50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe
Size

50KB
MD5

fce9148493315ca2d1650cb6f22882d0
SHA1

661929a6602af34c11a55a155d8a52c531c29988
SHA256

50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430
SHA512

d7afab27eb2adca34b621c76c239cd864ef92187f3f8943939142014aa2da7bf652bd24acec0b29b892274e156f2c0a5aad35d507f1880209bf5ec2614b0ba24
SSDEEP

768:++jx/Qc5QtHKaNlKanbuVv1rbERwif21kIZe2YtuFkkvj5V99999999aieCHRe/T:1jx/Qcut/qanIFbDif2LZe2YkaeEFN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Gaibod32.exeHpeeppdp.exeNklfoi32.exeFcneeo32.exeHnmeodjc.exeBkcjqbab.exeDbgnjicb.exeGpjfdbom.exeFacjlhil.exeGejoei32.exePclneicb.exeEbnddn32.exeGqkhda32.exeFiaogfai.exeBpfkdl32.exeJjmhppqd.exeDohfbj32.exeEadopc32.exeIkjcmi32.exeGjiepdkm.exePpkpgmba.exeFpcpdcee.exeOilmnbpg.exeFhgjblfq.exeHkohchko.exeIelfgmnj.exeDmkcpdao.exeDidqkeeq.exeImgbkb32.exeEhekqe32.exeJdhine32.exeOdbgim32.exeImeeeb32.exeAifiko32.exeMpolqa32.exeDpemacql.exeOcgdji32.exeOmjpeo32.exeGedohfmp.exeMibbbg32.exeAddhiink.exeBegcad32.exeHebkid32.exeCoojfa32.exeFmficqpc.exeLkeekk32.exeBehiln32.exeFdgdgnbm.exeDhcfleff.exe50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exeBnkicmik.exeLnfgcn32.exeGndbie32.exeKdmlkfjb.exeKkqefcdk.exeNicjhchb.exeNghgipmj.exeJlanpfkj.exeJhejgl32.exeEpopgbia.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaibod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpeeppdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcjqbab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbgnjicb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpjfdbom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facjlhil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejoei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclneicb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnddn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaogfai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dohfbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eadopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikjcmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjiepdkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppkpgmba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpcpdcee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oilmnbpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgjblfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Didqkeeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgbkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikjcmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imeeeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aifiko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgdji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omjpeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gedohfmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibbbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Addhiink.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Begcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hebkid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coojfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behiln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcfleff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkicmik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnfgcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkqefcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhejgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe

Executes dropped EXE 64 IoCs

Processes:

Dbhdeofn.exeDbjajo32.exeDlbfcdkk.exeDiffmi32.exeDlebid32.exeEpbkoboo.exeEohhpodg.exeElliiccq.exeEfamflbg.exeElneoc32.exeEefjhhgo.exeEplneagd.exeEeifmhel.exeFlcojb32.exeFbmggl32.exeFigocflb.exeFochlmjj.exeFcaqblpp.exeFpeakpoj.exeFojnll32.exeGchfbk32.exeGheoka32.exeGckchj32.exeGieled32.exeGgilni32.exeGodqbk32.exeGjiepdkm.exeGcbiii32.exeHhobap32.exeHcdfni32.exeHpmpbm32.exeHcnidh32.exeIqainlfj.exeImkghm32.exeIfckab32.exeIqhpok32.exeIgbhkeho.exeIqkldk32.exeJgedqe32.exeJifahmlj.exeJfjabakd.exeJqpfojjj.exeJjhjhpaj.exeJcpoae32.exeJjmcco32.exeKggjmbeg.exeKcnkbckk.exeKikcjjib.exeLpelgd32.exeLimppjgp.exeLgopnapo.exeLmkifhnf.exeLfdmon32.exeLibiki32.exeLhcjiq32.exeLcjjnaan.exeLigcfhoe.exeMibbbg32.exeNdhgop32.exeNdjceo32.exeNiglmfab.exeNhhlkn32.exeNmedcd32.exeNmgaidef.exe

pid	process
3468	Dbhdeofn.exe
4580	Dbjajo32.exe
3064	Dlbfcdkk.exe
2412	Diffmi32.exe
4536	Dlebid32.exe
2368	Epbkoboo.exe
4908	Eohhpodg.exe
4900	Elliiccq.exe
4816	Efamflbg.exe
1388	Elneoc32.exe
4360	Eefjhhgo.exe
3904	Eplneagd.exe
5092	Eeifmhel.exe
4136	Flcojb32.exe
3212	Fbmggl32.exe
3848	Figocflb.exe
4228	Fochlmjj.exe
4188	Fcaqblpp.exe
208	Fpeakpoj.exe
2484	Fojnll32.exe
2788	Gchfbk32.exe
1256	Gheoka32.exe
5060	Gckchj32.exe
3984	Gieled32.exe
3432	Ggilni32.exe
4548	Godqbk32.exe
4304	Gjiepdkm.exe
3136	Gcbiii32.exe
4024	Hhobap32.exe
1504	Hcdfni32.exe
4616	Hpmpbm32.exe
2380	Hcnidh32.exe
1636	Iqainlfj.exe
2044	Imkghm32.exe
3700	Ifckab32.exe
860	Iqhpok32.exe
4512	Igbhkeho.exe
332	Iqkldk32.exe
1480	Jgedqe32.exe
3024	Jifahmlj.exe
1476	Jfjabakd.exe
1304	Jqpfojjj.exe
540	Jjhjhpaj.exe
1384	Jcpoae32.exe
440	Jjmcco32.exe
1776	Kggjmbeg.exe
1952	Kcnkbckk.exe
4656	Kikcjjib.exe
3808	Lpelgd32.exe
4716	Limppjgp.exe
60	Lgopnapo.exe
2460	Lmkifhnf.exe
4724	Lfdmon32.exe
536	Libiki32.exe
3488	Lhcjiq32.exe
4988	Lcjjnaan.exe
3440	Ligcfhoe.exe
3472	Mibbbg32.exe
2916	Ndhgop32.exe
1000	Ndjceo32.exe
4720	Niglmfab.exe
888	Nhhlkn32.exe
3556	Nmedcd32.exe
3596	Nmgaidef.exe

Drops file in System32 directory 64 IoCs

Processes:

Dbdano32.exePafcfpnj.exeHndiih32.exeAliobieh.exeDllmfd32.exeDchbhn32.exeMpaifalo.exePhaahggp.exeDqhpai32.exeGjojbkoc.exeBlpechop.exeEelpqi32.exeJfbdpabn.exeFcaqblpp.exeBigimb32.exeCfbcke32.exeDhclmp32.exeBqnemp32.exeEefjhhgo.exeOdmiam32.exeFhfedgmh.exeLddikg32.exeHannao32.exeGkeakl32.exeIfphkbep.exeGchfbk32.exeLfdmon32.exeDjgljk32.exeHlnqln32.exeCggibe32.exeMqbpqgpj.exePagdol32.exeFhgjblfq.exePhigif32.exeBlnoga32.exeJqpfojjj.exePajlao32.exeAoeniefo.exeElccfc32.exeHjfihc32.exeIpqnahgf.exePdkoch32.exeJhoeef32.exeMhiabbdi.exeGlinjqhb.exeCeeapg32.exeAepmpe32.exeDlojkddn.exeFneoma32.exeDfclcqbo.exeJgdpog32.exeDokjbp32.exeLekmnajj.exeGclimi32.exeEfoloo32.exeQnkdhpjn.exeAhdged32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Dagajlal.exe	Dbdano32.exe
File opened for modification	C:\Windows\SysWOW64\Pgbkng32.exe	Pafcfpnj.exe
File created	C:\Windows\SysWOW64\Hpeeppdp.exe	Hndiih32.exe
File opened for modification	C:\Windows\SysWOW64\Apekch32.exe	Aliobieh.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dllmfd32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fklenm32.dll	Phaahggp.exe
File opened for modification	C:\Windows\SysWOW64\Egionb32.exe	Dqhpai32.exe
File created	C:\Windows\SysWOW64\Gaibod32.exe	Gjojbkoc.exe
File created	C:\Windows\SysWOW64\Booaodnd.exe	Blpechop.exe
File created	C:\Windows\SysWOW64\Bhcbdkfh.dll	Eelpqi32.exe
File created	C:\Windows\SysWOW64\Cdfbfb32.dll	Jfbdpabn.exe
File created	C:\Windows\SysWOW64\Kjipmoai.exe
File created	C:\Windows\SysWOW64\Adabbe32.dll
File opened for modification	C:\Windows\SysWOW64\Fpeakpoj.exe	Fcaqblpp.exe
File created	C:\Windows\SysWOW64\Bpaaimgp.exe	Bigimb32.exe
File opened for modification	C:\Windows\SysWOW64\Dokgdkeh.exe	Cfbcke32.exe
File created	C:\Windows\SysWOW64\Dkahilkl.exe	Dhclmp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfjee32.exe	Bqnemp32.exe
File opened for modification	C:\Windows\SysWOW64\Eplneagd.exe	Eefjhhgo.exe
File created	C:\Windows\SysWOW64\Pijaic32.exe	Odmiam32.exe
File created	C:\Windows\SysWOW64\Fnpmaa32.exe	Fhfedgmh.exe
File created	C:\Windows\SysWOW64\Ejcnod32.dll	Lddikg32.exe
File created	C:\Windows\SysWOW64\Hcljmj32.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Gclimi32.exe	Gkeakl32.exe
File created	C:\Windows\SysWOW64\Iljpgl32.exe	Ifphkbep.exe
File opened for modification	C:\Windows\SysWOW64\Gheoka32.exe	Gchfbk32.exe
File created	C:\Windows\SysWOW64\Libiki32.exe	Lfdmon32.exe
File created	C:\Windows\SysWOW64\Jpgcaa32.dll	Djgljk32.exe
File opened for modification	C:\Windows\SysWOW64\Hakidd32.exe	Hlnqln32.exe
File created	C:\Windows\SysWOW64\Qciebg32.exe
File created	C:\Windows\SysWOW64\Lfbpae32.dll
File opened for modification	C:\Windows\SysWOW64\Apfhajjf.exe
File created	C:\Windows\SysWOW64\Mfhjna32.dll	Cggibe32.exe
File created	C:\Windows\SysWOW64\Mklcagpj.dll	Mqbpqgpj.exe
File opened for modification	C:\Windows\SysWOW64\Qcepkg32.exe	Pagdol32.exe
File created	C:\Windows\SysWOW64\Bojlop32.dll	Fhgjblfq.exe
File created	C:\Windows\SysWOW64\Pocpfphe.exe	Phigif32.exe
File created	C:\Windows\SysWOW64\Bjjhhfnd.dll	Blnoga32.exe
File created	C:\Windows\SysWOW64\Jjhjhpaj.exe	Jqpfojjj.exe
File created	C:\Windows\SysWOW64\Phddniaa.exe	Pajlao32.exe
File created	C:\Windows\SysWOW64\Molpnchg.dll	Aoeniefo.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Phfjcf32.exe	Pdkoch32.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Maaekg32.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Bcdqnmmm.dll	Glinjqhb.exe
File created	C:\Windows\SysWOW64\Fqogjk32.dll	Ceeapg32.exe
File created	C:\Windows\SysWOW64\Apeannam.exe	Aepmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dchbhn32.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Ibkonk32.dll	Fneoma32.exe
File created	C:\Windows\SysWOW64\Kcfnqccd.exe
File created	C:\Windows\SysWOW64\Acbhhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dqhpai32.exe	Dfclcqbo.exe
File created	C:\Windows\SysWOW64\Jkplpfbn.exe	Jgdpog32.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Lkeekk32.exe	Lekmnajj.exe
File created	C:\Windows\SysWOW64\Gekeie32.exe	Gclimi32.exe
File created	C:\Windows\SysWOW64\Lonaca32.dll	Efoloo32.exe
File created	C:\Windows\SysWOW64\Qeemej32.exe	Qnkdhpjn.exe
File opened for modification	C:\Windows\SysWOW64\Aehgnied.exe	Ahdged32.exe

Modifies registry class 64 IoCs

Processes:

Jomeoggk.exeBilcef32.exeFpcpdcee.exeDpefaq32.exeGekeie32.exeCgaqphgl.exeHlgjko32.exeJkplpfbn.exeHimcoo32.exeKkihknfg.exeMcklgm32.exePknqoc32.exeKmegbjgn.exeCpacqg32.exeFfnglc32.exeCbknhqbl.exeHpmpbm32.exeDoggag32.exeAcjjfggb.exeAjneip32.exeJbbmmo32.exeEmikfocj.exeMdpalp32.exeCgejkh32.exePdkoch32.exeIljpgl32.exeHcdfni32.exeHffcni32.exeQiappono.exeLgbnmm32.exeClkndpag.exeMqnfeh32.exeOpkoflco.exeGcjdam32.exeIameid32.exeBbalaoda.exeCmgjee32.exePpdjfnhj.exeBkcjqbab.exeDfclcqbo.exeFmpjmh32.exeGkalbj32.exeIqhpok32.exeDohfbj32.exeKhkdad32.exeAbcppq32.exeCbdhgaid.exeOkmfpm32.exeDlojkddn.exeKdkoef32.exeDaeddlco.exeFalcli32.exeGkhbbi32.exeIlfodgeg.exeLehhqg32.exeAimhmkgn.exeEblgon32.exeKblpcndd.exeDeejpjgc.exeGmecikkj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jomeoggk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilcef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpcpdcee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpcpdcee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gekeie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiah32.dll"	Hlgjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfqmlko.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkplpfbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll"	Pknqoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnglc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbplf32.dll"	Hpmpbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doggag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjjfggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll"	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emikfocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbcfe32.dll"	Cgejkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopnfa32.dll"	Pdkoch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iljpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcdfni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hffcni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiappono.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnigkegh.dll"	Clkndpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqnfeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opkoflco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iameid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppdjfnhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkcjqbab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdejgmgi.dll"	Dfclcqbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqoakock.dll"	Fmpjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqhpok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dohfbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdhgaid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdhibia.dll"	Okmfpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdqfa32.dll"	Daeddlco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Falcli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinffi32.dll"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjepamq.dll"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifmdfkg.dll"	Eblgon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacbag32.dll"	Deejpjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhbe32.dll"	Gmecikkj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exeDbhdeofn.exeDbjajo32.exeDlbfcdkk.exeDiffmi32.exeDlebid32.exeEpbkoboo.exeEohhpodg.exeElliiccq.exeEfamflbg.exeElneoc32.exeEefjhhgo.exeEplneagd.exeEeifmhel.exeFlcojb32.exeFbmggl32.exeFigocflb.exeFochlmjj.exeFcaqblpp.exeFpeakpoj.exeFojnll32.exeGchfbk32.exe

description	pid	process	target process
PID 680 wrote to memory of 3468	680	50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe	Dbhdeofn.exe
PID 680 wrote to memory of 3468	680	50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe	Dbhdeofn.exe
PID 680 wrote to memory of 3468	680	50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe	Dbhdeofn.exe
PID 3468 wrote to memory of 4580	3468	Dbhdeofn.exe	Dbjajo32.exe
PID 3468 wrote to memory of 4580	3468	Dbhdeofn.exe	Dbjajo32.exe
PID 3468 wrote to memory of 4580	3468	Dbhdeofn.exe	Dbjajo32.exe
PID 4580 wrote to memory of 3064	4580	Dbjajo32.exe	Dlbfcdkk.exe
PID 4580 wrote to memory of 3064	4580	Dbjajo32.exe	Dlbfcdkk.exe
PID 4580 wrote to memory of 3064	4580	Dbjajo32.exe	Dlbfcdkk.exe
PID 3064 wrote to memory of 2412	3064	Dlbfcdkk.exe	Diffmi32.exe
PID 3064 wrote to memory of 2412	3064	Dlbfcdkk.exe	Diffmi32.exe
PID 3064 wrote to memory of 2412	3064	Dlbfcdkk.exe	Diffmi32.exe
PID 2412 wrote to memory of 4536	2412	Diffmi32.exe	Dlebid32.exe
PID 2412 wrote to memory of 4536	2412	Diffmi32.exe	Dlebid32.exe
PID 2412 wrote to memory of 4536	2412	Diffmi32.exe	Dlebid32.exe
PID 4536 wrote to memory of 2368	4536	Dlebid32.exe	Epbkoboo.exe
PID 4536 wrote to memory of 2368	4536	Dlebid32.exe	Epbkoboo.exe
PID 4536 wrote to memory of 2368	4536	Dlebid32.exe	Epbkoboo.exe
PID 2368 wrote to memory of 4908	2368	Epbkoboo.exe	Eohhpodg.exe
PID 2368 wrote to memory of 4908	2368	Epbkoboo.exe	Eohhpodg.exe
PID 2368 wrote to memory of 4908	2368	Epbkoboo.exe	Eohhpodg.exe
PID 4908 wrote to memory of 4900	4908	Eohhpodg.exe	Elliiccq.exe
PID 4908 wrote to memory of 4900	4908	Eohhpodg.exe	Elliiccq.exe
PID 4908 wrote to memory of 4900	4908	Eohhpodg.exe	Elliiccq.exe
PID 4900 wrote to memory of 4816	4900	Elliiccq.exe	Efamflbg.exe
PID 4900 wrote to memory of 4816	4900	Elliiccq.exe	Efamflbg.exe
PID 4900 wrote to memory of 4816	4900	Elliiccq.exe	Efamflbg.exe
PID 4816 wrote to memory of 1388	4816	Efamflbg.exe	Elneoc32.exe
PID 4816 wrote to memory of 1388	4816	Efamflbg.exe	Elneoc32.exe
PID 4816 wrote to memory of 1388	4816	Efamflbg.exe	Elneoc32.exe
PID 1388 wrote to memory of 4360	1388	Elneoc32.exe	Eefjhhgo.exe
PID 1388 wrote to memory of 4360	1388	Elneoc32.exe	Eefjhhgo.exe
PID 1388 wrote to memory of 4360	1388	Elneoc32.exe	Eefjhhgo.exe
PID 4360 wrote to memory of 3904	4360	Eefjhhgo.exe	Eplneagd.exe
PID 4360 wrote to memory of 3904	4360	Eefjhhgo.exe	Eplneagd.exe
PID 4360 wrote to memory of 3904	4360	Eefjhhgo.exe	Eplneagd.exe
PID 3904 wrote to memory of 5092	3904	Eplneagd.exe	Eeifmhel.exe
PID 3904 wrote to memory of 5092	3904	Eplneagd.exe	Eeifmhel.exe
PID 3904 wrote to memory of 5092	3904	Eplneagd.exe	Eeifmhel.exe
PID 5092 wrote to memory of 4136	5092	Eeifmhel.exe	Flcojb32.exe
PID 5092 wrote to memory of 4136	5092	Eeifmhel.exe	Flcojb32.exe
PID 5092 wrote to memory of 4136	5092	Eeifmhel.exe	Flcojb32.exe
PID 4136 wrote to memory of 3212	4136	Flcojb32.exe	Fbmggl32.exe
PID 4136 wrote to memory of 3212	4136	Flcojb32.exe	Fbmggl32.exe
PID 4136 wrote to memory of 3212	4136	Flcojb32.exe	Fbmggl32.exe
PID 3212 wrote to memory of 3848	3212	Fbmggl32.exe	Figocflb.exe
PID 3212 wrote to memory of 3848	3212	Fbmggl32.exe	Figocflb.exe
PID 3212 wrote to memory of 3848	3212	Fbmggl32.exe	Figocflb.exe
PID 3848 wrote to memory of 4228	3848	Figocflb.exe	Fochlmjj.exe
PID 3848 wrote to memory of 4228	3848	Figocflb.exe	Fochlmjj.exe
PID 3848 wrote to memory of 4228	3848	Figocflb.exe	Fochlmjj.exe
PID 4228 wrote to memory of 4188	4228	Fochlmjj.exe	Fcaqblpp.exe
PID 4228 wrote to memory of 4188	4228	Fochlmjj.exe	Fcaqblpp.exe
PID 4228 wrote to memory of 4188	4228	Fochlmjj.exe	Fcaqblpp.exe
PID 4188 wrote to memory of 208	4188	Fcaqblpp.exe	Fpeakpoj.exe
PID 4188 wrote to memory of 208	4188	Fcaqblpp.exe	Fpeakpoj.exe
PID 4188 wrote to memory of 208	4188	Fcaqblpp.exe	Fpeakpoj.exe
PID 208 wrote to memory of 2484	208	Fpeakpoj.exe	Fojnll32.exe
PID 208 wrote to memory of 2484	208	Fpeakpoj.exe	Fojnll32.exe
PID 208 wrote to memory of 2484	208	Fpeakpoj.exe	Fojnll32.exe
PID 2484 wrote to memory of 2788	2484	Fojnll32.exe	Gchfbk32.exe
PID 2484 wrote to memory of 2788	2484	Fojnll32.exe	Gchfbk32.exe
PID 2484 wrote to memory of 2788	2484	Fojnll32.exe	Gchfbk32.exe
PID 2788 wrote to memory of 1256	2788	Gchfbk32.exe	Gheoka32.exe

C:\Users\Admin\AppData\Local\Temp\50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe
"C:\Users\Admin\AppData\Local\Temp\50eb2939eb9dca0708c905e659c40cc4722eb2d178a69d23eb28023f5f330430.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\SysWOW64\Dbhdeofn.exe
  C:\Windows\system32\Dbhdeofn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\Dbjajo32.exe
    C:\Windows\system32\Dbjajo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\Dlbfcdkk.exe
      C:\Windows\system32\Dlbfcdkk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\Diffmi32.exe
        
        C:\Windows\system32\Diffmi32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\SysWOW64\Dlebid32.exe
        
        C:\Windows\system32\Dlebid32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Epbkoboo.exe
        
        C:\Windows\system32\Epbkoboo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Eohhpodg.exe
        
        C:\Windows\system32\Eohhpodg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Elliiccq.exe
        
        C:\Windows\system32\Elliiccq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Efamflbg.exe
        
        C:\Windows\system32\Efamflbg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Elneoc32.exe
        
        C:\Windows\system32\Elneoc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Eefjhhgo.exe
        
        C:\Windows\system32\Eefjhhgo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Eplneagd.exe
        
        C:\Windows\system32\Eplneagd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Eeifmhel.exe
        
        C:\Windows\system32\Eeifmhel.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Flcojb32.exe
        
        C:\Windows\system32\Flcojb32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fbmggl32.exe
        
        C:\Windows\system32\Fbmggl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Figocflb.exe
        
        C:\Windows\system32\Figocflb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Fochlmjj.exe
        
        C:\Windows\system32\Fochlmjj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Fcaqblpp.exe
        
        C:\Windows\system32\Fcaqblpp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Fpeakpoj.exe
        
        C:\Windows\system32\Fpeakpoj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Fojnll32.exe
        
        C:\Windows\system32\Fojnll32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Gchfbk32.exe
        
        C:\Windows\system32\Gchfbk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Gheoka32.exe
        
        C:\Windows\system32\Gheoka32.exe
        23⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Gckchj32.exe
        
        C:\Windows\system32\Gckchj32.exe
        24⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Gieled32.exe
        
        C:\Windows\system32\Gieled32.exe
        25⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Ggilni32.exe
        
        C:\Windows\system32\Ggilni32.exe
        26⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Godqbk32.exe
        
        C:\Windows\system32\Godqbk32.exe
        27⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Gjiepdkm.exe
        
        C:\Windows\system32\Gjiepdkm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Gcbiii32.exe
        
        C:\Windows\system32\Gcbiii32.exe
        29⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Hhobap32.exe
        
        C:\Windows\system32\Hhobap32.exe
        30⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Hcdfni32.exe
        
        C:\Windows\system32\Hcdfni32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Hpmpbm32.exe
        
        C:\Windows\system32\Hpmpbm32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Hcnidh32.exe
        
        C:\Windows\system32\Hcnidh32.exe
        33⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Iqainlfj.exe
        
        C:\Windows\system32\Iqainlfj.exe
        34⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Imkghm32.exe
        
        C:\Windows\system32\Imkghm32.exe
        35⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Ifckab32.exe
        
        C:\Windows\system32\Ifckab32.exe
        36⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Iqhpok32.exe
        
        C:\Windows\system32\Iqhpok32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Igbhkeho.exe
        
        C:\Windows\system32\Igbhkeho.exe
        38⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Iqkldk32.exe
        
        C:\Windows\system32\Iqkldk32.exe
        39⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\Jgedqe32.exe
        
        C:\Windows\system32\Jgedqe32.exe
        40⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Jifahmlj.exe
        
        C:\Windows\system32\Jifahmlj.exe
        41⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Jfjabakd.exe
        
        C:\Windows\system32\Jfjabakd.exe
        42⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Jqpfojjj.exe
        
        C:\Windows\system32\Jqpfojjj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jjhjhpaj.exe
        
        C:\Windows\system32\Jjhjhpaj.exe
        44⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Jcpoae32.exe
        
        C:\Windows\system32\Jcpoae32.exe
        45⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Jjmcco32.exe
        
        C:\Windows\system32\Jjmcco32.exe
        46⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Kggjmbeg.exe
        
        C:\Windows\system32\Kggjmbeg.exe
        47⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Kcnkbckk.exe
        
        C:\Windows\system32\Kcnkbckk.exe
        48⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Kikcjjib.exe
        
        C:\Windows\system32\Kikcjjib.exe
        49⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Lpelgd32.exe
        
        C:\Windows\system32\Lpelgd32.exe
        50⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Limppjgp.exe
        
        C:\Windows\system32\Limppjgp.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Lgopnapo.exe
        
        C:\Windows\system32\Lgopnapo.exe
        52⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Lmkifhnf.exe
        
        C:\Windows\system32\Lmkifhnf.exe
        53⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Lfdmon32.exe
        
        C:\Windows\system32\Lfdmon32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Libiki32.exe
        
        C:\Windows\system32\Libiki32.exe
        55⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Lhcjiq32.exe
        
        C:\Windows\system32\Lhcjiq32.exe
        56⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Lcjjnaan.exe
        
        C:\Windows\system32\Lcjjnaan.exe
        57⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ligcfhoe.exe
        
        C:\Windows\system32\Ligcfhoe.exe
        58⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Mibbbg32.exe
        
        C:\Windows\system32\Mibbbg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Ndhgop32.exe
        
        C:\Windows\system32\Ndhgop32.exe
        60⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Ndjceo32.exe
        
        C:\Windows\system32\Ndjceo32.exe
        61⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Niglmfab.exe
        
        C:\Windows\system32\Niglmfab.exe
        62⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Nhhlkn32.exe
        
        C:\Windows\system32\Nhhlkn32.exe
        63⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Nmedcd32.exe
        
        C:\Windows\system32\Nmedcd32.exe
        64⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Nmgaidef.exe
        
        C:\Windows\system32\Nmgaidef.exe
        65⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Nhmefmel.exe
        
        C:\Windows\system32\Nhmefmel.exe
        66⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Oaejob32.exe
        
        C:\Windows\system32\Oaejob32.exe
        67⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Ogbbgi32.exe
        
        C:\Windows\system32\Ogbbgi32.exe
        68⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Oahgdbjj.exe
        
        C:\Windows\system32\Oahgdbjj.exe
        69⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Okpkmh32.exe
        
        C:\Windows\system32\Okpkmh32.exe
        70⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Opmceo32.exe
        
        C:\Windows\system32\Opmceo32.exe
        71⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Oiehndeb.exe
        
        C:\Windows\system32\Oiehndeb.exe
        72⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Odkllm32.exe
        
        C:\Windows\system32\Odkllm32.exe
        73⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Oihedd32.exe
        
        C:\Windows\system32\Oihedd32.exe
        74⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Odmiam32.exe
        
        C:\Windows\system32\Odmiam32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Pijaic32.exe
        
        C:\Windows\system32\Pijaic32.exe
        76⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Ppdjfnhj.exe
        
        C:\Windows\system32\Ppdjfnhj.exe
        77⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Pkincf32.exe
        
        C:\Windows\system32\Pkincf32.exe
        78⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Ppfflm32.exe
        
        C:\Windows\system32\Ppfflm32.exe
        79⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Pklkif32.exe
        
        C:\Windows\system32\Pklkif32.exe
        80⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Pafcfpnj.exe
        
        C:\Windows\system32\Pafcfpnj.exe
        81⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Pgbkng32.exe
        
        C:\Windows\system32\Pgbkng32.exe
        82⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Ppkpgmba.exe
        
        C:\Windows\system32\Ppkpgmba.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2040
        
        C:\Windows\SysWOW64\Pgehcf32.exe
        
        C:\Windows\system32\Pgehcf32.exe
        84⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Pajlao32.exe
        
        C:\Windows\system32\Pajlao32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Phddniaa.exe
        
        C:\Windows\system32\Phddniaa.exe
        86⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Qnamfq32.exe
        
        C:\Windows\system32\Qnamfq32.exe
        87⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Qdkebjfe.exe
        
        C:\Windows\system32\Qdkebjfe.exe
        88⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Adbkci32.exe
        
        C:\Windows\system32\Adbkci32.exe
        89⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Aklcpchj.exe
        
        C:\Windows\system32\Aklcpchj.exe
        90⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Addhiink.exe
        
        C:\Windows\system32\Addhiink.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3920
        
        C:\Windows\SysWOW64\Akopec32.exe
        
        C:\Windows\system32\Akopec32.exe
        92⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Aqkinj32.exe
        
        C:\Windows\system32\Aqkinj32.exe
        93⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Ageajdkl.exe
        
        C:\Windows\system32\Ageajdkl.exe
        94⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Abkehm32.exe
        
        C:\Windows\system32\Abkehm32.exe
        95⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Bhendgbo.exe
        
        C:\Windows\system32\Bhendgbo.exe
        96⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Bkcjqbab.exe
        
        C:\Windows\system32\Bkcjqbab.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Bqpbiipj.exe
        
        C:\Windows\system32\Bqpbiipj.exe
        98⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Bjhgao32.exe
        
        C:\Windows\system32\Bjhgao32.exe
        99⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Bqboni32.exe
        
        C:\Windows\system32\Bqboni32.exe
        100⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Bglgkced.exe
        
        C:\Windows\system32\Bglgkced.exe
        101⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Bjkcgodg.exe
        
        C:\Windows\system32\Bjkcgodg.exe
        102⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Bqeldi32.exe
        
        C:\Windows\system32\Bqeldi32.exe
        103⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Bilcef32.exe
        
        C:\Windows\system32\Bilcef32.exe
        104⤵
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Bjmpmnbe.exe
        
        C:\Windows\system32\Bjmpmnbe.exe
        105⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Bqghih32.exe
        
        C:\Windows\system32\Bqghih32.exe
        106⤵
        
        PID:784
        
        C:\Windows\SysWOW64\Binpkfjd.exe
        
        C:\Windows\system32\Binpkfjd.exe
        107⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Bnkicmik.exe
        
        C:\Windows\system32\Bnkicmik.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4804
        
        C:\Windows\SysWOW64\Ceeapg32.exe
        
        C:\Windows\system32\Ceeapg32.exe
        109⤵
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ckoilage.exe
        
        C:\Windows\system32\Ckoilage.exe
        110⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Cbiaik32.exe
        
        C:\Windows\system32\Cbiaik32.exe
        111⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Cgfjabmi.exe
        
        C:\Windows\system32\Cgfjabmi.exe
        112⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Cjdfmmlm.exe
        
        C:\Windows\system32\Cjdfmmlm.exe
        113⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Cqnojg32.exe
        
        C:\Windows\system32\Cqnojg32.exe
        114⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Caqkpg32.exe
        
        C:\Windows\system32\Caqkpg32.exe
        115⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Cgjclaid.exe
        
        C:\Windows\system32\Cgjclaid.exe
        116⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Cbphjj32.exe
        
        C:\Windows\system32\Cbphjj32.exe
        117⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Cijpfdpg.exe
        
        C:\Windows\system32\Cijpfdpg.exe
        118⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cjklnl32.exe
        
        C:\Windows\system32\Cjklnl32.exe
        119⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Deqqke32.exe
        
        C:\Windows\system32\Deqqke32.exe
        120⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Dniedk32.exe
        
        C:\Windows\system32\Dniedk32.exe
        121⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Dbdaeied.exe
        
        C:\Windows\system32\Dbdaeied.exe
        122⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Dgajmpcl.exe
        
        C:\Windows\system32\Dgajmpcl.exe
        123⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Djpfilbp.exe
        
        C:\Windows\system32\Djpfilbp.exe
        124⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Dbgnjicb.exe
        
        C:\Windows\system32\Dbgnjicb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Dajnff32.exe
        
        C:\Windows\system32\Dajnff32.exe
        126⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Diafgc32.exe
        
        C:\Windows\system32\Diafgc32.exe
        127⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Djbbokpm.exe
        
        C:\Windows\system32\Djbbokpm.exe
        128⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Dbijpi32.exe
        
        C:\Windows\system32\Dbijpi32.exe
        129⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Diccmchl.exe
        
        C:\Windows\system32\Diccmchl.exe
        130⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Dlaoingp.exe
        
        C:\Windows\system32\Dlaoingp.exe
        131⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Dnpkejfc.exe
        
        C:\Windows\system32\Dnpkejfc.exe
        132⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Dejcad32.exe
        
        C:\Windows\system32\Dejcad32.exe
        133⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Djgljk32.exe
        
        C:\Windows\system32\Djgljk32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Eihlhb32.exe
        
        C:\Windows\system32\Eihlhb32.exe
        135⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ekhnog32.exe
        
        C:\Windows\system32\Ekhnog32.exe
        136⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ejkojddf.exe
        
        C:\Windows\system32\Ejkojddf.exe
        137⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Emikfocj.exe
        
        C:\Windows\system32\Emikfocj.exe
        138⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ecccci32.exe
        
        C:\Windows\system32\Ecccci32.exe
        139⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ekjkdg32.exe
        
        C:\Windows\system32\Ekjkdg32.exe
        140⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Fmpagnmb.exe
        
        C:\Windows\system32\Fmpagnmb.exe
        141⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Fhfedgmh.exe
        
        C:\Windows\system32\Fhfedgmh.exe
        142⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Fnpmaa32.exe
        
        C:\Windows\system32\Fnpmaa32.exe
        143⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Fcmfih32.exe
        
        C:\Windows\system32\Fcmfih32.exe
        144⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Fldnke32.exe
        
        C:\Windows\system32\Fldnke32.exe
        145⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Fnbjga32.exe
        
        C:\Windows\system32\Fnbjga32.exe
        146⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Felbck32.exe
        
        C:\Windows\system32\Felbck32.exe
        147⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Fjiklb32.exe
        
        C:\Windows\system32\Fjiklb32.exe
        148⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Facchlpc.exe
        
        C:\Windows\system32\Facchlpc.exe
        149⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Fhmkef32.exe
        
        C:\Windows\system32\Fhmkef32.exe
        150⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Flhgfeoi.exe
        
        C:\Windows\system32\Flhgfeoi.exe
        151⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Fmjcmm32.exe
        
        C:\Windows\system32\Fmjcmm32.exe
        152⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Gdcljg32.exe
        
        C:\Windows\system32\Gdcljg32.exe
        153⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Gnipgp32.exe
        
        C:\Windows\system32\Gnipgp32.exe
        154⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Gechdjdg.exe
        
        C:\Windows\system32\Gechdjdg.exe
        155⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Gejoei32.exe
        
        C:\Windows\system32\Gejoei32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Ghikadmc.exe
        
        C:\Windows\system32\Ghikadmc.exe
        157⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Gmecikkj.exe
        
        C:\Windows\system32\Gmecikkj.exe
        158⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Hdokfe32.exe
        
        C:\Windows\system32\Hdokfe32.exe
        159⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Hoepcn32.exe
        
        C:\Windows\system32\Hoepcn32.exe
        160⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Heohphjj.exe
        
        C:\Windows\system32\Heohphjj.exe
        161⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Hlipmbag.exe
        
        C:\Windows\system32\Hlipmbag.exe
        162⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Hmjmdk32.exe
        
        C:\Windows\system32\Hmjmdk32.exe
        163⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Hddeaeoa.exe
        
        C:\Windows\system32\Hddeaeoa.exe
        164⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Hojinnnh.exe
        
        C:\Windows\system32\Hojinnnh.exe
        165⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Aepmpe32.exe
        
        C:\Windows\system32\Aepmpe32.exe
        166⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Apeannam.exe
        
        C:\Windows\system32\Apeannam.exe
        167⤵
        
        PID:616
        
        C:\Windows\SysWOW64\Ainffd32.exe
        
        C:\Windows\system32\Ainffd32.exe
        168⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Aedgkema.exe
        
        C:\Windows\system32\Aedgkema.exe
        169⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Alooho32.exe
        
        C:\Windows\system32\Alooho32.exe
        170⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Begcad32.exe
        
        C:\Windows\system32\Begcad32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Blalnobl.exe
        
        C:\Windows\system32\Blalnobl.exe
        172⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Bckdji32.exe
        
        C:\Windows\system32\Bckdji32.exe
        173⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Beipfd32.exe
        
        C:\Windows\system32\Beipfd32.exe
        174⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Bpoddm32.exe
        
        C:\Windows\system32\Bpoddm32.exe
        175⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Bcmqphhf.exe
        
        C:\Windows\system32\Bcmqphhf.exe
        176⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Bigimb32.exe
        
        C:\Windows\system32\Bigimb32.exe
        177⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Bpaaimgp.exe
        
        C:\Windows\system32\Bpaaimgp.exe
        178⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Bcpmehfc.exe
        
        C:\Windows\system32\Bcpmehfc.exe
        179⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Biifbb32.exe
        
        C:\Windows\system32\Biifbb32.exe
        180⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bpcnoldm.exe
        
        C:\Windows\system32\Bpcnoldm.exe
        181⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Bepfgc32.exe
        
        C:\Windows\system32\Bepfgc32.exe
        182⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Bpfkdl32.exe
        
        C:\Windows\system32\Bpfkdl32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Cebcmc32.exe
        
        C:\Windows\system32\Cebcmc32.exe
        184⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Cokgehgb.exe
        
        C:\Windows\system32\Cokgehgb.exe
        185⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Clohom32.exe
        
        C:\Windows\system32\Clohom32.exe
        186⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Cgdlle32.exe
        
        C:\Windows\system32\Cgdlle32.exe
        187⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Cnndipmo.exe
        
        C:\Windows\system32\Cnndipmo.exe
        188⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Cggibe32.exe
        
        C:\Windows\system32\Cggibe32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Clcajlbf.exe
        
        C:\Windows\system32\Clcajlbf.exe
        190⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Cgifgebl.exe
        
        C:\Windows\system32\Cgifgebl.exe
        191⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Cncndo32.exe
        
        C:\Windows\system32\Cncndo32.exe
        192⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Dodjlgog.exe
        
        C:\Windows\system32\Dodjlgog.exe
        193⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Dgkbmdpj.exe
        
        C:\Windows\system32\Dgkbmdpj.exe
        194⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Dfnbha32.exe
        
        C:\Windows\system32\Dfnbha32.exe
        195⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Dnekjogg.exe
        
        C:\Windows\system32\Dnekjogg.exe
        196⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Doggag32.exe
        
        C:\Windows\system32\Doggag32.exe
        197⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dfqonada.exe
        
        C:\Windows\system32\Dfqonada.exe
        198⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Dqfckjdh.exe
        
        C:\Windows\system32\Dqfckjdh.exe
        199⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Dfclcqbo.exe
        
        C:\Windows\system32\Dfclcqbo.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Dqhpai32.exe
        
        C:\Windows\system32\Dqhpai32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Egionb32.exe
        
        C:\Windows\system32\Egionb32.exe
        202⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Encgkmkg.exe
        
        C:\Windows\system32\Encgkmkg.exe
        203⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Eqbcghjj.exe
        
        C:\Windows\system32\Eqbcghjj.exe
        204⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Efoloo32.exe
        
        C:\Windows\system32\Efoloo32.exe
        205⤵
        Drops file in System32 directory
        
        PID:6628
        
        C:\Windows\SysWOW64\Emidlipo.exe
        
        C:\Windows\system32\Emidlipo.exe
        206⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Efaheo32.exe
        
        C:\Windows\system32\Efaheo32.exe
        207⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Emkqainl.exe
        
        C:\Windows\system32\Emkqainl.exe
        208⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Eceinc32.exe
        
        C:\Windows\system32\Eceinc32.exe
        209⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Efcejndl.exe
        
        C:\Windows\system32\Efcejndl.exe
        210⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Enjmlleo.exe
        
        C:\Windows\system32\Enjmlleo.exe
        211⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Fplicd32.exe
        
        C:\Windows\system32\Fplicd32.exe
        212⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Fgcada32.exe
        
        C:\Windows\system32\Fgcada32.exe
        213⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Fjanqm32.exe
        
        C:\Windows\system32\Fjanqm32.exe
        214⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Fmpjmh32.exe
        
        C:\Windows\system32\Fmpjmh32.exe
        215⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Fqkfmgbp.exe
        
        C:\Windows\system32\Fqkfmgbp.exe
        216⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ffhnen32.exe
        
        C:\Windows\system32\Ffhnen32.exe
        217⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Fmbgbhhd.exe
        
        C:\Windows\system32\Fmbgbhhd.exe
        218⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Fpqcncgg.exe
        
        C:\Windows\system32\Fpqcncgg.exe
        219⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Fnaclk32.exe
        
        C:\Windows\system32\Fnaclk32.exe
        220⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Fmdchgfa.exe
        
        C:\Windows\system32\Fmdchgfa.exe
        221⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Fpcpdcee.exe
        
        C:\Windows\system32\Fpcpdcee.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Ffmhqm32.exe
        
        C:\Windows\system32\Ffmhqm32.exe
        223⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Fpelib32.exe
        
        C:\Windows\system32\Fpelib32.exe
        224⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Gadiceje.exe
        
        C:\Windows\system32\Gadiceje.exe
        225⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ggoapp32.exe
        
        C:\Windows\system32\Ggoapp32.exe
        226⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Gmkihfpi.exe
        
        C:\Windows\system32\Gmkihfpi.exe
        227⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Gpjfdbom.exe
        
        C:\Windows\system32\Gpjfdbom.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Gjojbkoc.exe
        
        C:\Windows\system32\Gjojbkoc.exe
        229⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Gaibod32.exe
        
        C:\Windows\system32\Gaibod32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Ggcjkoml.exe
        
        C:\Windows\system32\Ggcjkoml.exe
        231⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Gffkgl32.exe
        
        C:\Windows\system32\Gffkgl32.exe
        232⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Gmpcce32.exe
        
        C:\Windows\system32\Gmpcce32.exe
        233⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Gpoopa32.exe
        
        C:\Windows\system32\Gpoopa32.exe
        234⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Gfhglkbd.exe
        
        C:\Windows\system32\Gfhglkbd.exe
        235⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Ganljdbj.exe
        
        C:\Windows\system32\Ganljdbj.exe
        236⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Ghhdfn32.exe
        
        C:\Windows\system32\Ghhdfn32.exe
        237⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Hnblchqd.exe
        
        C:\Windows\system32\Hnblchqd.exe
        238⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Hpchkqfb.exe
        
        C:\Windows\system32\Hpchkqfb.exe
        239⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Hhjqlngd.exe
        
        C:\Windows\system32\Hhjqlngd.exe
        240⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Hfmagk32.exe
        
        C:\Windows\system32\Hfmagk32.exe
        241⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Hndiih32.exe
        
        C:\Windows\system32\Hndiih32.exe
        242⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Hpeeppdp.exe
        
        C:\Windows\system32\Hpeeppdp.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4136
        
        C:\Windows\SysWOW64\Hnibdgkl.exe
        
        C:\Windows\system32\Hnibdgkl.exe
        244⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Hagnpbjp.exe
        
        C:\Windows\system32\Hagnpbjp.exe
        245⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Hdfklnic.exe
        
        C:\Windows\system32\Hdfklnic.exe
        246⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Hfdghihg.exe
        
        C:\Windows\system32\Hfdghihg.exe
        247⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Hajkebhm.exe
        
        C:\Windows\system32\Hajkebhm.exe
        248⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Hdhgangq.exe
        
        C:\Windows\system32\Hdhgangq.exe
        249⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Hffcni32.exe
        
        C:\Windows\system32\Hffcni32.exe
        250⤵
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ialhkb32.exe
        
        C:\Windows\system32\Ialhkb32.exe
        251⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Idjdgm32.exe
        
        C:\Windows\system32\Idjdgm32.exe
        252⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Iophdf32.exe
        
        C:\Windows\system32\Iophdf32.exe
        253⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Idmamm32.exe
        
        C:\Windows\system32\Idmamm32.exe
        254⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Ifkmihbo.exe
        
        C:\Windows\system32\Ifkmihbo.exe
        255⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Imeeeb32.exe
        
        C:\Windows\system32\Imeeeb32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Ipcaan32.exe
        
        C:\Windows\system32\Ipcaan32.exe
        257⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ikifog32.exe
        
        C:\Windows\system32\Ikifog32.exe
        258⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Imgbkb32.exe
        
        C:\Windows\system32\Imgbkb32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Ipfngn32.exe
        
        C:\Windows\system32\Ipfngn32.exe
        260⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Idajhlof.exe
        
        C:\Windows\system32\Idajhlof.exe
        261⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Igpfdhnj.exe
        
        C:\Windows\system32\Igpfdhnj.exe
        262⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Imjoqbef.exe
        
        C:\Windows\system32\Imjoqbef.exe
        263⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Ihocnkel.exe
        
        C:\Windows\system32\Ihocnkel.exe
        264⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jahggp32.exe
        
        C:\Windows\system32\Jahggp32.exe
        265⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Jdfccl32.exe
        
        C:\Windows\system32\Jdfccl32.exe
        266⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Jgdpog32.exe
        
        C:\Windows\system32\Jgdpog32.exe
        267⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Jkplpfbn.exe
        
        C:\Windows\system32\Jkplpfbn.exe
        268⤵
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Jolhpdjg.exe
        
        C:\Windows\system32\Jolhpdjg.exe
        269⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Jajdlpij.exe
        
        C:\Windows\system32\Jajdlpij.exe
        270⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Jpmdhm32.exe
        
        C:\Windows\system32\Jpmdhm32.exe
        271⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Jdhphkin.exe
        
        C:\Windows\system32\Jdhphkin.exe
        272⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Jggmdgha.exe
        
        C:\Windows\system32\Jggmdgha.exe
        273⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Jondfdhd.exe
        
        C:\Windows\system32\Jondfdhd.exe
        274⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Jpoaml32.exe
        
        C:\Windows\system32\Jpoaml32.exe
        275⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Jhfioj32.exe
        
        C:\Windows\system32\Jhfioj32.exe
        276⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Jkeeke32.exe
        
        C:\Windows\system32\Jkeeke32.exe
        277⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Algbmjgk.exe
        
        C:\Windows\system32\Algbmjgk.exe
        81⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        82⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Aeoffo32.exe
        
        C:\Windows\system32\Aeoffo32.exe
        83⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Ahncbk32.exe
        
        C:\Windows\system32\Ahncbk32.exe
        84⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        85⤵
        Drops file in System32 directory
        
        PID:8220
        
        C:\Windows\SysWOW64\Apekch32.exe
        
        C:\Windows\system32\Apekch32.exe
        86⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Abcgoc32.exe
        
        C:\Windows\system32\Abcgoc32.exe
        87⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Aafgkpcp.exe
        
        C:\Windows\system32\Aafgkpcp.exe
        88⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        89⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Apggihko.exe
        
        C:\Windows\system32\Apggihko.exe
        90⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        91⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        92⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        93⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Blpechop.exe
        
        C:\Windows\system32\Blpechop.exe
        94⤵
        Drops file in System32 directory
        
        PID:8484
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        95⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540

C:\Windows\SysWOW64\Jmcagqml.exe
C:\Windows\system32\Jmcagqml.exe
1⤵
PID:7212
- C:\Windows\SysWOW64\Jpancllp.exe
  C:\Windows\system32\Jpancllp.exe
  2⤵
  PID:7236
- - C:\Windows\SysWOW64\Jdmjck32.exe
    C:\Windows\system32\Jdmjck32.exe
    3⤵
    PID:7268
  - - C:\Windows\SysWOW64\Jnenlpki.exe
      C:\Windows\system32\Jnenlpki.exe
      4⤵
      PID:7284
    - - C:\Windows\SysWOW64\Koekfc32.exe
        
        C:\Windows\system32\Koekfc32.exe
        5⤵
        
        PID:7304
      - C:\Windows\SysWOW64\Kpfgnk32.exe
        
        C:\Windows\system32\Kpfgnk32.exe
        6⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Khmooi32.exe
        
        C:\Windows\system32\Khmooi32.exe
        7⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Kogglcpi.exe
        
        C:\Windows\system32\Kogglcpi.exe
        8⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Kojdabng.exe
        
        C:\Windows\system32\Kojdabng.exe
        9⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Knmdmo32.exe
        
        C:\Windows\system32\Knmdmo32.exe
        10⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Kdfmji32.exe
        
        C:\Windows\system32\Kdfmji32.exe
        11⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Kkqefcdk.exe
        
        C:\Windows\system32\Kkqefcdk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Knoaboco.exe
        
        C:\Windows\system32\Knoaboco.exe
        13⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Kdiioi32.exe
        
        C:\Windows\system32\Kdiioi32.exe
        14⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Kggekd32.exe
        
        C:\Windows\system32\Kggekd32.exe
        15⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Knanhoal.exe
        
        C:\Windows\system32\Knanhoal.exe
        16⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Lhgbeg32.exe
        
        C:\Windows\system32\Lhgbeg32.exe
        17⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Loqjbaho.exe
        
        C:\Windows\system32\Loqjbaho.exe
        18⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Lpbgjj32.exe
        
        C:\Windows\system32\Lpbgjj32.exe
        19⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Lglofdej.exe
        
        C:\Windows\system32\Lglofdej.exe
        20⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Lnfgcn32.exe
        
        C:\Windows\system32\Lnfgcn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Lhkkqgml.exe
        
        C:\Windows\system32\Lhkkqgml.exe
        22⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Lkjhmblp.exe
        
        C:\Windows\system32\Lkjhmblp.exe
        23⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Ladpil32.exe
        
        C:\Windows\system32\Ladpil32.exe
        24⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Lhnhffkj.exe
        
        C:\Windows\system32\Lhnhffkj.exe
        25⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Lkldbbjn.exe
        
        C:\Windows\system32\Lkldbbjn.exe
        26⤵
        
        PID:7720

C:\Windows\SysWOW64\Lnkqnmia.exe
C:\Windows\system32\Lnkqnmia.exe
1⤵
PID:7744
- C:\Windows\SysWOW64\Lddikg32.exe
  C:\Windows\system32\Lddikg32.exe
  2⤵
  - Drops file in System32 directory
  PID:7780
- - C:\Windows\SysWOW64\Lhpelfhg.exe
    C:\Windows\system32\Lhpelfhg.exe
    3⤵
    PID:7804
  - - C:\Windows\SysWOW64\Lojmhppd.exe
      C:\Windows\system32\Lojmhppd.exe
      4⤵
      PID:7832
    - - C:\Windows\SysWOW64\Mqkiph32.exe
        
        C:\Windows\system32\Mqkiph32.exe
        5⤵
        
        PID:7856
      - C:\Windows\SysWOW64\Mdgeqgnk.exe
        
        C:\Windows\system32\Mdgeqgnk.exe
        6⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Mnojim32.exe
        
        C:\Windows\system32\Mnojim32.exe
        7⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Mqnfeh32.exe
        
        C:\Windows\system32\Mqnfeh32.exe
        8⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Mghobbkl.exe
        
        C:\Windows\system32\Mghobbkl.exe
        9⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Mkcjca32.exe
        
        C:\Windows\system32\Mkcjca32.exe
        10⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Mbmbpk32.exe
        
        C:\Windows\system32\Mbmbpk32.exe
        11⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Moacio32.exe
        
        C:\Windows\system32\Moacio32.exe
        12⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Mqbpqgpj.exe
        
        C:\Windows\system32\Mqbpqgpj.exe
        13⤵
        Drops file in System32 directory
        
        PID:8052
        
        C:\Windows\SysWOW64\Mkhdnppp.exe
        
        C:\Windows\system32\Mkhdnppp.exe
        14⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Mnfpjl32.exe
        
        C:\Windows\system32\Mnfpjl32.exe
        15⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Mqelfg32.exe
        
        C:\Windows\system32\Mqelfg32.exe
        16⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Mkjqcp32.exe
        
        C:\Windows\system32\Mkjqcp32.exe
        17⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Mnimpk32.exe
        
        C:\Windows\system32\Mnimpk32.exe
        18⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Ndbeledn.exe
        
        C:\Windows\system32\Ndbeledn.exe
        19⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Nohijndd.exe
        
        C:\Windows\system32\Nohijndd.exe
        20⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Nbfefj32.exe
        
        C:\Windows\system32\Nbfefj32.exe
        21⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Ndebbe32.exe
        
        C:\Windows\system32\Ndebbe32.exe
        22⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Nkojooih.exe
        
        C:\Windows\system32\Nkojooih.exe
        23⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Nnmfkkhl.exe
        
        C:\Windows\system32\Nnmfkkhl.exe
        24⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Ndgoge32.exe
        
        C:\Windows\system32\Ndgoge32.exe
        25⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Nicjhchb.exe
        
        C:\Windows\system32\Nicjhchb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1852
        
        C:\Windows\SysWOW64\Nomcen32.exe
        
        C:\Windows\system32\Nomcen32.exe
        27⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Nqnomfem.exe
        
        C:\Windows\system32\Nqnomfem.exe
        28⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Nghgipmj.exe
        
        C:\Windows\system32\Nghgipmj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Noopjmnl.exe
        
        C:\Windows\system32\Noopjmnl.exe
        30⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        31⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Nigdcc32.exe
        
        C:\Windows\system32\Nigdcc32.exe
        32⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        33⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Oendhdjq.exe
        
        C:\Windows\system32\Oendhdjq.exe
        34⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Oodiem32.exe
        
        C:\Windows\system32\Oodiem32.exe
        35⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Obbeah32.exe
        
        C:\Windows\system32\Obbeah32.exe
        36⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Oilmnbpg.exe
        
        C:\Windows\system32\Oilmnbpg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1372
        
        C:\Windows\SysWOW64\Okkjjnok.exe
        
        C:\Windows\system32\Okkjjnok.exe
        38⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Oniffino.exe
        
        C:\Windows\system32\Oniffino.exe
        39⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Obdbgh32.exe
        
        C:\Windows\system32\Obdbgh32.exe
        40⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Oagbbdnb.exe
        
        C:\Windows\system32\Oagbbdnb.exe
        41⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Oiojdb32.exe
        
        C:\Windows\system32\Oiojdb32.exe
        42⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Okmfpm32.exe
        
        C:\Windows\system32\Okmfpm32.exe
        43⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Onkbli32.exe
        
        C:\Windows\system32\Onkbli32.exe
        44⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Oeekicdi.exe
        
        C:\Windows\system32\Oeekicdi.exe
        45⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Ogdgencl.exe
        
        C:\Windows\system32\Ogdgencl.exe
        46⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Opkoflco.exe
        
        C:\Windows\system32\Opkoflco.exe
        47⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Onnoah32.exe
        
        C:\Windows\system32\Onnoah32.exe
        48⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Obikbgbb.exe
        
        C:\Windows\system32\Obikbgbb.exe
        49⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Oehgnbbf.exe
        
        C:\Windows\system32\Oehgnbbf.exe
        50⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Ogfcjnaj.exe
        
        C:\Windows\system32\Ogfcjnaj.exe
        51⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Olapkmic.exe
        
        C:\Windows\system32\Olapkmic.exe
        52⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Pnplghhf.exe
        
        C:\Windows\system32\Pnplghhf.exe
        53⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Pblhhg32.exe
        
        C:\Windows\system32\Pblhhg32.exe
        54⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Pejddb32.exe
        
        C:\Windows\system32\Pejddb32.exe
        55⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Piepdahl.exe
        
        C:\Windows\system32\Piepdahl.exe
        56⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Pbndmf32.exe
        
        C:\Windows\system32\Pbndmf32.exe
        57⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Pihmjqfj.exe
        
        C:\Windows\system32\Pihmjqfj.exe
        58⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Ppbegkmg.exe
        
        C:\Windows\system32\Ppbegkmg.exe
        59⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Pijjpp32.exe
        
        C:\Windows\system32\Pijjpp32.exe
        60⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Pbbnhfjh.exe
        
        C:\Windows\system32\Pbbnhfjh.exe
        61⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Peajdajk.exe
        
        C:\Windows\system32\Peajdajk.exe
        62⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Phpfqmio.exe
        
        C:\Windows\system32\Phpfqmio.exe
        63⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Pahkjbop.exe
        
        C:\Windows\system32\Pahkjbop.exe
        64⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Pecgja32.exe
        
        C:\Windows\system32\Pecgja32.exe
        65⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        66⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Qbggce32.exe
        
        C:\Windows\system32\Qbggce32.exe
        67⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Qiappono.exe
        
        C:\Windows\system32\Qiappono.exe
        68⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Qpkhmi32.exe
        
        C:\Windows\system32\Qpkhmi32.exe
        69⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        70⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Albibj32.exe
        
        C:\Windows\system32\Albibj32.exe
        71⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        72⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Aifiko32.exe
        
        C:\Windows\system32\Aifiko32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1420
        
        C:\Windows\SysWOW64\Aldegj32.exe
        
        C:\Windows\system32\Aldegj32.exe
        74⤵
        
        PID:260
        
        C:\Windows\SysWOW64\Aocace32.exe
        
        C:\Windows\system32\Aocace32.exe
        75⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Aaanpa32.exe
        
        C:\Windows\system32\Aaanpa32.exe
        76⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        77⤵
        
        PID:1868

C:\Windows\SysWOW64\Bidemmnj.exe
C:\Windows\system32\Bidemmnj.exe
1⤵
PID:8560
- C:\Windows\SysWOW64\Bhgehi32.exe
  C:\Windows\system32\Bhgehi32.exe
  2⤵
  PID:8588
- - C:\Windows\SysWOW64\Bpnnig32.exe
    C:\Windows\system32\Bpnnig32.exe
    3⤵
    PID:8604

C:\Windows\SysWOW64\Bbljeb32.exe
C:\Windows\system32\Bbljeb32.exe
1⤵
PID:8628
- C:\Windows\SysWOW64\Bekfan32.exe
  C:\Windows\system32\Bekfan32.exe
  2⤵
  PID:8676
- - C:\Windows\SysWOW64\Bhibni32.exe
    C:\Windows\system32\Bhibni32.exe
    3⤵
    PID:8700
  - - C:\Windows\SysWOW64\Bockjc32.exe
      C:\Windows\system32\Bockjc32.exe
      4⤵
      PID:8748
    - - C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        5⤵
        
        PID:8764
      - C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        6⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8796
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        8⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        9⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        10⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        11⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        12⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        13⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        14⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        15⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        16⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        17⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        18⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        19⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        20⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9028
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        22⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        23⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        24⤵
        Drops file in System32 directory
        
        PID:9092
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        25⤵
        Drops file in System32 directory
        
        PID:9128
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        26⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        27⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9188
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        29⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        30⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        31⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        33⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        34⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        35⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        36⤵
        Drops file in System32 directory
        
        PID:8516
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:656
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        38⤵
        
        PID:8612

C:\Windows\SysWOW64\Eflhoigi.exe
C:\Windows\system32\Eflhoigi.exe
1⤵
PID:8644
- C:\Windows\SysWOW64\Ehjdldfl.exe
  C:\Windows\system32\Ehjdldfl.exe
  2⤵
  PID:8664
- - C:\Windows\SysWOW64\Eqalmafo.exe
    C:\Windows\system32\Eqalmafo.exe
    3⤵
    PID:8684
  - - C:\Windows\SysWOW64\Ecphimfb.exe
      C:\Windows\system32\Ecphimfb.exe
      4⤵
      PID:2392
    - - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        5⤵
        
        PID:8712
      - C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        6⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        7⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        8⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        9⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        11⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        12⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        13⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        14⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        16⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        17⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        18⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        19⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        21⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        22⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        23⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        24⤵
        
        PID:520
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        25⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        26⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        27⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        28⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        29⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        30⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        31⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        32⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        33⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        34⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        35⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        36⤵
        Drops file in System32 directory
        
        PID:8572
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        37⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        38⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        39⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        40⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        41⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        42⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        43⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        44⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        45⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        46⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        47⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        50⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        51⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        52⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        54⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        55⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        56⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        57⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9376
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        59⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        60⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        61⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        62⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        63⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9524
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        65⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        66⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        67⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        68⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        69⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        70⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        71⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        72⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        73⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        74⤵
        Modifies registry class
        
        PID:9764
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        75⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        76⤵
        Modifies registry class
        
        PID:9804
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        77⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        78⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        79⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        80⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        81⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        82⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        83⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        84⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        85⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        86⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        87⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        88⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        89⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        90⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        91⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        92⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        93⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        94⤵
        Modifies registry class
        
        PID:10156
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        95⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        96⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        97⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        98⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        99⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        100⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        101⤵
        Modifies registry class
        
        PID:9328
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        102⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        103⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9488
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        105⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        106⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        107⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        108⤵
        Drops file in System32 directory
        
        PID:9736
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        109⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        110⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        111⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        112⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10140
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        114⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        115⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        116⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        117⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        118⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        119⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        120⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        121⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Njfmke32.exe
        
        C:\Windows\system32\Njfmke32.exe
        122⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\Nbmelbid.exe
        
        C:\Windows\system32\Nbmelbid.exe
        123⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\Ncnadk32.exe
        
        C:\Windows\system32\Ncnadk32.exe
        124⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Okeieh32.exe
        
        C:\Windows\system32\Okeieh32.exe
        125⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\Oqbamo32.exe
        
        C:\Windows\system32\Oqbamo32.exe
        126⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Odnnnnfe.exe
        
        C:\Windows\system32\Odnnnnfe.exe
        127⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Ogljjiei.exe
        
        C:\Windows\system32\Ogljjiei.exe
        128⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\Onfbfc32.exe
        
        C:\Windows\system32\Onfbfc32.exe
        129⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\Oqdoboli.exe
        
        C:\Windows\system32\Oqdoboli.exe
        130⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        131⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        132⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Obdkma32.exe
        
        C:\Windows\system32\Obdkma32.exe
        133⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Odbgim32.exe
        
        C:\Windows\system32\Odbgim32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10528
        
        C:\Windows\SysWOW64\Ogaceh32.exe
        
        C:\Windows\system32\Ogaceh32.exe
        135⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        136⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10600
        
        C:\Windows\SysWOW64\Okolkg32.exe
        
        C:\Windows\system32\Okolkg32.exe
        138⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        139⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        140⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        141⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        142⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Pclneicb.exe
        
        C:\Windows\system32\Pclneicb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10740
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        144⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        145⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        146⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        147⤵
        
        PID:10836

C:\Windows\SysWOW64\Pkfblfab.exe
C:\Windows\system32\Pkfblfab.exe
1⤵
PID:10856
- C:\Windows\SysWOW64\Pbpjhp32.exe
  C:\Windows\system32\Pbpjhp32.exe
  2⤵
  PID:10876
- - C:\Windows\SysWOW64\Pengdk32.exe
    C:\Windows\system32\Pengdk32.exe
    3⤵
    PID:10908
  - - C:\Windows\SysWOW64\Pgmcqggf.exe
      C:\Windows\system32\Pgmcqggf.exe
      4⤵
      PID:10928
    - - C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        5⤵
        
        PID:10944
      - C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        6⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        7⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        8⤵
        Drops file in System32 directory
        
        PID:10992
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        9⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        10⤵
        Drops file in System32 directory
        
        PID:11024
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        11⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        12⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\Qbimoo32.exe
        
        C:\Windows\system32\Qbimoo32.exe
        13⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        14⤵
        Modifies registry class
        
        PID:11088
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        15⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        16⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        17⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        18⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        19⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        20⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        21⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        22⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        23⤵
        Modifies registry class
        
        PID:10760
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        24⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        25⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        26⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        27⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        28⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        29⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        30⤵
        Modifies registry class
        
        PID:10468
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        31⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        32⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        33⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        34⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        35⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10652
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        37⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        38⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        39⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        40⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        41⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11384
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        43⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        44⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        45⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        46⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        47⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        48⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11500
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        50⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:11628
        
        C:\Windows\SysWOW64\Hmnmgnoh.exe
        
        C:\Windows\system32\Hmnmgnoh.exe
        52⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\Idhnkf32.exe
        
        C:\Windows\system32\Idhnkf32.exe
        53⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        54⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        55⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        56⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        57⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        58⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        59⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        60⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\Lekmnajj.exe
        
        C:\Windows\system32\Lekmnajj.exe
        61⤵
        Drops file in System32 directory
        
        PID:11836
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11852
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        63⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Lenicahg.exe
        
        C:\Windows\system32\Lenicahg.exe
        64⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        65⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        66⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        67⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\Maggnali.exe
        
        C:\Windows\system32\Maggnali.exe
        68⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        69⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        70⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        71⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        72⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        73⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        74⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        75⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        76⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        77⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        78⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        79⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        80⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        81⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        82⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        83⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        84⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\Odjeljhd.exe
        
        C:\Windows\system32\Odjeljhd.exe
        85⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        86⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        87⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        89⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Pknqoc32.exe
        
        C:\Windows\system32\Pknqoc32.exe
        90⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        91⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        92⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        94⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        95⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        96⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        98⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        99⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        100⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        101⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        102⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        103⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        104⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        105⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        106⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        107⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        108⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        109⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        110⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        111⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        112⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        113⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        114⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        115⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        116⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        117⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        118⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        119⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        120⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        121⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        122⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        123⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        124⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        126⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        127⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        128⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        129⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        130⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        131⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        132⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        133⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        134⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        135⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        136⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        137⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        138⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        139⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        140⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        141⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        142⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        143⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        144⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        145⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        146⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        147⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        148⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        149⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        150⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        151⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        152⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        153⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        154⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        155⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        156⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        157⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        158⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        159⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        160⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        162⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        163⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        164⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        165⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        166⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        167⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        168⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        169⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        170⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        171⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        172⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        173⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        174⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        175⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        177⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        178⤵
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        179⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        180⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        181⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        182⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4332
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        184⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        185⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        186⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        187⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        188⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        189⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4304
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1828
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        192⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        193⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        194⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        195⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        196⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        197⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        198⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        199⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        201⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        202⤵
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        203⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        204⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        205⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        206⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        207⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        208⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        209⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        210⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7420
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        212⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        213⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        214⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        215⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        216⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        217⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        218⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        219⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        220⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        221⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        222⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        223⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        224⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        225⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        226⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        228⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        229⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        230⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        231⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        232⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        233⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        234⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        235⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        236⤵
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7928
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        238⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        239⤵
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        240⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        241⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        242⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        243⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        244⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        245⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        246⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        247⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        248⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        249⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        250⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        251⤵
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        252⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        253⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        254⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        255⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        256⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        257⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        258⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        259⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        260⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        261⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        262⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        263⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        264⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        265⤵
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        266⤵
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        267⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        268⤵
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        269⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        270⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        271⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        272⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        273⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        274⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        275⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        276⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        277⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        278⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        279⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        280⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        281⤵
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        282⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        283⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        284⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        285⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8240
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        287⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        288⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Didqkeeq.exe
        
        C:\Windows\system32\Didqkeeq.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:380
        
        C:\Windows\SysWOW64\Dekapfke.exe
        
        C:\Windows\system32\Dekapfke.exe
        290⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Dmbiackg.exe
        
        C:\Windows\system32\Dmbiackg.exe
        291⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Epjhcnbp.exe
        
        C:\Windows\system32\Epjhcnbp.exe
        292⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Egdqph32.exe
        
        C:\Windows\system32\Egdqph32.exe
        293⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        294⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Fpmeimpn.exe
        
        C:\Windows\system32\Fpmeimpn.exe
        295⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Feimadoe.exe
        
        C:\Windows\system32\Feimadoe.exe
        296⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Flcfnn32.exe
        
        C:\Windows\system32\Flcfnn32.exe
        297⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Fcmnkh32.exe
        
        C:\Windows\system32\Fcmnkh32.exe
        298⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Fjgfgbek.exe
        
        C:\Windows\system32\Fjgfgbek.exe
        299⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Flfbcndo.exe
        
        C:\Windows\system32\Flfbcndo.exe
        300⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Fdmjdkda.exe
        
        C:\Windows\system32\Fdmjdkda.exe
        301⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Ffnglc32.exe
        
        C:\Windows\system32\Ffnglc32.exe
        302⤵
        Modifies registry class
        
        PID:8524
        
        C:\Windows\SysWOW64\Fneoma32.exe
        
        C:\Windows\system32\Fneoma32.exe
        303⤵
        Drops file in System32 directory
        
        PID:8792
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        304⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        305⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Ajaqjfbp.exe
        
        C:\Windows\system32\Ajaqjfbp.exe
        306⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        307⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        308⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        309⤵
        Drops file in System32 directory
        
        PID:8992
        
        C:\Windows\SysWOW64\Bjfjee32.exe
        
        C:\Windows\system32\Bjfjee32.exe
        310⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Bqpbboeg.exe
        
        C:\Windows\system32\Bqpbboeg.exe
        311⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        312⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        313⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Bdphnmjk.exe
        
        C:\Windows\system32\Bdphnmjk.exe
        314⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        315⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Bjmpfdhb.exe
        
        C:\Windows\system32\Bjmpfdhb.exe
        316⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Cbdhgaid.exe
        
        C:\Windows\system32\Cbdhgaid.exe
        317⤵
        Modifies registry class
        
        PID:8388
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        318⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        319⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        320⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        321⤵
        Modifies registry class
        
        PID:8996
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        322⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        323⤵
        Modifies registry class
        
        PID:8660
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        324⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        325⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        326⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        327⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        328⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        329⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        330⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Dendok32.exe
        
        C:\Windows\system32\Dendok32.exe
        331⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        332⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Daeddlco.exe
        
        C:\Windows\system32\Daeddlco.exe
        333⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        334⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        335⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        336⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        337⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        338⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        339⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        340⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        341⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        342⤵
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Dhcfleff.exe
        
        C:\Windows\system32\Dhcfleff.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8720
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        344⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        345⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        346⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Dehgejep.exe
        
        C:\Windows\system32\Dehgejep.exe
        347⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        348⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        349⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        350⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        351⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Ebnddn32.exe
        
        C:\Windows\system32\Ebnddn32.exe
        352⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Eelpqi32.exe
        
        C:\Windows\system32\Eelpqi32.exe
        353⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ejnbdp32.exe
        
        C:\Windows\system32\Ejnbdp32.exe
        354⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Eoindndf.exe
        
        C:\Windows\system32\Eoindndf.exe
        355⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Fhbbmc32.exe
        
        C:\Windows\system32\Fhbbmc32.exe
        356⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        357⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Folkjnbc.exe
        
        C:\Windows\system32\Folkjnbc.exe
        358⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Fajgfiag.exe
        
        C:\Windows\system32\Fajgfiag.exe
        359⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Fiaogfai.exe
        
        C:\Windows\system32\Fiaogfai.exe
        360⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Flpkcbqm.exe
        
        C:\Windows\system32\Flpkcbqm.exe
        361⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Fongpm32.exe
        
        C:\Windows\system32\Fongpm32.exe
        362⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Falcli32.exe
        
        C:\Windows\system32\Falcli32.exe
        363⤵
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Ficlmf32.exe
        
        C:\Windows\system32\Ficlmf32.exe
        364⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Flbhia32.exe
        
        C:\Windows\system32\Flbhia32.exe
        365⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Fejlbgek.exe
        
        C:\Windows\system32\Fejlbgek.exe
        366⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Flddoa32.exe
        
        C:\Windows\system32\Flddoa32.exe
        367⤵
        
        PID:2236

C:\Windows\SysWOW64\Focakm32.exe
C:\Windows\system32\Focakm32.exe
1⤵
PID:8572
- C:\Windows\SysWOW64\Fbnmkk32.exe
  C:\Windows\system32\Fbnmkk32.exe
  2⤵
  PID:2636

C:\Windows\SysWOW64\Femigg32.exe
C:\Windows\system32\Femigg32.exe
1⤵
PID:4260
- C:\Windows\SysWOW64\Fhkecb32.exe
  C:\Windows\system32\Fhkecb32.exe
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\Foenplji.exe
    C:\Windows\system32\Foenplji.exe
    3⤵
    PID:9224
  - - C:\Windows\SysWOW64\Fbqiak32.exe
      C:\Windows\system32\Fbqiak32.exe
      4⤵
      PID:9240
    - - C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9136
      - C:\Windows\SysWOW64\Gikbneio.exe
        
        C:\Windows\system32\Gikbneio.exe
        6⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Glinjqhb.exe
        
        C:\Windows\system32\Glinjqhb.exe
        7⤵
        Drops file in System32 directory
        
        PID:9332
        
        C:\Windows\SysWOW64\Gogjflhf.exe
        
        C:\Windows\system32\Gogjflhf.exe
        8⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Gaffbg32.exe
        
        C:\Windows\system32\Gaffbg32.exe
        9⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Gimoce32.exe
        
        C:\Windows\system32\Gimoce32.exe
        10⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Glkkop32.exe
        
        C:\Windows\system32\Glkkop32.exe
        11⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Gojgkl32.exe
        
        C:\Windows\system32\Gojgkl32.exe
        12⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Gedohfmp.exe
        
        C:\Windows\system32\Gedohfmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9696
        
        C:\Windows\SysWOW64\Ghbkdald.exe
        
        C:\Windows\system32\Ghbkdald.exe
        14⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        15⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Gkqhpmkg.exe
        
        C:\Windows\system32\Gkqhpmkg.exe
        16⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Gajpmg32.exe
        
        C:\Windows\system32\Gajpmg32.exe
        17⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        18⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Glpdjpbj.exe
        
        C:\Windows\system32\Glpdjpbj.exe
        19⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Ghgeoq32.exe
        
        C:\Windows\system32\Ghgeoq32.exe
        20⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        21⤵
        Drops file in System32 directory
        
        PID:9500
        
        C:\Windows\SysWOW64\Gclimi32.exe
        
        C:\Windows\system32\Gclimi32.exe
        22⤵
        Drops file in System32 directory
        
        PID:9532
        
        C:\Windows\SysWOW64\Gekeie32.exe
        
        C:\Windows\system32\Gekeie32.exe
        23⤵
        Modifies registry class
        
        PID:9556
        
        C:\Windows\SysWOW64\Hifaic32.exe
        
        C:\Windows\system32\Hifaic32.exe
        24⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Hleneo32.exe
        
        C:\Windows\system32\Hleneo32.exe
        25⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Hocjaj32.exe
        
        C:\Windows\system32\Hocjaj32.exe
        26⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Haafnf32.exe
        
        C:\Windows\system32\Haafnf32.exe
        27⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\Hiinoc32.exe
        
        C:\Windows\system32\Hiinoc32.exe
        28⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Hlgjko32.exe
        
        C:\Windows\system32\Hlgjko32.exe
        29⤵
        Modifies registry class
        
        PID:9920
        
        C:\Windows\SysWOW64\Hoefgj32.exe
        
        C:\Windows\system32\Hoefgj32.exe
        30⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        31⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        32⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Hikkdc32.exe
        
        C:\Windows\system32\Hikkdc32.exe
        33⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Hligqnjp.exe
        
        C:\Windows\system32\Hligqnjp.exe
        34⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Hccomh32.exe
        
        C:\Windows\system32\Hccomh32.exe
        35⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Hebkid32.exe
        
        C:\Windows\system32\Hebkid32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9856
        
        C:\Windows\SysWOW64\Hhpheo32.exe
        
        C:\Windows\system32\Hhpheo32.exe
        37⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\Hkodak32.exe
        
        C:\Windows\system32\Hkodak32.exe
        38⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Hojpbigq.exe
        
        C:\Windows\system32\Hojpbigq.exe
        39⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Hedhoc32.exe
        
        C:\Windows\system32\Hedhoc32.exe
        40⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Hlnqln32.exe
        
        C:\Windows\system32\Hlnqln32.exe
        41⤵
        Drops file in System32 directory
        
        PID:9316
        
        C:\Windows\SysWOW64\Hakidd32.exe
        
        C:\Windows\system32\Hakidd32.exe
        42⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Ikcmmjkb.exe
        
        C:\Windows\system32\Ikcmmjkb.exe
        43⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Icjengld.exe
        
        C:\Windows\system32\Icjengld.exe
        44⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Iameid32.exe
        
        C:\Windows\system32\Iameid32.exe
        45⤵
        Modifies registry class
        
        PID:9976
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        46⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Ilcjgm32.exe
        
        C:\Windows\system32\Ilcjgm32.exe
        47⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        48⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Icmbcg32.exe
        
        C:\Windows\system32\Icmbcg32.exe
        49⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        50⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Ihjjln32.exe
        
        C:\Windows\system32\Ihjjln32.exe
        51⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Icooig32.exe
        
        C:\Windows\system32\Icooig32.exe
        52⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Ihlgan32.exe
        
        C:\Windows\system32\Ihlgan32.exe
        53⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Ikjcmi32.exe
        
        C:\Windows\system32\Ikjcmi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9672
        
        C:\Windows\SysWOW64\Iofpnhmc.exe
        
        C:\Windows\system32\Iofpnhmc.exe
        55⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        56⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Iljpgl32.exe
        
        C:\Windows\system32\Iljpgl32.exe
        57⤵
        Modifies registry class
        
        PID:9888
        
        C:\Windows\SysWOW64\Iohlcg32.exe
        
        C:\Windows\system32\Iohlcg32.exe
        58⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jfbdpabn.exe
        
        C:\Windows\system32\Jfbdpabn.exe
        59⤵
        Drops file in System32 directory
        
        PID:10052
        
        C:\Windows\SysWOW64\Jllmml32.exe
        
        C:\Windows\system32\Jllmml32.exe
        60⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Jcfejfag.exe
        
        C:\Windows\system32\Jcfejfag.exe
        61⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Jfdafa32.exe
        
        C:\Windows\system32\Jfdafa32.exe
        62⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Jloibkhh.exe
        
        C:\Windows\system32\Jloibkhh.exe
        63⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\Jomeoggk.exe
        
        C:\Windows\system32\Jomeoggk.exe
        64⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Jbkbkbfo.exe
        
        C:\Windows\system32\Jbkbkbfo.exe
        65⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Jhejgl32.exe
        
        C:\Windows\system32\Jhejgl32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10480
        
        C:\Windows\SysWOW64\Jkcfch32.exe
        
        C:\Windows\system32\Jkcfch32.exe
        67⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Jcknee32.exe
        
        C:\Windows\system32\Jcknee32.exe
        68⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Jfikaqme.exe
        
        C:\Windows\system32\Jfikaqme.exe
        69⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Jhhgmlli.exe
        
        C:\Windows\system32\Jhhgmlli.exe
        70⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\Jkfcigkm.exe
        
        C:\Windows\system32\Jkfcigkm.exe
        71⤵
        
        PID:10308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbhdeofn.exe

Filesize
50KB

MD5
a78281dc8500d55a1f935937b5d8f483

SHA1
4f25fe8541e159edc5aa5ee390025a63bef2e7fc

SHA256
03c6438921f4c03d8fe9523cc17359c9e0d8ab3b065779c05985b06c1d8e0a6d

SHA512
e48e3b154554fa977645fc2ff8b5a2c702898092a679f35cfdd835b4e6ca76326294561e27adfa3db34613bb106df2945d1d45e59a58ad7cb410c8eff81cae74

Download Submit
C:\Windows\SysWOW64\Dbhdeofn.exe

Filesize
50KB

MD5
a78281dc8500d55a1f935937b5d8f483

SHA1
4f25fe8541e159edc5aa5ee390025a63bef2e7fc

SHA256
03c6438921f4c03d8fe9523cc17359c9e0d8ab3b065779c05985b06c1d8e0a6d

SHA512
e48e3b154554fa977645fc2ff8b5a2c702898092a679f35cfdd835b4e6ca76326294561e27adfa3db34613bb106df2945d1d45e59a58ad7cb410c8eff81cae74

Download Submit
C:\Windows\SysWOW64\Dbjajo32.exe

Filesize
50KB

MD5
f0043c6a302f89b6a3de7f046da16975

SHA1
3db7dc11eb1f2eb8b1ee18aa21c89d6e2821afd9

SHA256
39e9345ddfb7ea37b7375e387163f7565b695110faa33eeab9080e938b904c78

SHA512
51af4dfaec16ed7b5e750b2ccf508872c1ab1a68a6263c93a43bcb86584a69df6925119cb485fe3e7f368a5f00f69976115a41026b9b7cd95165bce3c06e4e6f

Download Submit
C:\Windows\SysWOW64\Dbjajo32.exe

Filesize
50KB

MD5
f0043c6a302f89b6a3de7f046da16975

SHA1
3db7dc11eb1f2eb8b1ee18aa21c89d6e2821afd9

SHA256
39e9345ddfb7ea37b7375e387163f7565b695110faa33eeab9080e938b904c78

SHA512
51af4dfaec16ed7b5e750b2ccf508872c1ab1a68a6263c93a43bcb86584a69df6925119cb485fe3e7f368a5f00f69976115a41026b9b7cd95165bce3c06e4e6f

Download Submit
C:\Windows\SysWOW64\Diffmi32.exe

Filesize
50KB

MD5
6610c14c91cc519c791576bb01595498

SHA1
614d15c2528db541e8387f92c23627f8813e4cff

SHA256
1d4e9f7f365ae056254dbe9ef9e483feaf7549370ea24d531dcea01a124766ad

SHA512
7c0ce249baa6755b3a602e2d32cc4dc8471dd6fb0953f5dd94325b87d8e808d80607551b957c8ad9ef989ff85836e537bc45234ad8a9db8302caf8952d177f6f

Download Submit
C:\Windows\SysWOW64\Diffmi32.exe

Filesize
50KB

MD5
6610c14c91cc519c791576bb01595498

SHA1
614d15c2528db541e8387f92c23627f8813e4cff

SHA256
1d4e9f7f365ae056254dbe9ef9e483feaf7549370ea24d531dcea01a124766ad

SHA512
7c0ce249baa6755b3a602e2d32cc4dc8471dd6fb0953f5dd94325b87d8e808d80607551b957c8ad9ef989ff85836e537bc45234ad8a9db8302caf8952d177f6f

Download Submit
C:\Windows\SysWOW64\Dlbfcdkk.exe

Filesize
50KB

MD5
f8d499ea7a7b14020e29a8e7e2457edc

SHA1
b71f621c7641404baa349edf02fae979e0a694af

SHA256
38f1aa3e4596b03389793d511178dde2c8e709eff1d9ffe1fd0966d1d94bb31e

SHA512
6031291e0fd7d9d7d95dbfdb61aa2a99863237a3062a77404fcbd4842bba1f8eda9cf7ddc42fd5e580a5aaeb9615d07c866e4d2b1694f1fa65f0ae2d9969d429

Download Submit
C:\Windows\SysWOW64\Dlbfcdkk.exe

Filesize
50KB

MD5
f8d499ea7a7b14020e29a8e7e2457edc

SHA1
b71f621c7641404baa349edf02fae979e0a694af

SHA256
38f1aa3e4596b03389793d511178dde2c8e709eff1d9ffe1fd0966d1d94bb31e

SHA512
6031291e0fd7d9d7d95dbfdb61aa2a99863237a3062a77404fcbd4842bba1f8eda9cf7ddc42fd5e580a5aaeb9615d07c866e4d2b1694f1fa65f0ae2d9969d429

Download Submit
C:\Windows\SysWOW64\Dlebid32.exe

Filesize
50KB

MD5
43cbd6caf426ce1c40ffc6c29ace69cc

SHA1
94d6d6800577323ec4706a60743c513dbac1dc59

SHA256
111025c5b87cf59dc7e6d02546cf6283f8a3da21ffb3d627767054cde5298b60

SHA512
42ccc9e9caed040dd3fd0d1a8c77b295a5fa4251fe101b80a84c00b7e90bb88676cfde1cc2235bf2fa5b75881450caaa090d88c4a743eda35de75ac283d82beb

Download Submit
C:\Windows\SysWOW64\Dlebid32.exe

Filesize
50KB

MD5
43cbd6caf426ce1c40ffc6c29ace69cc

SHA1
94d6d6800577323ec4706a60743c513dbac1dc59

SHA256
111025c5b87cf59dc7e6d02546cf6283f8a3da21ffb3d627767054cde5298b60

SHA512
42ccc9e9caed040dd3fd0d1a8c77b295a5fa4251fe101b80a84c00b7e90bb88676cfde1cc2235bf2fa5b75881450caaa090d88c4a743eda35de75ac283d82beb

Download Submit
C:\Windows\SysWOW64\Eefjhhgo.exe

Filesize
50KB

MD5
1c694804608eae838d1675f1ad04c135

SHA1
e67f18f73ded5e01e5b9d2209ff447990586389c

SHA256
d985764bef6b861722fdb2589ee2feb10818834d75288ea0a226479ec8f0faa9

SHA512
5cc0fe1807ba39d029d220ad06a7fb700ddda6e78af419a9743fef354b54e2cb3bb0cb039cca35c0b5a43051071fc0acd0eda28ea5f31ec5df6bcf0b86e59d51

Download Submit
C:\Windows\SysWOW64\Eefjhhgo.exe

Filesize
50KB

MD5
1c694804608eae838d1675f1ad04c135

SHA1
e67f18f73ded5e01e5b9d2209ff447990586389c

SHA256
d985764bef6b861722fdb2589ee2feb10818834d75288ea0a226479ec8f0faa9

SHA512
5cc0fe1807ba39d029d220ad06a7fb700ddda6e78af419a9743fef354b54e2cb3bb0cb039cca35c0b5a43051071fc0acd0eda28ea5f31ec5df6bcf0b86e59d51

Download Submit
C:\Windows\SysWOW64\Eeifmhel.exe

Filesize
50KB

MD5
5fa4e09ddb64943ef30da6261d1d0dc4

SHA1
d4db3d5d96eaaa31ca91c89c8a1e18d768b5a808

SHA256
fbca2c57970bf54b924607a3fd050b5587d68da267cb4e27e6c25d8620704d26

SHA512
bde5c04ff7f279e1ff30ec824db81fc2f6d761948a6252b513ea743fd6c7aa8169997da1707c8acfb3a7f39300378a7a1e9c728c952a78dd58028c2ec79e4bf6

Download Submit
C:\Windows\SysWOW64\Eeifmhel.exe

Filesize
50KB

MD5
5fa4e09ddb64943ef30da6261d1d0dc4

SHA1
d4db3d5d96eaaa31ca91c89c8a1e18d768b5a808

SHA256
fbca2c57970bf54b924607a3fd050b5587d68da267cb4e27e6c25d8620704d26

SHA512
bde5c04ff7f279e1ff30ec824db81fc2f6d761948a6252b513ea743fd6c7aa8169997da1707c8acfb3a7f39300378a7a1e9c728c952a78dd58028c2ec79e4bf6

Download Submit
C:\Windows\SysWOW64\Efamflbg.exe

Filesize
50KB

MD5
2621132b4db1ef31c27f31e970045e07

SHA1
272eb73ec4808b636822211e77fccf99916d343f

SHA256
c1452926099a9aaecf36ef8d907349dd246e65a2d61fc6b1f5b12b166cc64cf3

SHA512
a5832e3068f1cbf7542695eb2fcfe0fb71f8cf5c048e4f7f4fc1aaec844f9442d1ca7ccce6ad19edd4f6076651c54b87801f3087120a34acd0abbb1ecc790b7d

Download Submit
C:\Windows\SysWOW64\Efamflbg.exe

Filesize
50KB

MD5
2621132b4db1ef31c27f31e970045e07

SHA1
272eb73ec4808b636822211e77fccf99916d343f

SHA256
c1452926099a9aaecf36ef8d907349dd246e65a2d61fc6b1f5b12b166cc64cf3

SHA512
a5832e3068f1cbf7542695eb2fcfe0fb71f8cf5c048e4f7f4fc1aaec844f9442d1ca7ccce6ad19edd4f6076651c54b87801f3087120a34acd0abbb1ecc790b7d

Download Submit
C:\Windows\SysWOW64\Elliiccq.exe

Filesize
50KB

MD5
6b56794c7a467b757a7f16ccb8b57b95

SHA1
2e3e2ab58a051f3327644cf7636bc215b1fdd8c1

SHA256
f82ce74632a96591b80d7b0c9bc1e7c60648eee4d377859dc09137b8a9e9c860

SHA512
89c1889e9a2ac49c082984a7190a4b68ec20c2972ed3916f1867978ecddeb9a67497f3e5b00739f210a56725eba0bbd73a34d9986cf136d569445ba81fafa050

Download Submit
C:\Windows\SysWOW64\Elliiccq.exe

Filesize
50KB

MD5
6b56794c7a467b757a7f16ccb8b57b95

SHA1
2e3e2ab58a051f3327644cf7636bc215b1fdd8c1

SHA256
f82ce74632a96591b80d7b0c9bc1e7c60648eee4d377859dc09137b8a9e9c860

SHA512
89c1889e9a2ac49c082984a7190a4b68ec20c2972ed3916f1867978ecddeb9a67497f3e5b00739f210a56725eba0bbd73a34d9986cf136d569445ba81fafa050

Download Submit
C:\Windows\SysWOW64\Elneoc32.exe

Filesize
50KB

MD5
20b0abc5d41fcde84b04457de2da2a9f

SHA1
b20d38d8c117145ace8ad0a5d6dec7f1b4a52d5b

SHA256
c79da33870a767d47686d1e7df74c96a6a5672f81d470901d85e1f464eb16bbe

SHA512
5aac32bbfbfa4b5ba5a909d7a7ae544fbb2ddc1f528d6001c4de740028e4161a0c43885fc84ae29f7a41f7f410fdfa52e0b25b99ddf5e8d4223c614a8219523c

Download Submit
C:\Windows\SysWOW64\Elneoc32.exe

Filesize
50KB

MD5
20b0abc5d41fcde84b04457de2da2a9f

SHA1
b20d38d8c117145ace8ad0a5d6dec7f1b4a52d5b

SHA256
c79da33870a767d47686d1e7df74c96a6a5672f81d470901d85e1f464eb16bbe

SHA512
5aac32bbfbfa4b5ba5a909d7a7ae544fbb2ddc1f528d6001c4de740028e4161a0c43885fc84ae29f7a41f7f410fdfa52e0b25b99ddf5e8d4223c614a8219523c

Download Submit
C:\Windows\SysWOW64\Eohhpodg.exe

Filesize
50KB

MD5
88d173ee2dd80241ff69fed29760453a

SHA1
a2a98db6a05c96b69d6409edccf647783bee4387

SHA256
9b5a90a57847cd215a0b113d584c4e2a9c86ba9eb9741f5d01bb7eefa81d0f02

SHA512
7efc32fd924dcf5309066ce64283b586061489f314ba43ffad72a3c5e24ed521afb70ff0adf685a454a7da5203f9a752149a4b1c8bd56ab8abbdb02a49034b36

Download Submit
C:\Windows\SysWOW64\Eohhpodg.exe

Filesize
50KB

MD5
88d173ee2dd80241ff69fed29760453a

SHA1
a2a98db6a05c96b69d6409edccf647783bee4387

SHA256
9b5a90a57847cd215a0b113d584c4e2a9c86ba9eb9741f5d01bb7eefa81d0f02

SHA512
7efc32fd924dcf5309066ce64283b586061489f314ba43ffad72a3c5e24ed521afb70ff0adf685a454a7da5203f9a752149a4b1c8bd56ab8abbdb02a49034b36

Download Submit
C:\Windows\SysWOW64\Epbkoboo.exe

Filesize
50KB

MD5
767e11f3b62e5df890c60713b9b37d34

SHA1
19da084b256283a467e13e523188d60154fc4c0f

SHA256
e33b3b69079ea524191f538396ea7bdbe9cf4552894f26a5958c33fe99c15210

SHA512
2819328821cec9af088f3e3045b075a0f8908757a97d4db25c69d25c0f6ad1af03d5074ee785d7573ff0f25d53f1c688fdc6a3b1e7fc75d8482d7a767b13d24c

Download Submit
C:\Windows\SysWOW64\Epbkoboo.exe

Filesize
50KB

MD5
767e11f3b62e5df890c60713b9b37d34

SHA1
19da084b256283a467e13e523188d60154fc4c0f

SHA256
e33b3b69079ea524191f538396ea7bdbe9cf4552894f26a5958c33fe99c15210

SHA512
2819328821cec9af088f3e3045b075a0f8908757a97d4db25c69d25c0f6ad1af03d5074ee785d7573ff0f25d53f1c688fdc6a3b1e7fc75d8482d7a767b13d24c

Download Submit
C:\Windows\SysWOW64\Eplneagd.exe

Filesize
50KB

MD5
4ff4b74d7a3209e162de3fbbda04a92b

SHA1
b250be1a34c08a685ec54dbf7de426293177d640

SHA256
66f1d1e15d58026ba3f025ed29264241cd0261002e96d879d5c8e902fcd5c303

SHA512
b54c1fcf16b15fa1fdd82bc6ed096c4482329e10dee68cd6e98d16c416875ba5189a720d993f1e5bd3d21fc72da239ff3e9c514b654fbff3b256c94ba802bd37

Download Submit
C:\Windows\SysWOW64\Eplneagd.exe

Filesize
50KB

MD5
4ff4b74d7a3209e162de3fbbda04a92b

SHA1
b250be1a34c08a685ec54dbf7de426293177d640

SHA256
66f1d1e15d58026ba3f025ed29264241cd0261002e96d879d5c8e902fcd5c303

SHA512
b54c1fcf16b15fa1fdd82bc6ed096c4482329e10dee68cd6e98d16c416875ba5189a720d993f1e5bd3d21fc72da239ff3e9c514b654fbff3b256c94ba802bd37

Download Submit
C:\Windows\SysWOW64\Fbmggl32.exe

Filesize
50KB

MD5
4801497e70d470a095a82bef0c035c6c

SHA1
9add1b65a5874cca19372f8bf30319f4349de312

SHA256
06afba66c1bb25868add797cc41637924c67e8d09cdd6273a7abdff882d9d5c4

SHA512
3d8f77ce4baa23f99574d63c733ed6dc419407acf642f14bfd14b8412e7b7352a9a2c2fe8e663c275c9b41108cdaed9c32a4747245fdac0dfd0e9e0aaa5cefcf

Download Submit
C:\Windows\SysWOW64\Fbmggl32.exe

Filesize
50KB

MD5
4801497e70d470a095a82bef0c035c6c

SHA1
9add1b65a5874cca19372f8bf30319f4349de312

SHA256
06afba66c1bb25868add797cc41637924c67e8d09cdd6273a7abdff882d9d5c4

SHA512
3d8f77ce4baa23f99574d63c733ed6dc419407acf642f14bfd14b8412e7b7352a9a2c2fe8e663c275c9b41108cdaed9c32a4747245fdac0dfd0e9e0aaa5cefcf

Download Submit
C:\Windows\SysWOW64\Fcaqblpp.exe

Filesize
50KB

MD5
11493f27fc4bccd680141217329f80fb

SHA1
398543f5c25c6f71895dce3389a40fe4cdac47d8

SHA256
f8a3467b9691bff47ccb24b854797cc2338559105be30cf63779d25265482e97

SHA512
4f093e1f2573257e1ccccddf2dd488727ecb521ff2dd347e46eafcba63e4e64cfd73214b421172193e9cda7a9f0b4bb9f6ee378104a278569884c4e9e80b13bf

Download Submit
C:\Windows\SysWOW64\Fcaqblpp.exe

Filesize
50KB

MD5
11493f27fc4bccd680141217329f80fb

SHA1
398543f5c25c6f71895dce3389a40fe4cdac47d8

SHA256
f8a3467b9691bff47ccb24b854797cc2338559105be30cf63779d25265482e97

SHA512
4f093e1f2573257e1ccccddf2dd488727ecb521ff2dd347e46eafcba63e4e64cfd73214b421172193e9cda7a9f0b4bb9f6ee378104a278569884c4e9e80b13bf

Download Submit
C:\Windows\SysWOW64\Figocflb.exe

Filesize
50KB

MD5
09484c563f372e56cf2959f347917aad

SHA1
f2e5d7ece8ef7938e201dd659027ff52764a1ae5

SHA256
7c5c21ef3a5144678cca77d62480ff70ff70f7d51bca67c832933ddb5b7a5a15

SHA512
8f73c3c380711b31ade302da90624208484634ab0a15605045cd6a04abb732198f34129931be089d5b7490e602a1de3ea35517aae63656804cd7591cca46143e

Download Submit
C:\Windows\SysWOW64\Figocflb.exe

Filesize
50KB

MD5
09484c563f372e56cf2959f347917aad

SHA1
f2e5d7ece8ef7938e201dd659027ff52764a1ae5

SHA256
7c5c21ef3a5144678cca77d62480ff70ff70f7d51bca67c832933ddb5b7a5a15

SHA512
8f73c3c380711b31ade302da90624208484634ab0a15605045cd6a04abb732198f34129931be089d5b7490e602a1de3ea35517aae63656804cd7591cca46143e

Download Submit
C:\Windows\SysWOW64\Flcojb32.exe

Filesize
50KB

MD5
9e7cd146266aaee06fba38188ca566ef

SHA1
927f5eb3914381adfd24d88aed6fcfb5a324c90c

SHA256
29c9f2305b25f788e70098e6bdffe1528c2a4c24f501bfc26d253ca3266ae512

SHA512
bca61f0e253afbcdc16d5aad2a93d0c3b911a728020808f69b7d0f8809f98798d70c3c9b839217d3990ff92c2632b78f62dfbdaa88850429c7e3ed687387e53e

Download Submit
C:\Windows\SysWOW64\Flcojb32.exe

Filesize
50KB

MD5
9e7cd146266aaee06fba38188ca566ef

SHA1
927f5eb3914381adfd24d88aed6fcfb5a324c90c

SHA256
29c9f2305b25f788e70098e6bdffe1528c2a4c24f501bfc26d253ca3266ae512

SHA512
bca61f0e253afbcdc16d5aad2a93d0c3b911a728020808f69b7d0f8809f98798d70c3c9b839217d3990ff92c2632b78f62dfbdaa88850429c7e3ed687387e53e

Download Submit
C:\Windows\SysWOW64\Fochlmjj.exe

Filesize
50KB

MD5
20da5c1a9efd56c4731208c4c95ac444

SHA1
42b4fa56f2946ac4b9f935e006ec80a3fef5d86d

SHA256
737f1548047f201d1985d58e4bef0f705de8766693e247ef8e6090bb97c2a00f

SHA512
6c88e401c56dc000d9a40d6fdc1c460bd484fa8b4441ea3d5f3cb56b926c7db7326f21eca12634b898669800656126421c30839814bfb9980ee208aed4ff3730

Download Submit
C:\Windows\SysWOW64\Fochlmjj.exe

Filesize
50KB

MD5
20da5c1a9efd56c4731208c4c95ac444

SHA1
42b4fa56f2946ac4b9f935e006ec80a3fef5d86d

SHA256
737f1548047f201d1985d58e4bef0f705de8766693e247ef8e6090bb97c2a00f

SHA512
6c88e401c56dc000d9a40d6fdc1c460bd484fa8b4441ea3d5f3cb56b926c7db7326f21eca12634b898669800656126421c30839814bfb9980ee208aed4ff3730

Download Submit
C:\Windows\SysWOW64\Fojnll32.exe

Filesize
50KB

MD5
5fe3f6c7d9075d3f48841ba6537506fe

SHA1
4f1b45814e1c954e345c4fd2a29fc7ebf90c2fef

SHA256
3bca2892386cd3344d327c352868846881317d808c09419a99c093fdced22623

SHA512
740a44d3d17b5e52869fbe981afeca60e26c2ec2c38be44aecf5695148bf50e0a43998468b72deda50678c4bf47a48b94bb7fc55f391074fa9278f5caef851bb

Download Submit
C:\Windows\SysWOW64\Fojnll32.exe

Filesize
50KB

MD5
5fe3f6c7d9075d3f48841ba6537506fe

SHA1
4f1b45814e1c954e345c4fd2a29fc7ebf90c2fef

SHA256
3bca2892386cd3344d327c352868846881317d808c09419a99c093fdced22623

SHA512
740a44d3d17b5e52869fbe981afeca60e26c2ec2c38be44aecf5695148bf50e0a43998468b72deda50678c4bf47a48b94bb7fc55f391074fa9278f5caef851bb

Download Submit
C:\Windows\SysWOW64\Fpeakpoj.exe

Filesize
50KB

MD5
54daeb0d57cae85568f6ac6aa4fddfd5

SHA1
970cd9faa9a77335ae782d34a1152de2556fd871

SHA256
fb739c9adebe4602e1b63b44d9db77375721ebfd593c5a5c89c86e9a8751d964

SHA512
9ef1b953fd3e043bf5867b56f9a91718a529c860c3a0a04f0b91b1fbece5f9a316c3d60ffbfde16817247a4519677b1d85c38a8270dc694a63c29366564a12bc

Download Submit
C:\Windows\SysWOW64\Fpeakpoj.exe

Filesize
50KB

MD5
54daeb0d57cae85568f6ac6aa4fddfd5

SHA1
970cd9faa9a77335ae782d34a1152de2556fd871

SHA256
fb739c9adebe4602e1b63b44d9db77375721ebfd593c5a5c89c86e9a8751d964

SHA512
9ef1b953fd3e043bf5867b56f9a91718a529c860c3a0a04f0b91b1fbece5f9a316c3d60ffbfde16817247a4519677b1d85c38a8270dc694a63c29366564a12bc

Download Submit
C:\Windows\SysWOW64\Gcbiii32.exe

Filesize
50KB

MD5
8032868e7af55fbec117860498543c98

SHA1
fed536d7f4543969c2b98c6c651e6b7fa89fc873

SHA256
872dd1704e448826c6329ca7b35fb2c146ac3a3075e19b414d61db37de774ede

SHA512
0b2cf9c90d2ff69e14c2a620f9e583f4cf22441e29736e104456a3c74a237431a7e54735098dc348d2a353b8d52569de745cadb2c0d151bf7165299bf06482af

Download Submit
C:\Windows\SysWOW64\Gcbiii32.exe

Filesize
50KB

MD5
8032868e7af55fbec117860498543c98

SHA1
fed536d7f4543969c2b98c6c651e6b7fa89fc873

SHA256
872dd1704e448826c6329ca7b35fb2c146ac3a3075e19b414d61db37de774ede

SHA512
0b2cf9c90d2ff69e14c2a620f9e583f4cf22441e29736e104456a3c74a237431a7e54735098dc348d2a353b8d52569de745cadb2c0d151bf7165299bf06482af

Download Submit
C:\Windows\SysWOW64\Gchfbk32.exe

Filesize
50KB

MD5
2c611b647fa8328b55d84ea1916c5042

SHA1
04056e073255acd1b1c2a719f83637e9be7233e6

SHA256
39b9ada5f1ea6f3145e53dd428ab2ec30ee2161c47abeca7e7d74dfd4ead2dbf

SHA512
d2df70d82b2d19fc2eeb631daf54f2f657fe62c3c813a81b2420e6a7f837cb6e5b7c6922190872b9bce6ee8737402b9745e5132b3f64f86372dc83b172efda97

Download Submit
C:\Windows\SysWOW64\Gchfbk32.exe

Filesize
50KB

MD5
2c611b647fa8328b55d84ea1916c5042

SHA1
04056e073255acd1b1c2a719f83637e9be7233e6

SHA256
39b9ada5f1ea6f3145e53dd428ab2ec30ee2161c47abeca7e7d74dfd4ead2dbf

SHA512
d2df70d82b2d19fc2eeb631daf54f2f657fe62c3c813a81b2420e6a7f837cb6e5b7c6922190872b9bce6ee8737402b9745e5132b3f64f86372dc83b172efda97

Download Submit
C:\Windows\SysWOW64\Gckchj32.exe

Filesize
50KB

MD5
161e316f916f954bbb63769c00f5876c

SHA1
b314a3a458b108b9eec85865acafc634c3aa909c

SHA256
ddd6fb03862553d567064598277fca0f9ba60028decd0c1836fbb15b4ac27b08

SHA512
c8c937405043f7bb1d7ac4b48638e03bfaf95ca75709f98ea7a30bc59af25d8d4928306e7b2e559d012167c0376287988f8cd15d7c63fb139ffad20953722c2d

Download Submit
C:\Windows\SysWOW64\Gckchj32.exe

Filesize
50KB

MD5
161e316f916f954bbb63769c00f5876c

SHA1
b314a3a458b108b9eec85865acafc634c3aa909c

SHA256
ddd6fb03862553d567064598277fca0f9ba60028decd0c1836fbb15b4ac27b08

SHA512
c8c937405043f7bb1d7ac4b48638e03bfaf95ca75709f98ea7a30bc59af25d8d4928306e7b2e559d012167c0376287988f8cd15d7c63fb139ffad20953722c2d

Download Submit
C:\Windows\SysWOW64\Ggilni32.exe

Filesize
50KB

MD5
3df71585d0eef2df51bccb7e39f4e165

SHA1
36b66dbe0a6d078a778efdc118bf807b3cb757f6

SHA256
e3ceea9dd524948a1a74cb5af836088308dc9c28d23c777d9f474f0417766f40

SHA512
afababea1938ced3ad501276dfd2fca2238fcb00ecc6c92448d15ca95270ee128c26aafff4dab43860de9f9d3a49cffa28f2497eeec9768c76c015a19a7de2d1

Download Submit
C:\Windows\SysWOW64\Ggilni32.exe

Filesize
50KB

MD5
3df71585d0eef2df51bccb7e39f4e165

SHA1
36b66dbe0a6d078a778efdc118bf807b3cb757f6

SHA256
e3ceea9dd524948a1a74cb5af836088308dc9c28d23c777d9f474f0417766f40

SHA512
afababea1938ced3ad501276dfd2fca2238fcb00ecc6c92448d15ca95270ee128c26aafff4dab43860de9f9d3a49cffa28f2497eeec9768c76c015a19a7de2d1

Download Submit
C:\Windows\SysWOW64\Gheoka32.exe

Filesize
50KB

MD5
e724e2ad1ed43c5aba25bf6708943210

SHA1
4e54a2ceb8e21cb75bcedc4d896a6ccd3806ab89

SHA256
5d60926b6df98a6d205e8b919065dfd9ea78153a80bb410ba1e5b58195d8ff3d

SHA512
0fc09abee9552585b4bcd28d5563e6105533e595f142c4eae125749e54f5616a130bbcaf0273c54decbe5547644fdd9c76d1b97450e7f68d397a39784a71b558

Download Submit
C:\Windows\SysWOW64\Gheoka32.exe

Filesize
50KB

MD5
e724e2ad1ed43c5aba25bf6708943210

SHA1
4e54a2ceb8e21cb75bcedc4d896a6ccd3806ab89

SHA256
5d60926b6df98a6d205e8b919065dfd9ea78153a80bb410ba1e5b58195d8ff3d

SHA512
0fc09abee9552585b4bcd28d5563e6105533e595f142c4eae125749e54f5616a130bbcaf0273c54decbe5547644fdd9c76d1b97450e7f68d397a39784a71b558

Download Submit
C:\Windows\SysWOW64\Gieled32.exe

Filesize
50KB

MD5
4835bf05b6308337df5ff17eb7fb5875

SHA1
9ea17891e9073e305e5e5db2855f5fc92d14a379

SHA256
3ed268dee0e350d6acbcbdc7733cc2f0c4d2148afa7a4705f0caacdfab11458e

SHA512
301bcec3bc8cf7d257b740f4b217c16f1dfd97ca741f64782e2c62e19d46853e1339d733047e0e7bb688119f61dc6cb3d74167fbe173e87da93658ee8d2c6816

Download Submit
C:\Windows\SysWOW64\Gieled32.exe

Filesize
50KB

MD5
4835bf05b6308337df5ff17eb7fb5875

SHA1
9ea17891e9073e305e5e5db2855f5fc92d14a379

SHA256
3ed268dee0e350d6acbcbdc7733cc2f0c4d2148afa7a4705f0caacdfab11458e

SHA512
301bcec3bc8cf7d257b740f4b217c16f1dfd97ca741f64782e2c62e19d46853e1339d733047e0e7bb688119f61dc6cb3d74167fbe173e87da93658ee8d2c6816

Download Submit
C:\Windows\SysWOW64\Gjiepdkm.exe

Filesize
50KB

MD5
180d75be18752a37bfe7a854548deedb

SHA1
2b55209625a4f74dd0b786d4504decc7e454de14

SHA256
77eaebf663b375f6f8f1ed44f6a1eb653ddec0ea45a6e59535e2537dcdba8940

SHA512
f946e4c4be9a88849f72d6e046aee2f2e66fa9d9ee079aaaebba882ef81d18d038566940ffdbe60d6e08da298a08f8b28a401f022357fe417773f131d12e9614

Download Submit
C:\Windows\SysWOW64\Gjiepdkm.exe

Filesize
50KB

MD5
180d75be18752a37bfe7a854548deedb

SHA1
2b55209625a4f74dd0b786d4504decc7e454de14

SHA256
77eaebf663b375f6f8f1ed44f6a1eb653ddec0ea45a6e59535e2537dcdba8940

SHA512
f946e4c4be9a88849f72d6e046aee2f2e66fa9d9ee079aaaebba882ef81d18d038566940ffdbe60d6e08da298a08f8b28a401f022357fe417773f131d12e9614

Download Submit
C:\Windows\SysWOW64\Godqbk32.exe

Filesize
50KB

MD5
901dc0cfee9f67d0b4e91e83e7584bfa

SHA1
5e1f8b3464a0ebe941feb8ea5444a8b74d7402c1

SHA256
0ef1add5c13e19b6a878c6d36eaac4343f7edf78ff0bbdd7578eea0a63a69f34

SHA512
2587c904c209bcf5864c3be63115f841d06675e53add631254fda68ce92294a10bdf2875a6911ad8bde315fc58de73a1ea354fb85a338a70589707fed4577b0a

Download Submit
C:\Windows\SysWOW64\Godqbk32.exe

Filesize
50KB

MD5
901dc0cfee9f67d0b4e91e83e7584bfa

SHA1
5e1f8b3464a0ebe941feb8ea5444a8b74d7402c1

SHA256
0ef1add5c13e19b6a878c6d36eaac4343f7edf78ff0bbdd7578eea0a63a69f34

SHA512
2587c904c209bcf5864c3be63115f841d06675e53add631254fda68ce92294a10bdf2875a6911ad8bde315fc58de73a1ea354fb85a338a70589707fed4577b0a

Download Submit
C:\Windows\SysWOW64\Hcdfni32.exe

Filesize
50KB

MD5
7ea2d3f5cb2d2622c54d596488eb0767

SHA1
8b00540f958dd8779ea3bfd1b5ecab6c07b954ec

SHA256
b1938889321f86362f8c448119cd572ef29634c0d9329a38cbb1275afe0c9bd7

SHA512
795d860c2590be353e20e449037a05c120e33cb33b7f8698867712f74c3c446f0f1e68a78dfce333420459007e4d0c2bc28f4d16a7ef4153778aae8b539ba4b4

Download Submit
C:\Windows\SysWOW64\Hcdfni32.exe

Filesize
50KB

MD5
7ea2d3f5cb2d2622c54d596488eb0767

SHA1
8b00540f958dd8779ea3bfd1b5ecab6c07b954ec

SHA256
b1938889321f86362f8c448119cd572ef29634c0d9329a38cbb1275afe0c9bd7

SHA512
795d860c2590be353e20e449037a05c120e33cb33b7f8698867712f74c3c446f0f1e68a78dfce333420459007e4d0c2bc28f4d16a7ef4153778aae8b539ba4b4

Download Submit
C:\Windows\SysWOW64\Hcnidh32.exe

Filesize
50KB

MD5
d5a1fbcdfff9f3daf29596c07cecb3cb

SHA1
77e741c52f4c23f087748d169496d3a41b1d675d

SHA256
203bca20de4261cec4b6bab92dbdb8054971255eace04c63b3d5f24857114497

SHA512
fe2104538a1df4345acae911527526479613a89491bf896c2a264bbe34036db45691622a42c0dce8307f4488317940f4f612b1f3309d6b68379106ca90cf73ed

Download Submit
C:\Windows\SysWOW64\Hcnidh32.exe

Filesize
50KB

MD5
d5a1fbcdfff9f3daf29596c07cecb3cb

SHA1
77e741c52f4c23f087748d169496d3a41b1d675d

SHA256
203bca20de4261cec4b6bab92dbdb8054971255eace04c63b3d5f24857114497

SHA512
fe2104538a1df4345acae911527526479613a89491bf896c2a264bbe34036db45691622a42c0dce8307f4488317940f4f612b1f3309d6b68379106ca90cf73ed

Download Submit
C:\Windows\SysWOW64\Hhobap32.exe

Filesize
50KB

MD5
4b39d67928eeb30b18c6160c6e6188de

SHA1
2c9f6e57c53cafd57d0bff1e04e6708cd59ce5a4

SHA256
8bad9a97cb933b98035be122b454b15e09243dc0ea03ad9da4dfb5cb1794bc5b

SHA512
6c82c422abb1a245dba623c7512402aa3a477187283c3d0c1b8c4b46042480ab177f7d2d80c23f0b4d61a9b50c627f6deff8e1258775b73f331390f00219bfdd

Download Submit
C:\Windows\SysWOW64\Hhobap32.exe

Filesize
50KB

MD5
4b39d67928eeb30b18c6160c6e6188de

SHA1
2c9f6e57c53cafd57d0bff1e04e6708cd59ce5a4

SHA256
8bad9a97cb933b98035be122b454b15e09243dc0ea03ad9da4dfb5cb1794bc5b

SHA512
6c82c422abb1a245dba623c7512402aa3a477187283c3d0c1b8c4b46042480ab177f7d2d80c23f0b4d61a9b50c627f6deff8e1258775b73f331390f00219bfdd

Download Submit
C:\Windows\SysWOW64\Hpmpbm32.exe

Filesize
50KB

MD5
0b2bd20c93f99865fae578cd6d082131

SHA1
7fb0b65a8b09bfb024d82f319304b94733b2ff6a

SHA256
a831e6edf541186112517e2bbbb9af5c61190e960bb62705d06cf898910fda35

SHA512
b6a5f9a2d03d508a7640b5349e4749ca01005961e99989a150ca7a098e87c73124b410a02821177305b19a2319256a05212fdfe94c10062d3a59fe5fa40e5373

Download Submit
C:\Windows\SysWOW64\Hpmpbm32.exe

Filesize
50KB

MD5
0b2bd20c93f99865fae578cd6d082131

SHA1
7fb0b65a8b09bfb024d82f319304b94733b2ff6a

SHA256
a831e6edf541186112517e2bbbb9af5c61190e960bb62705d06cf898910fda35

SHA512
b6a5f9a2d03d508a7640b5349e4749ca01005961e99989a150ca7a098e87c73124b410a02821177305b19a2319256a05212fdfe94c10062d3a59fe5fa40e5373

Download Submit
memory/60-291-0x0000000000000000-mapping.dmp

Download
memory/60-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/208-198-0x0000000000000000-mapping.dmp

Download
memory/208-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/332-264-0x0000000000000000-mapping.dmp

Download
memory/332-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/440-297-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/440-285-0x0000000000000000-mapping.dmp

Download
memory/536-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/536-294-0x0000000000000000-mapping.dmp

Download
memory/540-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/540-269-0x0000000000000000-mapping.dmp

Download
memory/680-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/860-262-0x0000000000000000-mapping.dmp

Download
memory/860-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-314-0x0000000000000000-mapping.dmp

Download
memory/1000-312-0x0000000000000000-mapping.dmp

Download
memory/1000-320-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1256-211-0x0000000000000000-mapping.dmp

Download
memory/1256-247-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1304-268-0x0000000000000000-mapping.dmp

Download
memory/1304-282-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-270-0x0000000000000000-mapping.dmp

Download
memory/1384-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1388-161-0x0000000000000000-mapping.dmp

Download
memory/1388-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-267-0x0000000000000000-mapping.dmp

Download
memory/1480-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1480-265-0x0000000000000000-mapping.dmp

Download
memory/1504-259-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-235-0x0000000000000000-mapping.dmp

Download
memory/1636-257-0x0000000000000000-mapping.dmp

Download
memory/1636-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-286-0x0000000000000000-mapping.dmp

Download
memory/1952-287-0x0000000000000000-mapping.dmp

Download
memory/1952-299-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-260-0x0000000000000000-mapping.dmp

Download
memory/2044-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-149-0x0000000000000000-mapping.dmp

Download
memory/2368-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2380-272-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2380-248-0x0000000000000000-mapping.dmp

Download
memory/2412-143-0x0000000000000000-mapping.dmp

Download
memory/2412-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2460-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2460-292-0x0000000000000000-mapping.dmp

Download
memory/2484-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2484-204-0x0000000000000000-mapping.dmp

Download
memory/2788-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2788-208-0x0000000000000000-mapping.dmp

Download
memory/2916-311-0x0000000000000000-mapping.dmp

Download
memory/2916-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3024-266-0x0000000000000000-mapping.dmp

Download
memory/3024-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3064-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3064-140-0x0000000000000000-mapping.dmp

Download
memory/3136-229-0x0000000000000000-mapping.dmp

Download
memory/3136-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3212-176-0x0000000000000000-mapping.dmp

Download
memory/3212-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3432-253-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3432-220-0x0000000000000000-mapping.dmp

Download
memory/3440-309-0x0000000000000000-mapping.dmp

Download
memory/3440-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3468-132-0x0000000000000000-mapping.dmp

Download
memory/3468-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3472-310-0x0000000000000000-mapping.dmp

Download
memory/3472-318-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3488-295-0x0000000000000000-mapping.dmp

Download
memory/3488-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3556-315-0x0000000000000000-mapping.dmp

Download
memory/3556-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3596-316-0x0000000000000000-mapping.dmp

Download
memory/3700-261-0x0000000000000000-mapping.dmp

Download
memory/3700-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3808-289-0x0000000000000000-mapping.dmp

Download
memory/3808-301-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3848-238-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3848-181-0x0000000000000000-mapping.dmp

Download
memory/3904-167-0x0000000000000000-mapping.dmp

Download
memory/3904-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-250-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-217-0x0000000000000000-mapping.dmp

Download
memory/4024-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4024-232-0x0000000000000000-mapping.dmp

Download
memory/4136-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4136-173-0x0000000000000000-mapping.dmp

Download
memory/4188-193-0x0000000000000000-mapping.dmp

Download
memory/4188-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4228-187-0x0000000000000000-mapping.dmp

Download
memory/4228-239-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4304-226-0x0000000000000000-mapping.dmp

Download
memory/4304-255-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4360-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4360-164-0x0000000000000000-mapping.dmp

Download
memory/4512-263-0x0000000000000000-mapping.dmp

Download
memory/4512-277-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4536-185-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4536-146-0x0000000000000000-mapping.dmp

Download
memory/4548-254-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4548-223-0x0000000000000000-mapping.dmp

Download
memory/4580-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4580-137-0x0000000000000000-mapping.dmp

Download
memory/4616-271-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4616-242-0x0000000000000000-mapping.dmp

Download
memory/4656-300-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4656-288-0x0000000000000000-mapping.dmp

Download
memory/4716-302-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4716-290-0x0000000000000000-mapping.dmp

Download
memory/4720-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4720-313-0x0000000000000000-mapping.dmp

Download
memory/4724-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4724-293-0x0000000000000000-mapping.dmp

Download
memory/4816-158-0x0000000000000000-mapping.dmp

Download
memory/4816-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4900-155-0x0000000000000000-mapping.dmp

Download
memory/4900-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4908-188-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4908-152-0x0000000000000000-mapping.dmp

Download
memory/4988-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4988-296-0x0000000000000000-mapping.dmp

Download
memory/5060-214-0x0000000000000000-mapping.dmp

Download
memory/5060-249-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5092-170-0x0000000000000000-mapping.dmp

Download