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Nkbjoh32.exe
        
        C:\Windows\system32\Nkbjoh32.exe
        69⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Obmbkbbo.exe
        
        C:\Windows\system32\Obmbkbbo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Oekngmab.exe
        
        C:\Windows\system32\Oekngmab.exe
        71⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Ogikciqf.exe
        
        C:\Windows\system32\Ogikciqf.exe
        72⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Onccpc32.exe
        
        C:\Windows\system32\Onccpc32.exe
        73⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Omfclpom.exe
        
        C:\Windows\system32\Omfclpom.exe
        74⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Oglgih32.exe
        
        C:\Windows\system32\Oglgih32.exe
        75⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Onfpfbfp.exe
        
        C:\Windows\system32\Onfpfbfp.exe
        76⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Omipao32.exe
        
        C:\Windows\system32\Omipao32.exe
        77⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Ohndoh32.exe
        
        C:\Windows\system32\Ohndoh32.exe
        78⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Ojmpkc32.exe
        
        C:\Windows\system32\Ojmpkc32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Omklgo32.exe
        
        C:\Windows\system32\Omklgo32.exe
        80⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Oafhgnca.exe
        
        C:\Windows\system32\Oafhgnca.exe
        81⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Oceedibe.exe
        
        C:\Windows\system32\Oceedibe.exe
        82⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Ofcapd32.exe
        
        C:\Windows\system32\Ofcapd32.exe
        83⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Oiamlp32.exe
        
        C:\Windows\system32\Oiamlp32.exe
        84⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Olpihk32.exe
        
        C:\Windows\system32\Olpihk32.exe
        85⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Opleijhi.exe
        
        C:\Windows\system32\Opleijhi.exe
        86⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Pehnaafq.exe
        
        C:\Windows\system32\Pehnaafq.exe
        87⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Pidjap32.exe
        
        C:\Windows\system32\Pidjap32.exe
        88⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Plbfnk32.exe
        
        C:\Windows\system32\Plbfnk32.exe
        89⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Ppnbnjff.exe
        
        C:\Windows\system32\Ppnbnjff.exe
        90⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Pblnjeej.exe
        
        C:\Windows\system32\Pblnjeej.exe
        91⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Pekkfqdn.exe
        
        C:\Windows\system32\Pekkfqdn.exe
        92⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Phigbl32.exe
        
        C:\Windows\system32\Phigbl32.exe
        93⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Pppodi32.exe
        
        C:\Windows\system32\Pppodi32.exe
        94⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Pbokpe32.exe
        
        C:\Windows\system32\Pbokpe32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Plgpijih.exe
        
        C:\Windows\system32\Plgpijih.exe
        96⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Poelefhl.exe
        
        C:\Windows\system32\Poelefhl.exe
        97⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Pklmjgnp.exe
        
        C:\Windows\system32\Pklmjgnp.exe
        98⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Pmkifbmc.exe
        
        C:\Windows\system32\Pmkifbmc.exe
        99⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Pebqgpnf.exe
        
        C:\Windows\system32\Pebqgpnf.exe
        100⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Pdeabl32.exe
        
        C:\Windows\system32\Pdeabl32.exe
        101⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Qaialq32.exe
        
        C:\Windows\system32\Qaialq32.exe
        102⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Qdgnhl32.exe
        
        C:\Windows\system32\Qdgnhl32.exe
        103⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Qgejdg32.exe
        
        C:\Windows\system32\Qgejdg32.exe
        104⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Qkafef32.exe
        
        C:\Windows\system32\Qkafef32.exe
        105⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Qmpbaa32.exe
        
        C:\Windows\system32\Qmpbaa32.exe
        106⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Qpnnmm32.exe
        
        C:\Windows\system32\Qpnnmm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Qghfjgpo.exe
        
        C:\Windows\system32\Qghfjgpo.exe
        108⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Aifcfbob.exe
        
        C:\Windows\system32\Aifcfbob.exe
        109⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Amboga32.exe
        
        C:\Windows\system32\Amboga32.exe
        110⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Appkcm32.exe
        
        C:\Windows\system32\Appkcm32.exe
        111⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Agjcpgnl.exe
        
        C:\Windows\system32\Agjcpgnl.exe
        112⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Aihplbmp.exe
        
        C:\Windows\system32\Aihplbmp.exe
        113⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Amdllaei.exe
        
        C:\Windows\system32\Amdllaei.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4716
        
        C:\Windows\SysWOW64\Apbhhldm.exe
        
        C:\Windows\system32\Apbhhldm.exe
        115⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Aoehdi32.exe
        
        C:\Windows\system32\Aoehdi32.exe
        116⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Agmpef32.exe
        
        C:\Windows\system32\Agmpef32.exe
        117⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Accqjgan.exe
        
        C:\Windows\system32\Accqjgan.exe
        118⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Aeamfcpa.exe
        
        C:\Windows\system32\Aeamfcpa.exe
        119⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Ahpibnpe.exe
        
        C:\Windows\system32\Ahpibnpe.exe
        120⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Akoenj32.exe
        
        C:\Windows\system32\Akoenj32.exe
        121⤵
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Aedjlb32.exe
        
        C:\Windows\system32\Aedjlb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Akabdi32.exe
        
        C:\Windows\system32\Akabdi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Aeffab32.exe
        
        C:\Windows\system32\Aeffab32.exe
        124⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Bnakedjg.exe
        
        C:\Windows\system32\Bnakedjg.exe
        125⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Bppgbpik.exe
        
        C:\Windows\system32\Bppgbpik.exe
        126⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Bdnphn32.exe
        
        C:\Windows\system32\Bdnphn32.exe
        127⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Keiopekg.exe
        
        C:\Windows\system32\Keiopekg.exe
        128⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Mbdklj32.exe
        
        C:\Windows\system32\Mbdklj32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ejofgnbb.exe
        
        C:\Windows\system32\Ejofgnbb.exe
        130⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mncoff32.exe
        
        C:\Windows\system32\Mncoff32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Mnfklfhb.exe
        
        C:\Windows\system32\Mnfklfhb.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Magdmaec.exe
        
        C:\Windows\system32\Magdmaec.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Mmmebbjg.exe
        
        C:\Windows\system32\Mmmebbjg.exe
        134⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Mhcipkjn.exe
        
        C:\Windows\system32\Mhcipkjn.exe
        135⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Mdjjdl32.exe
        
        C:\Windows\system32\Mdjjdl32.exe
        136⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Nfhfqg32.exe
        
        C:\Windows\system32\Nfhfqg32.exe
        137⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Nbogeh32.exe
        
        C:\Windows\system32\Nbogeh32.exe
        138⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Nemcbc32.exe
        
        C:\Windows\system32\Nemcbc32.exe
        139⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Nlgkonkj.exe
        
        C:\Windows\system32\Nlgkonkj.exe
        140⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Nofgkijn.exe
        
        C:\Windows\system32\Nofgkijn.exe
        141⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Ngmplfkp.exe
        
        C:\Windows\system32\Ngmplfkp.exe
        142⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Niklhbjd.exe
        
        C:\Windows\system32\Niklhbjd.exe
        143⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Nljhdmig.exe
        
        C:\Windows\system32\Nljhdmig.exe
        144⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Nohdpi32.exe
        
        C:\Windows\system32\Nohdpi32.exe
        145⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Nccpqgqd.exe
        
        C:\Windows\system32\Nccpqgqd.exe
        146⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Nojafh32.exe
        
        C:\Windows\system32\Nojafh32.exe
        147⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Nedibbne.exe
        
        C:\Windows\system32\Nedibbne.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Nomnkh32.exe
        
        C:\Windows\system32\Nomnkh32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Oakjgcci.exe
        
        C:\Windows\system32\Oakjgcci.exe
        150⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Oegfhb32.exe
        
        C:\Windows\system32\Oegfhb32.exe
        151⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Odifcobm.exe
        
        C:\Windows\system32\Odifcobm.exe
        152⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Okcnpi32.exe
        
        C:\Windows\system32\Okcnpi32.exe
        153⤵
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Oanfmcag.exe
        
        C:\Windows\system32\Oanfmcag.exe
        154⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Odlciopj.exe
        
        C:\Windows\system32\Odlciopj.exe
        155⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Oapcbc32.exe
        
        C:\Windows\system32\Oapcbc32.exe
        156⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Ojkhge32.exe
        
        C:\Windows\system32\Ojkhge32.exe
        157⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Opepcodl.exe
        
        C:\Windows\system32\Opepcodl.exe
        158⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Ofbilfbc.exe
        
        C:\Windows\system32\Ofbilfbc.exe
        159⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Opgmiobi.exe
        
        C:\Windows\system32\Opgmiobi.exe
        160⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Ocfiej32.exe
        
        C:\Windows\system32\Ocfiej32.exe
        161⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Phbana32.exe
        
        C:\Windows\system32\Phbana32.exe
        162⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Plnnnpgn.exe
        
        C:\Windows\system32\Plnnnpgn.exe
        163⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Pchfkj32.exe
        
        C:\Windows\system32\Pchfkj32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Pbkffgfe.exe
        
        C:\Windows\system32\Pbkffgfe.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Pjbngdfg.exe
        
        C:\Windows\system32\Pjbngdfg.exe
        166⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Phenca32.exe
        
        C:\Windows\system32\Phenca32.exe
        167⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Poogpkdo.exe
        
        C:\Windows\system32\Poogpkdo.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2816
        
        C:\Windows\SysWOW64\Pcjbpjmh.exe
        
        C:\Windows\system32\Pcjbpjmh.exe
        169⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Pbmclf32.exe
        
        C:\Windows\system32\Pbmclf32.exe
        170⤵
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pdlohb32.exe
        
        C:\Windows\system32\Pdlohb32.exe
        171⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Phgkiqko.exe
        
        C:\Windows\system32\Phgkiqko.exe
        172⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Poacek32.exe
        
        C:\Windows\system32\Poacek32.exe
        173⤵
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pbppaf32.exe
        
        C:\Windows\system32\Pbppaf32.exe
        174⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Phjhnpil.exe
        
        C:\Windows\system32\Phjhnpil.exe
        175⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Pocpkj32.exe
        
        C:\Windows\system32\Pocpkj32.exe
        176⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Pnfpfggd.exe
        
        C:\Windows\system32\Pnfpfggd.exe
        177⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Pqembbfg.exe
        
        C:\Windows\system32\Pqembbfg.exe
        178⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Phlddp32.exe
        
        C:\Windows\system32\Phlddp32.exe
        179⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Pkjqpk32.exe
        
        C:\Windows\system32\Pkjqpk32.exe
        180⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Pjmakhmh.exe
        
        C:\Windows\system32\Pjmakhmh.exe
        181⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Qqgihb32.exe
        
        C:\Windows\system32\Qqgihb32.exe
        182⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Qceedn32.exe
        
        C:\Windows\system32\Qceedn32.exe
        183⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Qkmnek32.exe
        
        C:\Windows\system32\Qkmnek32.exe
        184⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Qjpnahke.exe
        
        C:\Windows\system32\Qjpnahke.exe
        185⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Qgcnjl32.exe
        
        C:\Windows\system32\Qgcnjl32.exe
        186⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Ampgbc32.exe
        
        C:\Windows\system32\Ampgbc32.exe
        187⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Aqlbcapp.exe
        
        C:\Windows\system32\Aqlbcapp.exe
        188⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Acjoompc.exe
        
        C:\Windows\system32\Acjoompc.exe
        189⤵
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Afikkhog.exe
        
        C:\Windows\system32\Afikkhog.exe
        190⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Aqnoianm.exe
        
        C:\Windows\system32\Aqnoianm.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2112
        
        C:\Windows\SysWOW64\Abplqi32.exe
        
        C:\Windows\system32\Abplqi32.exe
        192⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Afkhah32.exe
        
        C:\Windows\system32\Afkhah32.exe
        193⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Aiidmc32.exe
        
        C:\Windows\system32\Aiidmc32.exe
        194⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Amepnbda.exe
        
        C:\Windows\system32\Amepnbda.exe
        195⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Alhpio32.exe
        
        C:\Windows\system32\Alhpio32.exe
        196⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Acohjl32.exe
        
        C:\Windows\system32\Acohjl32.exe
        197⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Afmdfh32.exe
        
        C:\Windows\system32\Afmdfh32.exe
        198⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Ailabc32.exe
        
        C:\Windows\system32\Ailabc32.exe
        199⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Aljmoo32.exe
        
        C:\Windows\system32\Aljmoo32.exe
        200⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aebahdoi.exe
        
        C:\Windows\system32\Aebahdoi.exe
        201⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Ahandp32.exe
        
        C:\Windows\system32\Ahandp32.exe
        202⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Aphfem32.exe
        
        C:\Windows\system32\Aphfem32.exe
        203⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Aiqjnbep.exe
        
        C:\Windows\system32\Aiqjnbep.exe
        204⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Blofjnec.exe
        
        C:\Windows\system32\Blofjnec.exe
        205⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Bnmbfidg.exe
        
        C:\Windows\system32\Bnmbfidg.exe
        206⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Balobeck.exe
        
        C:\Windows\system32\Balobeck.exe
        207⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Begkcc32.exe
        
        C:\Windows\system32\Begkcc32.exe
        208⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Blacpn32.exe
        
        C:\Windows\system32\Blacpn32.exe
        209⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Bnpoli32.exe
        
        C:\Windows\system32\Bnpoli32.exe
        210⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Bmbpgfho.exe
        
        C:\Windows\system32\Bmbpgfho.exe
        211⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Beihhcia.exe
        
        C:\Windows\system32\Beihhcia.exe
        212⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Bhhddohe.exe
        
        C:\Windows\system32\Bhhddohe.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4968
        
        C:\Windows\SysWOW64\Bnblai32.exe
        
        C:\Windows\system32\Bnblai32.exe
        214⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Baphmd32.exe
        
        C:\Windows\system32\Baphmd32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4984
        
        C:\Windows\SysWOW64\Bdodip32.exe
        
        C:\Windows\system32\Bdodip32.exe
        216⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Bhjqjnfb.exe
        
        C:\Windows\system32\Bhjqjnfb.exe
        217⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Bjimfj32.exe
        
        C:\Windows\system32\Bjimfj32.exe
        218⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Bmgibe32.exe
        
        C:\Windows\system32\Bmgibe32.exe
        219⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Bpeenq32.exe
        
        C:\Windows\system32\Bpeenq32.exe
        220⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Bbdakl32.exe
        
        C:\Windows\system32\Bbdakl32.exe
        221⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Bfpnkkkj.exe
        
        C:\Windows\system32\Bfpnkkkj.exe
        222⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjkili32.exe
        
        C:\Windows\system32\Bjkili32.exe
        223⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Bmifhe32.exe
        
        C:\Windows\system32\Bmifhe32.exe
        224⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Bphbdp32.exe
        
        C:\Windows\system32\Bphbdp32.exe
        225⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Cedjlg32.exe
        
        C:\Windows\system32\Cedjlg32.exe
        226⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Cmlbmdqd.exe
        
        C:\Windows\system32\Cmlbmdqd.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Clobia32.exe
        
        C:\Windows\system32\Clobia32.exe
        228⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\Comoem32.exe
        
        C:\Windows\system32\Comoem32.exe
        229⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Cbikekol.exe
        
        C:\Windows\system32\Cbikekol.exe
        230⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Cfdgfj32.exe
        
        C:\Windows\system32\Cfdgfj32.exe
        231⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Cibcbe32.exe
        
        C:\Windows\system32\Cibcbe32.exe
        232⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Clapoa32.exe
        
        C:\Windows\system32\Clapoa32.exe
        233⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Coolkl32.exe
        
        C:\Windows\system32\Coolkl32.exe
        234⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Cbkhkkmi.exe
        
        C:\Windows\system32\Cbkhkkmi.exe
        235⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Ceidgflm.exe
        
        C:\Windows\system32\Ceidgflm.exe
        236⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Clcldqcj.exe
        
        C:\Windows\system32\Clcldqcj.exe
        237⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Coahplbn.exe
        
        C:\Windows\system32\Coahplbn.exe
        238⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Codeflpk.exe
        
        C:\Windows\system32\Codeflpk.exe
        239⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Cababgoo.exe
        
        C:\Windows\system32\Cababgoo.exe
        240⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Chlioa32.exe
        
        C:\Windows\system32\Chlioa32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3500
        
        C:\Windows\SysWOW64\Dkkfkm32.exe
        
        C:\Windows\system32\Dkkfkm32.exe
        242⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Dmibgheb.exe
        
        C:\Windows\system32\Dmibgheb.exe
        243⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Ddcjcb32.exe
        
        C:\Windows\system32\Ddcjcb32.exe
        244⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Dgafpn32.exe
        
        C:\Windows\system32\Dgafpn32.exe
        245⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Dkmbpldl.exe
        
        C:\Windows\system32\Dkmbpldl.exe
        246⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Dpjkhcbd.exe
        
        C:\Windows\system32\Dpjkhcbd.exe
        247⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dchgdoag.exe
        
        C:\Windows\system32\Dchgdoag.exe
        248⤵
        
        PID:988
        
        C:\Windows\SysWOW64\Dkpoflbj.exe
        
        C:\Windows\system32\Dkpoflbj.exe
        249⤵
        Modifies registry class
        
        PID:108
        
        C:\Windows\SysWOW64\Dnnkbg32.exe
        
        C:\Windows\system32\Dnnkbg32.exe
        250⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Dplhnc32.exe
        
        C:\Windows\system32\Dplhnc32.exe
        251⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Ddhcoahj.exe
        
        C:\Windows\system32\Ddhcoahj.exe
        252⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Dgfpkmgn.exe
        
        C:\Windows\system32\Dgfpkmgn.exe
        253⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Dnphgg32.exe
        
        C:\Windows\system32\Dnphgg32.exe
        254⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Dlchcdfe.exe
        
        C:\Windows\system32\Dlchcdfe.exe
        255⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Doadopei.exe
        
        C:\Windows\system32\Doadopei.exe
        256⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Dekmli32.exe
        
        C:\Windows\system32\Dekmli32.exe
        257⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dhjihe32.exe
        
        C:\Windows\system32\Dhjihe32.exe
        258⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\Dpaaibll.exe
        
        C:\Windows\system32\Dpaaibll.exe
        259⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Dodaeo32.exe
        
        C:\Windows\system32\Dodaeo32.exe
        260⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Eabnaj32.exe
        
        C:\Windows\system32\Eabnaj32.exe
        261⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Ehlfndig.exe
        
        C:\Windows\system32\Ehlfndig.exe
        262⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Ekkbjphj.exe
        
        C:\Windows\system32\Ekkbjphj.exe
        263⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Ecbjkmim.exe
        
        C:\Windows\system32\Ecbjkmim.exe
        264⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Efpfgihq.exe
        
        C:\Windows\system32\Efpfgihq.exe
        265⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Ehobcdgd.exe
        
        C:\Windows\system32\Ehobcdgd.exe
        266⤵
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Eohkpnoa.exe
        
        C:\Windows\system32\Eohkpnoa.exe
        267⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Ebggljnd.exe
        
        C:\Windows\system32\Ebggljnd.exe
        268⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Edechemh.exe
        
        C:\Windows\system32\Edechemh.exe
        269⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Ekokep32.exe
        
        C:\Windows\system32\Ekokep32.exe
        270⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Eokgenmn.exe
        
        C:\Windows\system32\Eokgenmn.exe
        271⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Ebidailb.exe
        
        C:\Windows\system32\Ebidailb.exe
        272⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Edhpnekf.exe
        
        C:\Windows\system32\Edhpnekf.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2968
        
        C:\Windows\SysWOW64\Ekahjo32.exe
        
        C:\Windows\system32\Ekahjo32.exe
        274⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Enpdfj32.exe
        
        C:\Windows\system32\Enpdfj32.exe
        275⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Fbipqm32.exe
        
        C:\Windows\system32\Fbipqm32.exe
        276⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Feglmh32.exe
        
        C:\Windows\system32\Feglmh32.exe
        277⤵
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Fmodne32.exe
        
        C:\Windows\system32\Fmodne32.exe
        278⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Ffgifkdd.exe
        
        C:\Windows\system32\Ffgifkdd.exe
        279⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Gghenc32.exe
        
        C:\Windows\system32\Gghenc32.exe
        280⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Gkdaobck.exe
        
        C:\Windows\system32\Gkdaobck.exe
        281⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Hdkeob32.exe
        
        C:\Windows\system32\Hdkeob32.exe
        282⤵
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Hijkmibn.exe
        
        C:\Windows\system32\Hijkmibn.exe
        283⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Idhehf32.exe
        
        C:\Windows\system32\Idhehf32.exe
        284⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Igfadb32.exe
        
        C:\Windows\system32\Igfadb32.exe
        285⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Ikbmeqbd.exe
        
        C:\Windows\system32\Ikbmeqbd.exe
        286⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Imqialah.exe
        
        C:\Windows\system32\Imqialah.exe
        287⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\Iehabibj.exe
        
        C:\Windows\system32\Iehabibj.exe
        288⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Ihfnoean.exe
        
        C:\Windows\system32\Ihfnoean.exe
        289⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Ikdjkp32.exe
        
        C:\Windows\system32\Ikdjkp32.exe
        290⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Iopfkohj.exe
        
        C:\Windows\system32\Iopfkohj.exe
        291⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Iaobgjgn.exe
        
        C:\Windows\system32\Iaobgjgn.exe
        292⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Idmncffb.exe
        
        C:\Windows\system32\Idmncffb.exe
        293⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Ihhjdd32.exe
        
        C:\Windows\system32\Ihhjdd32.exe
        294⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Ikggpp32.exe
        
        C:\Windows\system32\Ikggpp32.exe
        295⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Imeclk32.exe
        
        C:\Windows\system32\Imeclk32.exe
        296⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Iaaomjek.exe
        
        C:\Windows\system32\Iaaomjek.exe
        297⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Idokiedo.exe
        
        C:\Windows\system32\Idokiedo.exe
        298⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Igngeacc.exe
        
        C:\Windows\system32\Igngeacc.exe
        299⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Iilcal32.exe
        
        C:\Windows\system32\Iilcal32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Imgpbkkp.exe
        
        C:\Windows\system32\Imgpbkkp.exe
        301⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Ipflnfjc.exe
        
        C:\Windows\system32\Ipflnfjc.exe
        302⤵
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Idahoe32.exe
        
        C:\Windows\system32\Idahoe32.exe
        303⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Jgpdkq32.exe
        
        C:\Windows\system32\Jgpdkq32.exe
        304⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Jinpgl32.exe
        
        C:\Windows\system32\Jinpgl32.exe
        305⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Jlmmcg32.exe
        
        C:\Windows\system32\Jlmmcg32.exe
        306⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Jokioc32.exe
        
        C:\Windows\system32\Jokioc32.exe
        307⤵
        
        PID:576
        
        C:\Windows\SysWOW64\Jgbapp32.exe
        
        C:\Windows\system32\Jgbapp32.exe
        308⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Jeealmfh.exe
        
        C:\Windows\system32\Jeealmfh.exe
        309⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Jhcmhhel.exe
        
        C:\Windows\system32\Jhcmhhel.exe
        310⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Jpkeif32.exe
        
        C:\Windows\system32\Jpkeif32.exe
        311⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Jciaea32.exe
        
        C:\Windows\system32\Jciaea32.exe
        312⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Jalaanll.exe
        
        C:\Windows\system32\Jalaanll.exe
        313⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Jjcjbkmo.exe
        
        C:\Windows\system32\Jjcjbkmo.exe
        314⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Jhfjnh32.exe
        
        C:\Windows\system32\Jhfjnh32.exe
        315⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Jkdfjc32.exe
        
        C:\Windows\system32\Jkdfjc32.exe
        316⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Jopbjbkf.exe
        
        C:\Windows\system32\Jopbjbkf.exe
        317⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Jannfnjj.exe
        
        C:\Windows\system32\Jannfnjj.exe
        318⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Jdmkbiim.exe
        
        C:\Windows\system32\Jdmkbiim.exe
        319⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Jhhgch32.exe
        
        C:\Windows\system32\Jhhgch32.exe
        320⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Jldbcfjp.exe
        
        C:\Windows\system32\Jldbcfjp.exe
        321⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Jobopb32.exe
        
        C:\Windows\system32\Jobopb32.exe
        322⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Jelgmlpp.exe
        
        C:\Windows\system32\Jelgmlpp.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2612
        
        C:\Windows\SysWOW64\Jdoghi32.exe
        
        C:\Windows\system32\Jdoghi32.exe
        324⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Jgmcdd32.exe
        
        C:\Windows\system32\Jgmcdd32.exe
        325⤵
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Knglannk.exe
        
        C:\Windows\system32\Knglannk.exe
        326⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Kacham32.exe
        
        C:\Windows\system32\Kacham32.exe
        327⤵
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Kqfhmjmo.exe
        
        C:\Windows\system32\Kqfhmjmo.exe
        328⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Khmpngma.exe
        
        C:\Windows\system32\Khmpngma.exe
        329⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Knjhfn32.exe
        
        C:\Windows\system32\Knjhfn32.exe
        330⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Kqhebi32.exe
        
        C:\Windows\system32\Kqhebi32.exe
        331⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Kcfaoe32.exe
        
        C:\Windows\system32\Kcfaoe32.exe
        332⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Kgbmocbi.exe
        
        C:\Windows\system32\Kgbmocbi.exe
        333⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Kjqikoam.exe
        
        C:\Windows\system32\Kjqikoam.exe
        334⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Knleln32.exe
        
        C:\Windows\system32\Knleln32.exe
        335⤵
        Drops file in System32 directory
        
        PID:276
        
        C:\Windows\SysWOW64\Kqjahi32.exe
        
        C:\Windows\system32\Kqjahi32.exe
        336⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Kcindd32.exe
        
        C:\Windows\system32\Kcindd32.exe
        337⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Kfgjpp32.exe
        
        C:\Windows\system32\Kfgjpp32.exe
        338⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Knnbam32.exe
        
        C:\Windows\system32\Knnbam32.exe
        339⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Kqmnnigg.exe
        
        C:\Windows\system32\Kqmnnigg.exe
        340⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Kckjjdfk.exe
        
        C:\Windows\system32\Kckjjdfk.exe
        341⤵
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Kfjgfpen.exe
        
        C:\Windows\system32\Kfjgfpen.exe
        342⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Kihcbkdb.exe
        
        C:\Windows\system32\Kihcbkdb.exe
        343⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Kqokchdd.exe
        
        C:\Windows\system32\Kqokchdd.exe
        344⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Kobkoe32.exe
        
        C:\Windows\system32\Kobkoe32.exe
        345⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Kbqgkq32.exe
        
        C:\Windows\system32\Kbqgkq32.exe
        346⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Ljgoln32.exe
        
        C:\Windows\system32\Ljgoln32.exe
        347⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Lijphkbo.exe
        
        C:\Windows\system32\Lijphkbo.exe
        348⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Lkildfac.exe
        
        C:\Windows\system32\Lkildfac.exe
        349⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Lbcdqphp.exe
        
        C:\Windows\system32\Lbcdqphp.exe
        350⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Lfnpao32.exe
        
        C:\Windows\system32\Lfnpao32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Limlmj32.exe
        
        C:\Windows\system32\Limlmj32.exe
        352⤵
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Lmhhnihf.exe
        
        C:\Windows\system32\Lmhhnihf.exe
        353⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Logdjdgi.exe
        
        C:\Windows\system32\Logdjdgi.exe
        354⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Lbeafpfm.exe
        
        C:\Windows\system32\Lbeafpfm.exe
        355⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Lecmbkea.exe
        
        C:\Windows\system32\Lecmbkea.exe
        356⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Lioicj32.exe
        
        C:\Windows\system32\Lioicj32.exe
        357⤵
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Lkneoe32.exe
        
        C:\Windows\system32\Lkneoe32.exe
        358⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Lnlaka32.exe
        
        C:\Windows\system32\Lnlaka32.exe
        359⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Lbgnlp32.exe
        
        C:\Windows\system32\Lbgnlp32.exe
        360⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Lefjhk32.exe
        
        C:\Windows\system32\Lefjhk32.exe
        361⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Lgdfdf32.exe
        
        C:\Windows\system32\Lgdfdf32.exe
        362⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Lkpbdekk.exe
        
        C:\Windows\system32\Lkpbdekk.exe
        363⤵
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Lnnnqqjo.exe
        
        C:\Windows\system32\Lnnnqqjo.exe
        364⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Mfnlpb32.exe
        
        C:\Windows\system32\Mfnlpb32.exe
        365⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Mimiln32.exe
        
        C:\Windows\system32\Mimiln32.exe
        366⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Mmhdmlka.exe
        
        C:\Windows\system32\Mmhdmlka.exe
        367⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Mpfaihje.exe
        
        C:\Windows\system32\Mpfaihje.exe
        368⤵
        
        PID:596
        
        C:\Windows\SysWOW64\Mbemec32.exe
        
        C:\Windows\system32\Mbemec32.exe
        369⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Mfqiebaa.exe
        
        C:\Windows\system32\Mfqiebaa.exe
        370⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Mioeamqe.exe
        
        C:\Windows\system32\Mioeamqe.exe
        371⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1204
        
        C:\Windows\SysWOW64\Mmjabl32.exe
        
        C:\Windows\system32\Mmjabl32.exe
        372⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Mpinng32.exe
        
        C:\Windows\system32\Mpinng32.exe
        373⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Mcdjofpk.exe
        
        C:\Windows\system32\Mcdjofpk.exe
        374⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Mbgjkc32.exe
        
        C:\Windows\system32\Mbgjkc32.exe
        375⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Meefgn32.exe
        
        C:\Windows\system32\Meefgn32.exe
        376⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Nemlgm32.exe
        
        C:\Windows\system32\Nemlgm32.exe
        377⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Ndplcjgl.exe
        
        C:\Windows\system32\Ndplcjgl.exe
        378⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3136
        
        C:\Windows\SysWOW64\Nhkhci32.exe
        
        C:\Windows\system32\Nhkhci32.exe
        379⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1104
        
        C:\Windows\SysWOW64\Noeqpcfb.exe
        
        C:\Windows\system32\Noeqpcfb.exe
        380⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Nacmlnff.exe
        
        C:\Windows\system32\Nacmlnff.exe
        381⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Neoimm32.exe
        
        C:\Windows\system32\Neoimm32.exe
        382⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Nhmeih32.exe
        
        C:\Windows\system32\Nhmeih32.exe
        383⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Nklaed32.exe
        
        C:\Windows\system32\Nklaed32.exe
        384⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Nogmfbdp.exe
        
        C:\Windows\system32\Nogmfbdp.exe
        385⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Opmchjfh.exe
        
        C:\Windows\system32\Opmchjfh.exe
        386⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Oblpdeel.exe
        
        C:\Windows\system32\Oblpdeel.exe
        387⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Oggked32.exe
        
        C:\Windows\system32\Oggked32.exe
        388⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Oifhapmi.exe
        
        C:\Windows\system32\Oifhapmi.exe
        389⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Omadbn32.exe
        
        C:\Windows\system32\Omadbn32.exe
        390⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Olddnklm.exe
        
        C:\Windows\system32\Olddnklm.exe
        391⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Oobpjfkp.exe
        
        C:\Windows\system32\Oobpjfkp.exe
        392⤵
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ogjhkdlb.exe
        
        C:\Windows\system32\Ogjhkdlb.exe
        393⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Oihdgokf.exe
        
        C:\Windows\system32\Oihdgokf.exe
        394⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Ohkebl32.exe
        
        C:\Windows\system32\Ohkebl32.exe
        395⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Ooemofin.exe
        
        C:\Windows\system32\Ooemofin.exe
        396⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Ocqipe32.exe
        
        C:\Windows\system32\Ocqipe32.exe
        397⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Oeoelp32.exe
        
        C:\Windows\system32\Oeoelp32.exe
        398⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Oeabapoh.exe
        
        C:\Windows\system32\Oeabapoh.exe
        399⤵
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Oddbmm32.exe
        
        C:\Windows\system32\Oddbmm32.exe
        400⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Olkjnj32.exe
        
        C:\Windows\system32\Olkjnj32.exe
        401⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\Poifje32.exe
        
        C:\Windows\system32\Poifje32.exe
        402⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Pnlffblc.exe
        
        C:\Windows\system32\Pnlffblc.exe
        403⤵
        
        PID:612
        
        C:\Windows\SysWOW64\Pecogple.exe
        
        C:\Windows\system32\Pecogple.exe
        404⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Pdfobl32.exe
        
        C:\Windows\system32\Pdfobl32.exe
        405⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\Pgekoh32.exe
        
        C:\Windows\system32\Pgekoh32.exe
        406⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Pkpgof32.exe
        
        C:\Windows\system32\Pkpgof32.exe
        407⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Pnockb32.exe
        
        C:\Windows\system32\Pnockb32.exe
        408⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Pajolqbi.exe
        
        C:\Windows\system32\Pajolqbi.exe
        409⤵
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Pdilhlam.exe
        
        C:\Windows\system32\Pdilhlam.exe
        410⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Pgghdgpq.exe
        
        C:\Windows\system32\Pgghdgpq.exe
        411⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Pjedpcpd.exe
        
        C:\Windows\system32\Pjedpcpd.exe
        412⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Pnapaa32.exe
        
        C:\Windows\system32\Pnapaa32.exe
        413⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Pncmfafk.exe
        
        C:\Windows\system32\Pncmfafk.exe
        414⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Ppbibmeo.exe
        
        C:\Windows\system32\Ppbibmeo.exe
        415⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Pcpeohdb.exe
        
        C:\Windows\system32\Pcpeohdb.exe
        416⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Pfoakccf.exe
        
        C:\Windows\system32\Pfoakccf.exe
        417⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Pnfiladh.exe
        
        C:\Windows\system32\Pnfiladh.exe
        418⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Pqdehlcl.exe
        
        C:\Windows\system32\Pqdehlcl.exe
        419⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Pogfci32.exe
        
        C:\Windows\system32\Pogfci32.exe
        420⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Pgnnef32.exe
        
        C:\Windows\system32\Pgnnef32.exe
        421⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Qjmjab32.exe
        
        C:\Windows\system32\Qjmjab32.exe
        422⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Qlkfmmhp.exe
        
        C:\Windows\system32\Qlkfmmhp.exe
        423⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Qoibiigd.exe
        
        C:\Windows\system32\Qoibiigd.exe
        424⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ampphmdk.exe
        
        C:\Windows\system32\Ampphmdk.exe
        425⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Akbpdike.exe
        
        C:\Windows\system32\Akbpdike.exe
        426⤵
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Aonldh32.exe
        
        C:\Windows\system32\Aonldh32.exe
        427⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Afhdabkk.exe
        
        C:\Windows\system32\Afhdabkk.exe
        428⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Adkdmo32.exe
        
        C:\Windows\system32\Adkdmo32.exe
        429⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Agiqij32.exe
        
        C:\Windows\system32\Agiqij32.exe
        430⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Aopijh32.exe
        
        C:\Windows\system32\Aopijh32.exe
        431⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Anciedhf.exe
        
        C:\Windows\system32\Anciedhf.exe
        432⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Aboefc32.exe
        
        C:\Windows\system32\Aboefc32.exe
        433⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Aiimcmhl.exe
        
        C:\Windows\system32\Aiimcmhl.exe
        434⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Aglmnj32.exe
        
        C:\Windows\system32\Aglmnj32.exe
        435⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1008
        
        C:\Windows\SysWOW64\Ajjjje32.exe
        
        C:\Windows\system32\Ajjjje32.exe
        436⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Anefkd32.exe
        
        C:\Windows\system32\Anefkd32.exe
        437⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Abaalcom.exe
        
        C:\Windows\system32\Abaalcom.exe
        438⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Aqdbgp32.exe
        
        C:\Windows\system32\Aqdbgp32.exe
        439⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Acbnck32.exe
        
        C:\Windows\system32\Acbnck32.exe
        440⤵
        
        PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Glnnfp32.exe

Filesize
50KB

MD5
2b1057ac33924e709a7ab64dcc4c7aba

SHA1
be3898a48be5836e8df0828e0e5354378a67c308

SHA256
7385ba5d8ac550fa77e31796ee7d7e6ee5308db7aac4bcd57dec0d8958ea826e

SHA512
3aafbbf0f3b83b5ff17edf4caf2a0f4fec2690b54a72e80df5dd9f93c432d4caf853d414d0f54bb5a165ce914c9d23e08de3b540090d8d3faf9abe6bb6e30c5c

Download Submit
C:\Windows\SysWOW64\Glnnfp32.exe

Filesize
50KB

MD5
2b1057ac33924e709a7ab64dcc4c7aba

SHA1
be3898a48be5836e8df0828e0e5354378a67c308

SHA256
7385ba5d8ac550fa77e31796ee7d7e6ee5308db7aac4bcd57dec0d8958ea826e

SHA512
3aafbbf0f3b83b5ff17edf4caf2a0f4fec2690b54a72e80df5dd9f93c432d4caf853d414d0f54bb5a165ce914c9d23e08de3b540090d8d3faf9abe6bb6e30c5c

Download Submit
C:\Windows\SysWOW64\Hchbbm32.exe

Filesize
50KB

MD5
cc4d467abd7b903768ff871057c7167f

SHA1
f0a67102f09176b2cb449dd6cdd730312a0c6701

SHA256
abb67b5d7a955ec76023ff8501f078fd6f9a68e55369766a92973e97a1171e7c

SHA512
f9a207ee9361f3c478087372689fcf12c6143c86e81b48bf43f105aca6b3e02e38c32e62d232d17c8557fa8c584db93289311456a97d5677b52e5663b9e3d559

Download Submit
C:\Windows\SysWOW64\Hchbbm32.exe

Filesize
50KB

MD5
cc4d467abd7b903768ff871057c7167f

SHA1
f0a67102f09176b2cb449dd6cdd730312a0c6701

SHA256
abb67b5d7a955ec76023ff8501f078fd6f9a68e55369766a92973e97a1171e7c

SHA512
f9a207ee9361f3c478087372689fcf12c6143c86e81b48bf43f105aca6b3e02e38c32e62d232d17c8557fa8c584db93289311456a97d5677b52e5663b9e3d559

Download Submit
C:\Windows\SysWOW64\Hjdgdgha.exe

Filesize
50KB

MD5
d2fe48b58699d601ecde92198e852104

SHA1
1bddaae806d0eb142bfc608141ea477495211656

SHA256
76d533e241148b708f5a12647ade7dc1eb4b4f6841fc3e2ed5b16dd5a4ee659e

SHA512
c5e02c62c9d57b4f5993f44c9013c11a8be82c51d4eb9ec0b763354647a5727a50319f1c212a54b3b1a3f5e61c694f5a2e18e88b015f7b82547f30c74e27eef1

Download Submit
C:\Windows\SysWOW64\Hjdgdgha.exe

Filesize
50KB

MD5
d2fe48b58699d601ecde92198e852104

SHA1
1bddaae806d0eb142bfc608141ea477495211656

SHA256
76d533e241148b708f5a12647ade7dc1eb4b4f6841fc3e2ed5b16dd5a4ee659e

SHA512
c5e02c62c9d57b4f5993f44c9013c11a8be82c51d4eb9ec0b763354647a5727a50319f1c212a54b3b1a3f5e61c694f5a2e18e88b015f7b82547f30c74e27eef1

Download Submit
C:\Windows\SysWOW64\Idlhlpam.exe

Filesize
50KB

MD5
70d4f8564c09ad52f0afa103dc5e2336

SHA1
9355e6a384aff4194a629e4fc106c7a5d3a4d159

SHA256
5cdf23f2b8758648fc11038f5f0e740109313592fd8d740e40308f27c5c2210b

SHA512
4239c0ec7fa7b33fe97b01a8f1c31b6cdfda544f710304551bdbdeef8c1985de6d16ab6a0f3cdc2d068f559a65e150308068841d5d457b3744da91955f5dd719

Download Submit
C:\Windows\SysWOW64\Idlhlpam.exe

Filesize
50KB

MD5
70d4f8564c09ad52f0afa103dc5e2336

SHA1
9355e6a384aff4194a629e4fc106c7a5d3a4d159

SHA256
5cdf23f2b8758648fc11038f5f0e740109313592fd8d740e40308f27c5c2210b

SHA512
4239c0ec7fa7b33fe97b01a8f1c31b6cdfda544f710304551bdbdeef8c1985de6d16ab6a0f3cdc2d068f559a65e150308068841d5d457b3744da91955f5dd719

Download Submit
C:\Windows\SysWOW64\Inmbni32.exe

Filesize
50KB

MD5
d0d798048c2525611a20d7cca7b68607

SHA1
dbaec1af5cce3e116d5d1b48425f1569ec066125

SHA256
abc32182e3e4c308558e1c022aed01737b454e99431e74e534fcd2ebf23eb6f5

SHA512
a81af086f3254a3251a598b300d44ff16ad7c1e02c2d04da52cac3ca8f8dc1e6bf761cdf3be6ca2c6e59c9057dfa581eb268ef4594c671aae0ed3d4e11c5b6a3

Download Submit
C:\Windows\SysWOW64\Inmbni32.exe

Filesize
50KB

MD5
d0d798048c2525611a20d7cca7b68607

SHA1
dbaec1af5cce3e116d5d1b48425f1569ec066125

SHA256
abc32182e3e4c308558e1c022aed01737b454e99431e74e534fcd2ebf23eb6f5

SHA512
a81af086f3254a3251a598b300d44ff16ad7c1e02c2d04da52cac3ca8f8dc1e6bf761cdf3be6ca2c6e59c9057dfa581eb268ef4594c671aae0ed3d4e11c5b6a3

Download Submit
C:\Windows\SysWOW64\Ipfihm32.exe

Filesize
50KB

MD5
adcff258301e3dc071117a853507c529

SHA1
4954dbe7dfd4607910d4b7ba04890b5eb0d6e5d9

SHA256
744a0322377fafec6dcc9c9612c7c4673246ab65b3861946a68480ebf8973576

SHA512
4a1eabdd4c21d9d78441d971a2214e2f85623886bb9e86045658122a2127c2743f474ae58f60b9ed93a9d72cd049b7d0f63252d7aeed4d5b329ed9de03f65fd8

Download Submit
C:\Windows\SysWOW64\Ipfihm32.exe

Filesize
50KB

MD5
adcff258301e3dc071117a853507c529

SHA1
4954dbe7dfd4607910d4b7ba04890b5eb0d6e5d9

SHA256
744a0322377fafec6dcc9c9612c7c4673246ab65b3861946a68480ebf8973576

SHA512
4a1eabdd4c21d9d78441d971a2214e2f85623886bb9e86045658122a2127c2743f474ae58f60b9ed93a9d72cd049b7d0f63252d7aeed4d5b329ed9de03f65fd8

Download Submit
C:\Windows\SysWOW64\Jjfpij32.exe

Filesize
50KB

MD5
31c61961cc52ec2468006aebb5c736c5

SHA1
010b612d46c4f357d96852f14e7ee15d94b7e58d

SHA256
df16c18ab75ff191ae245fdc7feb71347e08147663ef8d006b1b1b68a1aca5d6

SHA512
60aed1b024625f0a2fa245d3b343b2231f9887cb9f92dee6a049a1ef6e4844822915a148688b85322caf1abaeda918f5a7c9d535d5df7550dcf328b076bd0d62

Download Submit
C:\Windows\SysWOW64\Jjfpij32.exe

Filesize
50KB

MD5
31c61961cc52ec2468006aebb5c736c5

SHA1
010b612d46c4f357d96852f14e7ee15d94b7e58d

SHA256
df16c18ab75ff191ae245fdc7feb71347e08147663ef8d006b1b1b68a1aca5d6

SHA512
60aed1b024625f0a2fa245d3b343b2231f9887cb9f92dee6a049a1ef6e4844822915a148688b85322caf1abaeda918f5a7c9d535d5df7550dcf328b076bd0d62

Download Submit
C:\Windows\SysWOW64\Kaenpfnm.exe

Filesize
50KB

MD5
e4dbcb6bc1f2de9cbab2b73817471462

SHA1
fc8fcf477a3c7ad5b56e67d825954bf00d1bc37b

SHA256
a4f773506bedbf5776d99fa6b5279aa5d3ce27a3a81c73531ac8d8e8217a87de

SHA512
ded7149a9a4c19f7986d85104f28ba6488c0f4abfc65ad677e612dcada819df0b1d7a9e08ca2552dd6a4a297d0b3224e781520987a90d7375d29c016941c9cb1

Download Submit
C:\Windows\SysWOW64\Kaenpfnm.exe

Filesize
50KB

MD5
e4dbcb6bc1f2de9cbab2b73817471462

SHA1
fc8fcf477a3c7ad5b56e67d825954bf00d1bc37b

SHA256
a4f773506bedbf5776d99fa6b5279aa5d3ce27a3a81c73531ac8d8e8217a87de

SHA512
ded7149a9a4c19f7986d85104f28ba6488c0f4abfc65ad677e612dcada819df0b1d7a9e08ca2552dd6a4a297d0b3224e781520987a90d7375d29c016941c9cb1

Download Submit
C:\Windows\SysWOW64\Kdcjlbmp.exe

Filesize
50KB

MD5
1604ba1467ef90838441bb8413cac11c

SHA1
8f324a00d8790c30f52f60992046cedeb1d7886a

SHA256
9f5beb28487d1f8210fef419acf0dd6f5ceae56cb4200f7f42991bcd7af4f68b

SHA512
1b28cae0cbaa2d42e3233685173d645d31ef4c1428914f06199e58f2eae331030af38c677a58a3d192b9492f4ec612bd39bf8afc6925e057af7a3b4787bb9372

Download Submit
C:\Windows\SysWOW64\Kdcjlbmp.exe

Filesize
50KB

MD5
1604ba1467ef90838441bb8413cac11c

SHA1
8f324a00d8790c30f52f60992046cedeb1d7886a

SHA256
9f5beb28487d1f8210fef419acf0dd6f5ceae56cb4200f7f42991bcd7af4f68b

SHA512
1b28cae0cbaa2d42e3233685173d645d31ef4c1428914f06199e58f2eae331030af38c677a58a3d192b9492f4ec612bd39bf8afc6925e057af7a3b4787bb9372

Download Submit
C:\Windows\SysWOW64\Kdldkc32.exe

Filesize
50KB

MD5
3eb8bff3338445e93e5c9ab630cca0fe

SHA1
445f861e1f0b72e84cb346cc962038f89a423a04

SHA256
8903a16b1cdf76fa25c95fc6c5fa957eb3ce778fe8ea096f0daf39925773e2ec

SHA512
b252179c7fd9bf80d63a662aaafa183fe9c2b92dd342c152e06ca58c10f233b64ca72417ceef8fc0d7a35ac6df9e20f067664685dc554f56b65d3dcb7ff78391

Download Submit
C:\Windows\SysWOW64\Kdldkc32.exe

Filesize
50KB

MD5
3eb8bff3338445e93e5c9ab630cca0fe

SHA1
445f861e1f0b72e84cb346cc962038f89a423a04

SHA256
8903a16b1cdf76fa25c95fc6c5fa957eb3ce778fe8ea096f0daf39925773e2ec

SHA512
b252179c7fd9bf80d63a662aaafa183fe9c2b92dd342c152e06ca58c10f233b64ca72417ceef8fc0d7a35ac6df9e20f067664685dc554f56b65d3dcb7ff78391

Download Submit
C:\Windows\SysWOW64\Kdoqqb32.exe

Filesize
50KB

MD5
1a4bd5129a330ff0f03dade990cb340f

SHA1
bd13785a97f6467caac280ff876a12250e01da2e

SHA256
72ebb54e72da7f8e6f51d365fe340cd3506bfd774bb618ee4e202041c39676f0

SHA512
ea9a6a9b218f997c05aba5efcb8cd9cdaf1a2ee06a82bb9aa7ee26c3b5c8b5de0e9baadab1598dc8334141f593d1c9e824a9e08306eecf6b0b209defd5575f3b

Download Submit
C:\Windows\SysWOW64\Kdoqqb32.exe

Filesize
50KB

MD5
1a4bd5129a330ff0f03dade990cb340f

SHA1
bd13785a97f6467caac280ff876a12250e01da2e

SHA256
72ebb54e72da7f8e6f51d365fe340cd3506bfd774bb618ee4e202041c39676f0

SHA512
ea9a6a9b218f997c05aba5efcb8cd9cdaf1a2ee06a82bb9aa7ee26c3b5c8b5de0e9baadab1598dc8334141f593d1c9e824a9e08306eecf6b0b209defd5575f3b

Download Submit
C:\Windows\SysWOW64\Kgojbnnf.exe

Filesize
50KB

MD5
1aca6bffcb3a8f4a08a426e1234bbf72

SHA1
d1152c51746385c28d3381332a09ee90adc7429f

SHA256
dcf359168253caff2b686edb4e968db6c7b4dcfd44ef44661c867f64551cce58

SHA512
3ffc211d4bc68a23be013d09ea3c146a83ca4991645033564be45c6b3bd1f653a7b18df6fa2a30200315d39921207e89823d68f2e34f5e6e7c35131fdf692a75

Download Submit
C:\Windows\SysWOW64\Kgojbnnf.exe

Filesize
50KB

MD5
1aca6bffcb3a8f4a08a426e1234bbf72

SHA1
d1152c51746385c28d3381332a09ee90adc7429f

SHA256
dcf359168253caff2b686edb4e968db6c7b4dcfd44ef44661c867f64551cce58

SHA512
3ffc211d4bc68a23be013d09ea3c146a83ca4991645033564be45c6b3bd1f653a7b18df6fa2a30200315d39921207e89823d68f2e34f5e6e7c35131fdf692a75

Download Submit
C:\Windows\SysWOW64\Kipbdikh.exe

Filesize
50KB

MD5
4327f0c4c8bbe7792e7fdf136f8b87a3

SHA1
50a352f6a66d5516f9807cdab7d854aa822f4e84

SHA256
bde751a992723e48e321c29626856c2b4fd3a489ac15b4675a0b3ee37fdcc9f7

SHA512
105cb4c076829f4daa314647f59b2459a16825e988ef752908f132cd5d4da11dd9901987bee98aae1eb7c490532da5dd43784bd2c6bb9903c028a00ee8fe90c2

Download Submit
C:\Windows\SysWOW64\Kipbdikh.exe

Filesize
50KB

MD5
4327f0c4c8bbe7792e7fdf136f8b87a3

SHA1
50a352f6a66d5516f9807cdab7d854aa822f4e84

SHA256
bde751a992723e48e321c29626856c2b4fd3a489ac15b4675a0b3ee37fdcc9f7

SHA512
105cb4c076829f4daa314647f59b2459a16825e988ef752908f132cd5d4da11dd9901987bee98aae1eb7c490532da5dd43784bd2c6bb9903c028a00ee8fe90c2

Download Submit
C:\Windows\SysWOW64\Kkhimmib.exe

Filesize
50KB

MD5
468d90e9203ff79f4198b0e2c89ec2f3

SHA1
38b63cb99513cf4e74218a56c2a51250d22d6db5

SHA256
2739cbdc9db8252de82627ec6d2b206db4bdee68797c865141323deb18b091af

SHA512
ef3c8b844add7d8f23e2b5186725991b89c585876a2c20ff4ccf2fa3b6ba3aa27ceafdefc150f0fcb2e33ac892d8d530e9b41b3ed48c9e58660f50f33cce24ba

Download Submit
C:\Windows\SysWOW64\Kkhimmib.exe

Filesize
50KB

MD5
468d90e9203ff79f4198b0e2c89ec2f3

SHA1
38b63cb99513cf4e74218a56c2a51250d22d6db5

SHA256
2739cbdc9db8252de82627ec6d2b206db4bdee68797c865141323deb18b091af

SHA512
ef3c8b844add7d8f23e2b5186725991b89c585876a2c20ff4ccf2fa3b6ba3aa27ceafdefc150f0fcb2e33ac892d8d530e9b41b3ed48c9e58660f50f33cce24ba

Download Submit
C:\Windows\SysWOW64\Kmdhdhji.exe

Filesize
50KB

MD5
c4e74ef3652d260ef19f7d77bd6b8f28

SHA1
203a781a46dab92f4a38cbbc27a1a4e912219aa6

SHA256
bdcfe6700985f3fa50200151562fc62884402a9351f78b25c1882db40756ddd4

SHA512
e3d4cf58ea3c38a11eacb638a9f24444f8d0fc0938c7ab8a10c37d6420aa60075120ebb1e12df6a4999ff53e4d66bf671d2fd725588183d0e7190355643f5a9b

Download Submit
C:\Windows\SysWOW64\Kmdhdhji.exe

Filesize
50KB

MD5
c4e74ef3652d260ef19f7d77bd6b8f28

SHA1
203a781a46dab92f4a38cbbc27a1a4e912219aa6

SHA256
bdcfe6700985f3fa50200151562fc62884402a9351f78b25c1882db40756ddd4

SHA512
e3d4cf58ea3c38a11eacb638a9f24444f8d0fc0938c7ab8a10c37d6420aa60075120ebb1e12df6a4999ff53e4d66bf671d2fd725588183d0e7190355643f5a9b

Download Submit
C:\Windows\SysWOW64\Kpeaecgj.exe

Filesize
50KB

MD5
11092bd96abe31f763dd6b553ade1d98

SHA1
059c11db7a43eddc2cba87fb2bfd7c27ed736bb7

SHA256
da300c8e5a3f4f70c96cad1045bbf8b0ed0c306872f1c3df5fb5c45c879deafe

SHA512
04f992e3ad231001fca13352b000bfc579f2663fc425cbda38209dcfc1a6d2ef09d44d248d98f703ea6983de17c1300a2479d90d362ce50ee96e97a96d154637

Download Submit
C:\Windows\SysWOW64\Kpeaecgj.exe

Filesize
50KB

MD5
11092bd96abe31f763dd6b553ade1d98

SHA1
059c11db7a43eddc2cba87fb2bfd7c27ed736bb7

SHA256
da300c8e5a3f4f70c96cad1045bbf8b0ed0c306872f1c3df5fb5c45c879deafe

SHA512
04f992e3ad231001fca13352b000bfc579f2663fc425cbda38209dcfc1a6d2ef09d44d248d98f703ea6983de17c1300a2479d90d362ce50ee96e97a96d154637

Download Submit
\Windows\SysWOW64\Glnnfp32.exe

Filesize
50KB

MD5
2b1057ac33924e709a7ab64dcc4c7aba

SHA1
be3898a48be5836e8df0828e0e5354378a67c308

SHA256
7385ba5d8ac550fa77e31796ee7d7e6ee5308db7aac4bcd57dec0d8958ea826e

SHA512
3aafbbf0f3b83b5ff17edf4caf2a0f4fec2690b54a72e80df5dd9f93c432d4caf853d414d0f54bb5a165ce914c9d23e08de3b540090d8d3faf9abe6bb6e30c5c

Download Submit
\Windows\SysWOW64\Glnnfp32.exe

Filesize
50KB

MD5
2b1057ac33924e709a7ab64dcc4c7aba

SHA1
be3898a48be5836e8df0828e0e5354378a67c308

SHA256
7385ba5d8ac550fa77e31796ee7d7e6ee5308db7aac4bcd57dec0d8958ea826e

SHA512
3aafbbf0f3b83b5ff17edf4caf2a0f4fec2690b54a72e80df5dd9f93c432d4caf853d414d0f54bb5a165ce914c9d23e08de3b540090d8d3faf9abe6bb6e30c5c

Download Submit
\Windows\SysWOW64\Hchbbm32.exe

Filesize
50KB

MD5
cc4d467abd7b903768ff871057c7167f

SHA1
f0a67102f09176b2cb449dd6cdd730312a0c6701

SHA256
abb67b5d7a955ec76023ff8501f078fd6f9a68e55369766a92973e97a1171e7c

SHA512
f9a207ee9361f3c478087372689fcf12c6143c86e81b48bf43f105aca6b3e02e38c32e62d232d17c8557fa8c584db93289311456a97d5677b52e5663b9e3d559

Download Submit
\Windows\SysWOW64\Hchbbm32.exe

Filesize
50KB

MD5
cc4d467abd7b903768ff871057c7167f

SHA1
f0a67102f09176b2cb449dd6cdd730312a0c6701

SHA256
abb67b5d7a955ec76023ff8501f078fd6f9a68e55369766a92973e97a1171e7c

SHA512
f9a207ee9361f3c478087372689fcf12c6143c86e81b48bf43f105aca6b3e02e38c32e62d232d17c8557fa8c584db93289311456a97d5677b52e5663b9e3d559

Download Submit
\Windows\SysWOW64\Hjdgdgha.exe

Filesize
50KB

MD5
d2fe48b58699d601ecde92198e852104

SHA1
1bddaae806d0eb142bfc608141ea477495211656

SHA256
76d533e241148b708f5a12647ade7dc1eb4b4f6841fc3e2ed5b16dd5a4ee659e

SHA512
c5e02c62c9d57b4f5993f44c9013c11a8be82c51d4eb9ec0b763354647a5727a50319f1c212a54b3b1a3f5e61c694f5a2e18e88b015f7b82547f30c74e27eef1

Download Submit
\Windows\SysWOW64\Hjdgdgha.exe

Filesize
50KB

MD5
d2fe48b58699d601ecde92198e852104

SHA1
1bddaae806d0eb142bfc608141ea477495211656

SHA256
76d533e241148b708f5a12647ade7dc1eb4b4f6841fc3e2ed5b16dd5a4ee659e

SHA512
c5e02c62c9d57b4f5993f44c9013c11a8be82c51d4eb9ec0b763354647a5727a50319f1c212a54b3b1a3f5e61c694f5a2e18e88b015f7b82547f30c74e27eef1

Download Submit
\Windows\SysWOW64\Idlhlpam.exe

Filesize
50KB

MD5
70d4f8564c09ad52f0afa103dc5e2336

SHA1
9355e6a384aff4194a629e4fc106c7a5d3a4d159

SHA256
5cdf23f2b8758648fc11038f5f0e740109313592fd8d740e40308f27c5c2210b

SHA512
4239c0ec7fa7b33fe97b01a8f1c31b6cdfda544f710304551bdbdeef8c1985de6d16ab6a0f3cdc2d068f559a65e150308068841d5d457b3744da91955f5dd719

Download Submit
\Windows\SysWOW64\Idlhlpam.exe

Filesize
50KB

MD5
70d4f8564c09ad52f0afa103dc5e2336

SHA1
9355e6a384aff4194a629e4fc106c7a5d3a4d159

SHA256
5cdf23f2b8758648fc11038f5f0e740109313592fd8d740e40308f27c5c2210b

SHA512
4239c0ec7fa7b33fe97b01a8f1c31b6cdfda544f710304551bdbdeef8c1985de6d16ab6a0f3cdc2d068f559a65e150308068841d5d457b3744da91955f5dd719

Download Submit
\Windows\SysWOW64\Inmbni32.exe

Filesize
50KB

MD5
d0d798048c2525611a20d7cca7b68607

SHA1
dbaec1af5cce3e116d5d1b48425f1569ec066125

SHA256
abc32182e3e4c308558e1c022aed01737b454e99431e74e534fcd2ebf23eb6f5

SHA512
a81af086f3254a3251a598b300d44ff16ad7c1e02c2d04da52cac3ca8f8dc1e6bf761cdf3be6ca2c6e59c9057dfa581eb268ef4594c671aae0ed3d4e11c5b6a3

Download Submit
\Windows\SysWOW64\Inmbni32.exe

Filesize
50KB

MD5
d0d798048c2525611a20d7cca7b68607

SHA1
dbaec1af5cce3e116d5d1b48425f1569ec066125

SHA256
abc32182e3e4c308558e1c022aed01737b454e99431e74e534fcd2ebf23eb6f5

SHA512
a81af086f3254a3251a598b300d44ff16ad7c1e02c2d04da52cac3ca8f8dc1e6bf761cdf3be6ca2c6e59c9057dfa581eb268ef4594c671aae0ed3d4e11c5b6a3

Download Submit
\Windows\SysWOW64\Ipfihm32.exe

Filesize
50KB

MD5
adcff258301e3dc071117a853507c529

SHA1
4954dbe7dfd4607910d4b7ba04890b5eb0d6e5d9

SHA256
744a0322377fafec6dcc9c9612c7c4673246ab65b3861946a68480ebf8973576

SHA512
4a1eabdd4c21d9d78441d971a2214e2f85623886bb9e86045658122a2127c2743f474ae58f60b9ed93a9d72cd049b7d0f63252d7aeed4d5b329ed9de03f65fd8

Download Submit
\Windows\SysWOW64\Ipfihm32.exe

Filesize
50KB

MD5
adcff258301e3dc071117a853507c529

SHA1
4954dbe7dfd4607910d4b7ba04890b5eb0d6e5d9

SHA256
744a0322377fafec6dcc9c9612c7c4673246ab65b3861946a68480ebf8973576

SHA512
4a1eabdd4c21d9d78441d971a2214e2f85623886bb9e86045658122a2127c2743f474ae58f60b9ed93a9d72cd049b7d0f63252d7aeed4d5b329ed9de03f65fd8

Download Submit
\Windows\SysWOW64\Jjfpij32.exe

Filesize
50KB

MD5
31c61961cc52ec2468006aebb5c736c5

SHA1
010b612d46c4f357d96852f14e7ee15d94b7e58d

SHA256
df16c18ab75ff191ae245fdc7feb71347e08147663ef8d006b1b1b68a1aca5d6

SHA512
60aed1b024625f0a2fa245d3b343b2231f9887cb9f92dee6a049a1ef6e4844822915a148688b85322caf1abaeda918f5a7c9d535d5df7550dcf328b076bd0d62

Download Submit
\Windows\SysWOW64\Jjfpij32.exe

Filesize
50KB

MD5
31c61961cc52ec2468006aebb5c736c5

SHA1
010b612d46c4f357d96852f14e7ee15d94b7e58d

SHA256
df16c18ab75ff191ae245fdc7feb71347e08147663ef8d006b1b1b68a1aca5d6

SHA512
60aed1b024625f0a2fa245d3b343b2231f9887cb9f92dee6a049a1ef6e4844822915a148688b85322caf1abaeda918f5a7c9d535d5df7550dcf328b076bd0d62

Download Submit
\Windows\SysWOW64\Kaenpfnm.exe

Filesize
50KB

MD5
e4dbcb6bc1f2de9cbab2b73817471462

SHA1
fc8fcf477a3c7ad5b56e67d825954bf00d1bc37b

SHA256
a4f773506bedbf5776d99fa6b5279aa5d3ce27a3a81c73531ac8d8e8217a87de

SHA512
ded7149a9a4c19f7986d85104f28ba6488c0f4abfc65ad677e612dcada819df0b1d7a9e08ca2552dd6a4a297d0b3224e781520987a90d7375d29c016941c9cb1

Download Submit
\Windows\SysWOW64\Kaenpfnm.exe

Filesize
50KB

MD5
e4dbcb6bc1f2de9cbab2b73817471462

SHA1
fc8fcf477a3c7ad5b56e67d825954bf00d1bc37b

SHA256
a4f773506bedbf5776d99fa6b5279aa5d3ce27a3a81c73531ac8d8e8217a87de

SHA512
ded7149a9a4c19f7986d85104f28ba6488c0f4abfc65ad677e612dcada819df0b1d7a9e08ca2552dd6a4a297d0b3224e781520987a90d7375d29c016941c9cb1

Download Submit
\Windows\SysWOW64\Kdcjlbmp.exe

Filesize
50KB

MD5
1604ba1467ef90838441bb8413cac11c

SHA1
8f324a00d8790c30f52f60992046cedeb1d7886a

SHA256
9f5beb28487d1f8210fef419acf0dd6f5ceae56cb4200f7f42991bcd7af4f68b

SHA512
1b28cae0cbaa2d42e3233685173d645d31ef4c1428914f06199e58f2eae331030af38c677a58a3d192b9492f4ec612bd39bf8afc6925e057af7a3b4787bb9372

Download Submit
\Windows\SysWOW64\Kdcjlbmp.exe

Filesize
50KB

MD5
1604ba1467ef90838441bb8413cac11c

SHA1
8f324a00d8790c30f52f60992046cedeb1d7886a

SHA256
9f5beb28487d1f8210fef419acf0dd6f5ceae56cb4200f7f42991bcd7af4f68b

SHA512
1b28cae0cbaa2d42e3233685173d645d31ef4c1428914f06199e58f2eae331030af38c677a58a3d192b9492f4ec612bd39bf8afc6925e057af7a3b4787bb9372

Download Submit
\Windows\SysWOW64\Kdldkc32.exe

Filesize
50KB

MD5
3eb8bff3338445e93e5c9ab630cca0fe

SHA1
445f861e1f0b72e84cb346cc962038f89a423a04

SHA256
8903a16b1cdf76fa25c95fc6c5fa957eb3ce778fe8ea096f0daf39925773e2ec

SHA512
b252179c7fd9bf80d63a662aaafa183fe9c2b92dd342c152e06ca58c10f233b64ca72417ceef8fc0d7a35ac6df9e20f067664685dc554f56b65d3dcb7ff78391

Download Submit
\Windows\SysWOW64\Kdldkc32.exe

Filesize
50KB

MD5
3eb8bff3338445e93e5c9ab630cca0fe

SHA1
445f861e1f0b72e84cb346cc962038f89a423a04

SHA256
8903a16b1cdf76fa25c95fc6c5fa957eb3ce778fe8ea096f0daf39925773e2ec

SHA512
b252179c7fd9bf80d63a662aaafa183fe9c2b92dd342c152e06ca58c10f233b64ca72417ceef8fc0d7a35ac6df9e20f067664685dc554f56b65d3dcb7ff78391

Download Submit
\Windows\SysWOW64\Kdoqqb32.exe

Filesize
50KB

MD5
1a4bd5129a330ff0f03dade990cb340f

SHA1
bd13785a97f6467caac280ff876a12250e01da2e

SHA256
72ebb54e72da7f8e6f51d365fe340cd3506bfd774bb618ee4e202041c39676f0

SHA512
ea9a6a9b218f997c05aba5efcb8cd9cdaf1a2ee06a82bb9aa7ee26c3b5c8b5de0e9baadab1598dc8334141f593d1c9e824a9e08306eecf6b0b209defd5575f3b

Download Submit
\Windows\SysWOW64\Kdoqqb32.exe

Filesize
50KB

MD5
1a4bd5129a330ff0f03dade990cb340f

SHA1
bd13785a97f6467caac280ff876a12250e01da2e

SHA256
72ebb54e72da7f8e6f51d365fe340cd3506bfd774bb618ee4e202041c39676f0

SHA512
ea9a6a9b218f997c05aba5efcb8cd9cdaf1a2ee06a82bb9aa7ee26c3b5c8b5de0e9baadab1598dc8334141f593d1c9e824a9e08306eecf6b0b209defd5575f3b

Download Submit
\Windows\SysWOW64\Kgojbnnf.exe

Filesize
50KB

MD5
1aca6bffcb3a8f4a08a426e1234bbf72

SHA1
d1152c51746385c28d3381332a09ee90adc7429f

SHA256
dcf359168253caff2b686edb4e968db6c7b4dcfd44ef44661c867f64551cce58

SHA512
3ffc211d4bc68a23be013d09ea3c146a83ca4991645033564be45c6b3bd1f653a7b18df6fa2a30200315d39921207e89823d68f2e34f5e6e7c35131fdf692a75

Download Submit
\Windows\SysWOW64\Kgojbnnf.exe

Filesize
50KB

MD5
1aca6bffcb3a8f4a08a426e1234bbf72

SHA1
d1152c51746385c28d3381332a09ee90adc7429f

SHA256
dcf359168253caff2b686edb4e968db6c7b4dcfd44ef44661c867f64551cce58

SHA512
3ffc211d4bc68a23be013d09ea3c146a83ca4991645033564be45c6b3bd1f653a7b18df6fa2a30200315d39921207e89823d68f2e34f5e6e7c35131fdf692a75

Download Submit
\Windows\SysWOW64\Kipbdikh.exe

Filesize
50KB

MD5
4327f0c4c8bbe7792e7fdf136f8b87a3

SHA1
50a352f6a66d5516f9807cdab7d854aa822f4e84

SHA256
bde751a992723e48e321c29626856c2b4fd3a489ac15b4675a0b3ee37fdcc9f7

SHA512
105cb4c076829f4daa314647f59b2459a16825e988ef752908f132cd5d4da11dd9901987bee98aae1eb7c490532da5dd43784bd2c6bb9903c028a00ee8fe90c2

Download Submit
\Windows\SysWOW64\Kipbdikh.exe

Filesize
50KB

MD5
4327f0c4c8bbe7792e7fdf136f8b87a3

SHA1
50a352f6a66d5516f9807cdab7d854aa822f4e84

SHA256
bde751a992723e48e321c29626856c2b4fd3a489ac15b4675a0b3ee37fdcc9f7

SHA512
105cb4c076829f4daa314647f59b2459a16825e988ef752908f132cd5d4da11dd9901987bee98aae1eb7c490532da5dd43784bd2c6bb9903c028a00ee8fe90c2

Download Submit
\Windows\SysWOW64\Kkhimmib.exe

Filesize
50KB

MD5
468d90e9203ff79f4198b0e2c89ec2f3

SHA1
38b63cb99513cf4e74218a56c2a51250d22d6db5

SHA256
2739cbdc9db8252de82627ec6d2b206db4bdee68797c865141323deb18b091af

SHA512
ef3c8b844add7d8f23e2b5186725991b89c585876a2c20ff4ccf2fa3b6ba3aa27ceafdefc150f0fcb2e33ac892d8d530e9b41b3ed48c9e58660f50f33cce24ba

Download Submit
\Windows\SysWOW64\Kkhimmib.exe

Filesize
50KB

MD5
468d90e9203ff79f4198b0e2c89ec2f3

SHA1
38b63cb99513cf4e74218a56c2a51250d22d6db5

SHA256
2739cbdc9db8252de82627ec6d2b206db4bdee68797c865141323deb18b091af

SHA512
ef3c8b844add7d8f23e2b5186725991b89c585876a2c20ff4ccf2fa3b6ba3aa27ceafdefc150f0fcb2e33ac892d8d530e9b41b3ed48c9e58660f50f33cce24ba

Download Submit
\Windows\SysWOW64\Kmdhdhji.exe

Filesize
50KB

MD5
c4e74ef3652d260ef19f7d77bd6b8f28

SHA1
203a781a46dab92f4a38cbbc27a1a4e912219aa6

SHA256
bdcfe6700985f3fa50200151562fc62884402a9351f78b25c1882db40756ddd4

SHA512
e3d4cf58ea3c38a11eacb638a9f24444f8d0fc0938c7ab8a10c37d6420aa60075120ebb1e12df6a4999ff53e4d66bf671d2fd725588183d0e7190355643f5a9b

Download Submit
\Windows\SysWOW64\Kmdhdhji.exe

Filesize
50KB

MD5
c4e74ef3652d260ef19f7d77bd6b8f28

SHA1
203a781a46dab92f4a38cbbc27a1a4e912219aa6

SHA256
bdcfe6700985f3fa50200151562fc62884402a9351f78b25c1882db40756ddd4

SHA512
e3d4cf58ea3c38a11eacb638a9f24444f8d0fc0938c7ab8a10c37d6420aa60075120ebb1e12df6a4999ff53e4d66bf671d2fd725588183d0e7190355643f5a9b

Download Submit
\Windows\SysWOW64\Kpeaecgj.exe

Filesize
50KB

MD5
11092bd96abe31f763dd6b553ade1d98

SHA1
059c11db7a43eddc2cba87fb2bfd7c27ed736bb7

SHA256
da300c8e5a3f4f70c96cad1045bbf8b0ed0c306872f1c3df5fb5c45c879deafe

SHA512
04f992e3ad231001fca13352b000bfc579f2663fc425cbda38209dcfc1a6d2ef09d44d248d98f703ea6983de17c1300a2479d90d362ce50ee96e97a96d154637

Download Submit
\Windows\SysWOW64\Kpeaecgj.exe

Filesize
50KB

MD5
11092bd96abe31f763dd6b553ade1d98

SHA1
059c11db7a43eddc2cba87fb2bfd7c27ed736bb7

SHA256
da300c8e5a3f4f70c96cad1045bbf8b0ed0c306872f1c3df5fb5c45c879deafe

SHA512
04f992e3ad231001fca13352b000bfc579f2663fc425cbda38209dcfc1a6d2ef09d44d248d98f703ea6983de17c1300a2479d90d362ce50ee96e97a96d154637

Download Submit
memory/108-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/288-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/468-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/520-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/520-191-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/520-192-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/548-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/612-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/612-133-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/620-196-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/620-214-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/620-213-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/660-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/672-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/820-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/832-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/852-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/896-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1052-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1072-143-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1072-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1128-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1136-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1148-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1212-188-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1212-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1252-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-195-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1368-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1380-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1452-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1472-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1496-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1572-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1580-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1620-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1648-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1668-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1680-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1700-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-181-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1712-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1736-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-65-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1760-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1760-153-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1928-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1936-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1952-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1960-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2000-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2024-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download