a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96

Analysis

max time kernel
172s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe
Size

50KB
MD5

31ee7ce727323c249ff9148e1a625ef0
SHA1

23f7e70eadf9cbbb482cdb8c5a95b3c9ca39f022
SHA256

a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96
SHA512

a2bd535d691218b12af903e565116ca6282087242bffa71abb1e73a01a289333268026ef50b902864086f5e30f6e304563440c58c37dbd4a5b6fd155d60be01e
SSDEEP

768:FJE/Cp+hXnAd8CW9QPEgkuE2OfSoqcORvZ4LrZ5jq/1H5:/Uhwd8aHkuE9ivZ+Hc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ohiemobf.exeDgdgijhp.exeBnbeggmi.exeCljomc32.exeDannij32.exeGhegao32.exeAclpap32.exeBfdodjhm.exeOohnonij.exePpopjp32.exeQjlnnemp.exeHgnoki32.exeNmomchdg.exeIpjoee32.exeAompak32.exeDmifkecb.exeHcgjhega.exeEcmeig32.exeNijeec32.exeDpjompqc.exeNifnao32.exeEagaoh32.exeEaindh32.exeJgogbgei.exeNjghbl32.exeHeegad32.exeCjjcfabm.exePfnegggi.exeAqmlknnd.exeEmgblc32.exeGcqhcgqi.exeLpmmhpgp.exeAgjhgngj.exePlimfb32.exeBoikpiie.exeCpjdiadb.exePifgoglh.exeFfhnen32.exeFcloob32.exeOkgaijaj.exeFipkjb32.exeGmpcmkaa.exeKaajfe32.exeNnimia32.exeDmoafjhi.exeBfedoc32.exeDinmhkke.exeJjdjoane.exeMlpokp32.exeGggfme32.exeBjlbhbkn.exeGddqejni.exeHfnpca32.exeMngegmbc.exeBmbiamhi.exeKqbkfkal.exeMjneln32.exeGbfldf32.exeDmhkoaco.exeJgpfmncg.exeQcbfakec.exeHpbiip32.exeOehlkc32.exeBpemkcck.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohiemobf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbeggmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljomc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dannij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghegao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohnonij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppopjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjlnnemp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgnoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmomchdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aompak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcgjhega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecmeig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijeec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifnao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eagaoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaindh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgogbgei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njghbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjjcfabm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfnegggi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqmlknnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgblc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcqhcgqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpmmhpgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plimfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boikpiie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjdiadb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifgoglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffhnen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcloob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okgaijaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipkjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmpcmkaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaajfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnimia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoafjhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfedoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinmhkke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdjoane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlpokp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gggfme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjlbhbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddqejni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnpca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mngegmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbiamhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqbkfkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjneln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbfldf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmhkoaco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpfmncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcbfakec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oehlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpemkcck.exe

Executes dropped EXE 64 IoCs

Processes:

Lfpcdaob.exeLialfl32.exeLfelpq32.exeLmodlkbi.exeMblmdaqq.exeMopmnf32.exeMelffm32.exeMkfncgeo.exeMflbpp32.exeNmjdhi32.exeNnlqpanj.exeNlpaiemd.exeNbjifp32.exeNmomchdg.exeNblfkobn.exeNmajihbd.exeNfjoan32.exeNpbcjc32.exeNeokbj32.exeOngpkpdm.exeOimdihdc.exeOnjmao32.exeOedeniig.exeOpiikbim.exeOmmjdfhg.exeOmpfjf32.exePifgoglh.exePpblaaab.exePepdihoj.exePlimfb32.exePfoackfl.exePllilaed.exePedndg32.exePlnfaaba.exeQbjkckhk.exeQeigpfgo.exeQidcpe32.exeQlcplq32.exeQbmhikfi.exeAekdefel.exeAlelbpmi.exeAgkqoilo.exeAlgigpkf.exeAbaadj32.exeAepmpe32.exeAcdnjjpq.exeAmlombnd.exeBchgei32.exeBckdji32.exeBnphha32.exeBigimb32.exeBneacaei.exeBofnji32.exeBjlbhbkn.exeBoikpiie.exeCnjknp32.exeCokgehgb.exeCjqlca32.exeComdkh32.exeCfgmhbml.exeClaedl32.exeCckmaflf.exeCnqaoo32.exeCobnfgaj.exe

pid	process
3360	Lfpcdaob.exe
4624	Lialfl32.exe
4840	Lfelpq32.exe
4788	Lmodlkbi.exe
4808	Mblmdaqq.exe
4688	Mopmnf32.exe
2308	Melffm32.exe
4476	Mkfncgeo.exe
4672	Mflbpp32.exe
4928	Nmjdhi32.exe
4268	Nnlqpanj.exe
544	Nlpaiemd.exe
1376	Nbjifp32.exe
2808	Nmomchdg.exe
3980	Nblfkobn.exe
2636	Nmajihbd.exe
1388	Nfjoan32.exe
204	Npbcjc32.exe
4892	Neokbj32.exe
3364	Ongpkpdm.exe
5052	Oimdihdc.exe
2652	Onjmao32.exe
3672	Oedeniig.exe
4908	Opiikbim.exe
3708	Ommjdfhg.exe
4228	Ompfjf32.exe
4964	Pifgoglh.exe
1088	Ppblaaab.exe
4048	Pepdihoj.exe
3912	Plimfb32.exe
2248	Pfoackfl.exe
2260	Pllilaed.exe
2616	Pedndg32.exe
2212	Plnfaaba.exe
444	Qbjkckhk.exe
3756	Qeigpfgo.exe
4460	Qidcpe32.exe
3224	Qlcplq32.exe
740	Qbmhikfi.exe
4940	Aekdefel.exe
2600	Alelbpmi.exe
1740	Agkqoilo.exe
4028	Algigpkf.exe
4880	Abaadj32.exe
4796	Aepmpe32.exe
3740	Acdnjjpq.exe
2460	Amlombnd.exe
880	Bchgei32.exe
1408	Bckdji32.exe
1172	Bnphha32.exe
5104	Bigimb32.exe
1404	Bneacaei.exe
4300	Bofnji32.exe
5084	Bjlbhbkn.exe
3712	Boikpiie.exe
1548	Cnjknp32.exe
1768	Cokgehgb.exe
3192	Cjqlca32.exe
1552	Comdkh32.exe
4344	Cfgmhbml.exe
2208	Claedl32.exe
2828	Cckmaflf.exe
1372	Cnqaoo32.exe
4152	Cobnfgaj.exe

Drops file in System32 directory 64 IoCs

Processes:

Djdflp32.exePmpfcl32.exeCpjdiadb.exeNmjdhi32.exeFmbflm32.exeJopaejlo.exeKolaqh32.exePlimfb32.exeBeglgani.exePgflqkdd.exeLnbklm32.exeIajmmm32.exeJmjojh32.exeBigimb32.exeFnofgk32.exeHhagmm32.exeAcgolj32.exeEiildjag.exeHcbpme32.exeHjdcfp32.exeImpldi32.exeNnlqpanj.exeDnhgoned.exeEjhkjn32.exeDjmibn32.exeFcmnkh32.exeJondojna.exeFjkqgk32.exeEfdjgo32.exeNahgoe32.exeGnoacp32.exeHhmmkcko.exeGpjfng32.exeAqncedbp.exePoodpmca.exeQcdbfk32.exeOogpjbbb.exeHnjaonij.exeCqajpj32.exeCjjcfabm.exeKahpgcch.exeAclpap32.exeDgdgijhp.exePoqckdap.exeDmifkecb.exeGqkajk32.exeAcdnjjpq.exeGmnfnfnf.exeBmkcqn32.exeDmglcj32.exeNcmaai32.exeBnphha32.exeNjiegl32.exeHmlbij32.exeJbdlop32.exeLolcnman.exeDlfniafa.exeAnogiicl.exeBciehh32.exeLeopnglc.exeOoejohhq.exeDmoafjhi.exeFqkfmgbp.exeEekaebcm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nmiakk32.dll	Djdflp32.exe
File created	C:\Windows\SysWOW64\Poqckdap.exe	Pmpfcl32.exe
File created	C:\Windows\SysWOW64\Ccipelcf.exe	Cpjdiadb.exe
File opened for modification	C:\Windows\SysWOW64\Nnlqpanj.exe	Nmjdhi32.exe
File created	C:\Windows\SysWOW64\Fodobp32.dll	Fmbflm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaonaekb.exe	Jopaejlo.exe
File opened for modification	C:\Windows\SysWOW64\Lpmmhpgp.exe	Kolaqh32.exe
File created	C:\Windows\SysWOW64\Pfoackfl.exe	Plimfb32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Lmdijf32.dll	Pgflqkdd.exe
File opened for modification	C:\Windows\SysWOW64\Lihpif32.exe	Lnbklm32.exe
File created	C:\Windows\SysWOW64\Ieeimlep.exe	Iajmmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jddggb32.exe	Jmjojh32.exe
File opened for modification	C:\Windows\SysWOW64\Bneacaei.exe	Bigimb32.exe
File created	C:\Windows\SysWOW64\Fcloob32.exe	Fnofgk32.exe
File created	C:\Windows\SysWOW64\Gogiek32.dll	Hhagmm32.exe
File created	C:\Windows\SysWOW64\Ajqgidij.exe	Acgolj32.exe
File opened for modification	C:\Windows\SysWOW64\Eaqdegaj.exe	Eiildjag.exe
File created	C:\Windows\SysWOW64\Kgaljo32.dll	Hcbpme32.exe
File created	C:\Windows\SysWOW64\Hbcbcc32.dll	Hjdcfp32.exe
File created	C:\Windows\SysWOW64\Ddifbphg.dll	Impldi32.exe
File created	C:\Windows\SysWOW64\Nfppejnc.dll	Nnlqpanj.exe
File opened for modification	C:\Windows\SysWOW64\Doidgf32.exe	Dnhgoned.exe
File created	C:\Windows\SysWOW64\Oabghefk.dll	Ejhkjn32.exe
File created	C:\Windows\SysWOW64\Eipinkib.exe	Djmibn32.exe
File created	C:\Windows\SysWOW64\Bdnofdgl.dll	Fcmnkh32.exe
File opened for modification	C:\Windows\SysWOW64\Jgiiclkl.exe	Jondojna.exe
File opened for modification	C:\Windows\SysWOW64\Gmimcg32.exe	Fjkqgk32.exe
File created	C:\Windows\SysWOW64\Gcklla32.dll	Efdjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Niooqcad.exe	Nahgoe32.exe
File created	C:\Windows\SysWOW64\Gdhjpjjd.exe	Gnoacp32.exe
File created	C:\Windows\SysWOW64\Hfajlp32.exe	Hhmmkcko.exe
File created	C:\Windows\SysWOW64\Kennoank.dll	Gpjfng32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Pgflqkdd.exe	Poodpmca.exe
File created	C:\Windows\SysWOW64\Qfbobf32.exe	Qcdbfk32.exe
File opened for modification	C:\Windows\SysWOW64\Heegad32.exe	Oogpjbbb.exe
File created	C:\Windows\SysWOW64\Dmdmpk32.dll	Hnjaonij.exe
File created	C:\Windows\SysWOW64\Qccoeglp.dll	Cqajpj32.exe
File created	C:\Windows\SysWOW64\Iamfph32.dll	Cjjcfabm.exe
File created	C:\Windows\SysWOW64\Kdfmcobk.exe	Kahpgcch.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Kgjlgghg.dll	Poqckdap.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Foeeml32.dll	Gqkajk32.exe
File created	C:\Windows\SysWOW64\Amlombnd.exe	Acdnjjpq.exe
File created	C:\Windows\SysWOW64\Opkpkh32.dll	Gmnfnfnf.exe
File created	C:\Windows\SysWOW64\Boipmj32.exe	Bmkcqn32.exe
File created	C:\Windows\SysWOW64\Ddadpdmn.exe	Dmglcj32.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Edhlbdad.dll	Bnphha32.exe
File created	C:\Windows\SysWOW64\Nonlon32.dll	Njiegl32.exe
File opened for modification	C:\Windows\SysWOW64\Ipjoee32.exe	Hmlbij32.exe
File created	C:\Windows\SysWOW64\Jdbhkk32.exe	Jbdlop32.exe
File created	C:\Windows\SysWOW64\Lkcccn32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Pjqgggni.dll	Dlfniafa.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bgeaifia.exe	Bciehh32.exe
File created	C:\Windows\SysWOW64\Lijlof32.exe	Leopnglc.exe
File created	C:\Windows\SysWOW64\Fipkjb32.exe	Ooejohhq.exe
File created	C:\Windows\SysWOW64\Epalclhk.dll	Dmoafjhi.exe
File created	C:\Windows\SysWOW64\Hgoodiad.dll	Fqkfmgbp.exe
File created	C:\Windows\SysWOW64\Acbmpm32.dll	Eekaebcm.exe

Modifies registry class 64 IoCs

Processes:

Ejmdemoh.exeBmpcfdmg.exeDclkee32.exeHpbiip32.exeAgojdnng.exeNkjqme32.exeEglkdbag.exeBgnkhg32.exeJjdjoane.exeFmgpmg32.exeOohnonij.exeAjhniccb.exeGjnlha32.exeNbjifp32.exeFcloob32.exeJddggb32.exePpopjp32.exeEaindh32.exeLmodlkbi.exeEabbjc32.exeHcembe32.exeJopaejlo.exeLialfl32.exeFplicd32.exeCgndoeag.exeEiijfd32.exeHcbpme32.exePqcjepfo.exeBihjfnmm.exeHjchaf32.exeIlhkigcd.exeKoekpi32.exeLdpoinjq.exeAlbpff32.exeGadimkpb.exeIhagfb32.exeCjqlca32.exeAgiamhdo.exeIdbodn32.exeComdkh32.exeEaqdegaj.exeFfjkdc32.exeCjgbcpap.exeBnkgeg32.exePlhnda32.exeEpeohn32.exeCpjdiadb.exeAjeadd32.exeNahgoe32.exeBckddn32.exeFmbflm32.exeHhbkinel.exeLcjldk32.exeFlhoinbl.exeHmdlhk32.exeHmkeekag.exeGmfpgmil.exeFqkfmgbp.exeNajceeoo.exeFcmnkh32.exeEdmclccp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejmdemoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dclkee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpmgngb.dll"	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjqme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebjhg32.dll"	Eglkdbag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnkhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjdjoane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmgpmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohnonij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidiae32.dll"	Ajhniccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjnlha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbjifp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eglkdbag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcloob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdla32.dll"	Jddggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfafakb.dll"	Ppopjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaindh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehmfihf.dll"	Lmodlkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcembe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jopaejlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lialfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fplicd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpnbg32.dll"	Cgndoeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiijfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcbpme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqcjepfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bihjfnmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll"	Hjchaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koekpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldpoinjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albpff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gadimkpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihagfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofokb32.dll"	Cjqlca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agiamhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idbodn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Comdkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaqdegaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allchp32.dll"	Ffjkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjgbcpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plhnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epeohn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpjdiadb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkmnj32.dll"	Ajeadd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befhip32.dll"	Nahgoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bckddn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodobp32.dll"	Fmbflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcqmml.dll"	Jopaejlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhbkinel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblipdgh.dll"	Flhoinbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpigao32.dll"	Hmkeekag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqcjihb.dll"	Gmfpgmil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkfmgbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpldkpc.dll"	Najceeoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnofdgl.dll"	Fcmnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edmclccp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exeLfpcdaob.exeLialfl32.exeLfelpq32.exeLmodlkbi.exeMblmdaqq.exeMopmnf32.exeMelffm32.exeMkfncgeo.exeMflbpp32.exeNmjdhi32.exeNnlqpanj.exeNlpaiemd.exeNbjifp32.exeNmomchdg.exeNblfkobn.exeNmajihbd.exeNfjoan32.exeNpbcjc32.exeNeokbj32.exeOngpkpdm.exeOimdihdc.exe

description	pid	process	target process
PID 2200 wrote to memory of 3360	2200	a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe	Lfpcdaob.exe
PID 2200 wrote to memory of 3360	2200	a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe	Lfpcdaob.exe
PID 2200 wrote to memory of 3360	2200	a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe	Lfpcdaob.exe
PID 3360 wrote to memory of 4624	3360	Lfpcdaob.exe	Lialfl32.exe
PID 3360 wrote to memory of 4624	3360	Lfpcdaob.exe	Lialfl32.exe
PID 3360 wrote to memory of 4624	3360	Lfpcdaob.exe	Lialfl32.exe
PID 4624 wrote to memory of 4840	4624	Lialfl32.exe	Lfelpq32.exe
PID 4624 wrote to memory of 4840	4624	Lialfl32.exe	Lfelpq32.exe
PID 4624 wrote to memory of 4840	4624	Lialfl32.exe	Lfelpq32.exe
PID 4840 wrote to memory of 4788	4840	Lfelpq32.exe	Lmodlkbi.exe
PID 4840 wrote to memory of 4788	4840	Lfelpq32.exe	Lmodlkbi.exe
PID 4840 wrote to memory of 4788	4840	Lfelpq32.exe	Lmodlkbi.exe
PID 4788 wrote to memory of 4808	4788	Lmodlkbi.exe	Mblmdaqq.exe
PID 4788 wrote to memory of 4808	4788	Lmodlkbi.exe	Mblmdaqq.exe
PID 4788 wrote to memory of 4808	4788	Lmodlkbi.exe	Mblmdaqq.exe
PID 4808 wrote to memory of 4688	4808	Mblmdaqq.exe	Mopmnf32.exe
PID 4808 wrote to memory of 4688	4808	Mblmdaqq.exe	Mopmnf32.exe
PID 4808 wrote to memory of 4688	4808	Mblmdaqq.exe	Mopmnf32.exe
PID 4688 wrote to memory of 2308	4688	Mopmnf32.exe	Melffm32.exe
PID 4688 wrote to memory of 2308	4688	Mopmnf32.exe	Melffm32.exe
PID 4688 wrote to memory of 2308	4688	Mopmnf32.exe	Melffm32.exe
PID 2308 wrote to memory of 4476	2308	Melffm32.exe	Mkfncgeo.exe
PID 2308 wrote to memory of 4476	2308	Melffm32.exe	Mkfncgeo.exe
PID 2308 wrote to memory of 4476	2308	Melffm32.exe	Mkfncgeo.exe
PID 4476 wrote to memory of 4672	4476	Mkfncgeo.exe	Mflbpp32.exe
PID 4476 wrote to memory of 4672	4476	Mkfncgeo.exe	Mflbpp32.exe
PID 4476 wrote to memory of 4672	4476	Mkfncgeo.exe	Mflbpp32.exe
PID 4672 wrote to memory of 4928	4672	Mflbpp32.exe	Nmjdhi32.exe
PID 4672 wrote to memory of 4928	4672	Mflbpp32.exe	Nmjdhi32.exe
PID 4672 wrote to memory of 4928	4672	Mflbpp32.exe	Nmjdhi32.exe
PID 4928 wrote to memory of 4268	4928	Nmjdhi32.exe	Nnlqpanj.exe
PID 4928 wrote to memory of 4268	4928	Nmjdhi32.exe	Nnlqpanj.exe
PID 4928 wrote to memory of 4268	4928	Nmjdhi32.exe	Nnlqpanj.exe
PID 4268 wrote to memory of 544	4268	Nnlqpanj.exe	Nlpaiemd.exe
PID 4268 wrote to memory of 544	4268	Nnlqpanj.exe	Nlpaiemd.exe
PID 4268 wrote to memory of 544	4268	Nnlqpanj.exe	Nlpaiemd.exe
PID 544 wrote to memory of 1376	544	Nlpaiemd.exe	Nbjifp32.exe
PID 544 wrote to memory of 1376	544	Nlpaiemd.exe	Nbjifp32.exe
PID 544 wrote to memory of 1376	544	Nlpaiemd.exe	Nbjifp32.exe
PID 1376 wrote to memory of 2808	1376	Nbjifp32.exe	Nmomchdg.exe
PID 1376 wrote to memory of 2808	1376	Nbjifp32.exe	Nmomchdg.exe
PID 1376 wrote to memory of 2808	1376	Nbjifp32.exe	Nmomchdg.exe
PID 2808 wrote to memory of 3980	2808	Nmomchdg.exe	Nblfkobn.exe
PID 2808 wrote to memory of 3980	2808	Nmomchdg.exe	Nblfkobn.exe
PID 2808 wrote to memory of 3980	2808	Nmomchdg.exe	Nblfkobn.exe
PID 3980 wrote to memory of 2636	3980	Nblfkobn.exe	Nmajihbd.exe
PID 3980 wrote to memory of 2636	3980	Nblfkobn.exe	Nmajihbd.exe
PID 3980 wrote to memory of 2636	3980	Nblfkobn.exe	Nmajihbd.exe
PID 2636 wrote to memory of 1388	2636	Nmajihbd.exe	Nfjoan32.exe
PID 2636 wrote to memory of 1388	2636	Nmajihbd.exe	Nfjoan32.exe
PID 2636 wrote to memory of 1388	2636	Nmajihbd.exe	Nfjoan32.exe
PID 1388 wrote to memory of 204	1388	Nfjoan32.exe	Npbcjc32.exe
PID 1388 wrote to memory of 204	1388	Nfjoan32.exe	Npbcjc32.exe
PID 1388 wrote to memory of 204	1388	Nfjoan32.exe	Npbcjc32.exe
PID 204 wrote to memory of 4892	204	Npbcjc32.exe	Neokbj32.exe
PID 204 wrote to memory of 4892	204	Npbcjc32.exe	Neokbj32.exe
PID 204 wrote to memory of 4892	204	Npbcjc32.exe	Neokbj32.exe
PID 4892 wrote to memory of 3364	4892	Neokbj32.exe	Ongpkpdm.exe
PID 4892 wrote to memory of 3364	4892	Neokbj32.exe	Ongpkpdm.exe
PID 4892 wrote to memory of 3364	4892	Neokbj32.exe	Ongpkpdm.exe
PID 3364 wrote to memory of 5052	3364	Ongpkpdm.exe	Oimdihdc.exe
PID 3364 wrote to memory of 5052	3364	Ongpkpdm.exe	Oimdihdc.exe
PID 3364 wrote to memory of 5052	3364	Ongpkpdm.exe	Oimdihdc.exe
PID 5052 wrote to memory of 2652	5052	Oimdihdc.exe	Onjmao32.exe

C:\Users\Admin\AppData\Local\Temp\a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe
"C:\Users\Admin\AppData\Local\Temp\a19ae3e43ae6556aa3e0e7ee05c3c07836902f760a43d312778af3b7093ecf96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\Lfpcdaob.exe
  C:\Windows\system32\Lfpcdaob.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\Lialfl32.exe
    C:\Windows\system32\Lialfl32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\Lfelpq32.exe
      C:\Windows\system32\Lfelpq32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\Lmodlkbi.exe
        
        C:\Windows\system32\Lmodlkbi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\Mblmdaqq.exe
        
        C:\Windows\system32\Mblmdaqq.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mopmnf32.exe
        
        C:\Windows\system32\Mopmnf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Melffm32.exe
        
        C:\Windows\system32\Melffm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Mkfncgeo.exe
        
        C:\Windows\system32\Mkfncgeo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Mflbpp32.exe
        
        C:\Windows\system32\Mflbpp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Nmjdhi32.exe
        
        C:\Windows\system32\Nmjdhi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Nnlqpanj.exe
        
        C:\Windows\system32\Nnlqpanj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Nlpaiemd.exe
        
        C:\Windows\system32\Nlpaiemd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Nbjifp32.exe
        
        C:\Windows\system32\Nbjifp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nmomchdg.exe
        
        C:\Windows\system32\Nmomchdg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Nblfkobn.exe
        
        C:\Windows\system32\Nblfkobn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Nmajihbd.exe
        
        C:\Windows\system32\Nmajihbd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nfjoan32.exe
        
        C:\Windows\system32\Nfjoan32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Npbcjc32.exe
        
        C:\Windows\system32\Npbcjc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:204
        
        C:\Windows\SysWOW64\Neokbj32.exe
        
        C:\Windows\system32\Neokbj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ongpkpdm.exe
        
        C:\Windows\system32\Ongpkpdm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Oimdihdc.exe
        
        C:\Windows\system32\Oimdihdc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Onjmao32.exe
        
        C:\Windows\system32\Onjmao32.exe
        23⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Oedeniig.exe
        
        C:\Windows\system32\Oedeniig.exe
        24⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Opiikbim.exe
        
        C:\Windows\system32\Opiikbim.exe
        25⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Ommjdfhg.exe
        
        C:\Windows\system32\Ommjdfhg.exe
        26⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Ompfjf32.exe
        
        C:\Windows\system32\Ompfjf32.exe
        27⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Pifgoglh.exe
        
        C:\Windows\system32\Pifgoglh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Ppblaaab.exe
        
        C:\Windows\system32\Ppblaaab.exe
        29⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Pepdihoj.exe
        
        C:\Windows\system32\Pepdihoj.exe
        30⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Plimfb32.exe
        
        C:\Windows\system32\Plimfb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Pfoackfl.exe
        
        C:\Windows\system32\Pfoackfl.exe
        32⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Pllilaed.exe
        
        C:\Windows\system32\Pllilaed.exe
        33⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Pedndg32.exe
        
        C:\Windows\system32\Pedndg32.exe
        34⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Plnfaaba.exe
        
        C:\Windows\system32\Plnfaaba.exe
        35⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Qbjkckhk.exe
        
        C:\Windows\system32\Qbjkckhk.exe
        36⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Qeigpfgo.exe
        
        C:\Windows\system32\Qeigpfgo.exe
        37⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Qidcpe32.exe
        
        C:\Windows\system32\Qidcpe32.exe
        38⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Qlcplq32.exe
        
        C:\Windows\system32\Qlcplq32.exe
        39⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Qbmhikfi.exe
        
        C:\Windows\system32\Qbmhikfi.exe
        40⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Aekdefel.exe
        
        C:\Windows\system32\Aekdefel.exe
        41⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Alelbpmi.exe
        
        C:\Windows\system32\Alelbpmi.exe
        42⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Agkqoilo.exe
        
        C:\Windows\system32\Agkqoilo.exe
        43⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Algigpkf.exe
        
        C:\Windows\system32\Algigpkf.exe
        44⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Abaadj32.exe
        
        C:\Windows\system32\Abaadj32.exe
        45⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Aepmpe32.exe
        
        C:\Windows\system32\Aepmpe32.exe
        46⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Acdnjjpq.exe
        
        C:\Windows\system32\Acdnjjpq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Amlombnd.exe
        
        C:\Windows\system32\Amlombnd.exe
        48⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Bchgei32.exe
        
        C:\Windows\system32\Bchgei32.exe
        49⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Bckdji32.exe
        
        C:\Windows\system32\Bckdji32.exe
        50⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Bnphha32.exe
        
        C:\Windows\system32\Bnphha32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Bigimb32.exe
        
        C:\Windows\system32\Bigimb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Bneacaei.exe
        
        C:\Windows\system32\Bneacaei.exe
        53⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Bofnji32.exe
        
        C:\Windows\system32\Bofnji32.exe
        54⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Bjlbhbkn.exe
        
        C:\Windows\system32\Bjlbhbkn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Boikpiie.exe
        
        C:\Windows\system32\Boikpiie.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Cnjknp32.exe
        
        C:\Windows\system32\Cnjknp32.exe
        57⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Cokgehgb.exe
        
        C:\Windows\system32\Cokgehgb.exe
        58⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Cjqlca32.exe
        
        C:\Windows\system32\Cjqlca32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Comdkh32.exe
        
        C:\Windows\system32\Comdkh32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Cfgmhbml.exe
        
        C:\Windows\system32\Cfgmhbml.exe
        61⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Claedl32.exe
        
        C:\Windows\system32\Claedl32.exe
        62⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Cckmaflf.exe
        
        C:\Windows\system32\Cckmaflf.exe
        63⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Cnqaoo32.exe
        
        C:\Windows\system32\Cnqaoo32.exe
        64⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Cobnfgaj.exe
        
        C:\Windows\system32\Cobnfgaj.exe
        65⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Cjgbcpap.exe
        
        C:\Windows\system32\Cjgbcpap.exe
        66⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cqajpj32.exe
        
        C:\Windows\system32\Cqajpj32.exe
        67⤵
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Dnhgoned.exe
        
        C:\Windows\system32\Dnhgoned.exe
        68⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Doidgf32.exe
        
        C:\Windows\system32\Doidgf32.exe
        69⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Dqhpai32.exe
        
        C:\Windows\system32\Dqhpai32.exe
        70⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Dfeiip32.exe
        
        C:\Windows\system32\Dfeiip32.exe
        71⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Dmoafjhi.exe
        
        C:\Windows\system32\Dmoafjhi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:508
        
        C:\Windows\SysWOW64\Dgeeccho.exe
        
        C:\Windows\system32\Dgeeccho.exe
        73⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Eqmjlinp.exe
        
        C:\Windows\system32\Eqmjlinp.exe
        74⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Efjbdpmg.exe
        
        C:\Windows\system32\Efjbdpmg.exe
        75⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Enajemmi.exe
        
        C:\Windows\system32\Enajemmi.exe
        76⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Ecnbndkq.exe
        
        C:\Windows\system32\Ecnbndkq.exe
        77⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Ejhkjn32.exe
        
        C:\Windows\system32\Ejhkjn32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Eqbcghjj.exe
        
        C:\Windows\system32\Eqbcghjj.exe
        79⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Eglkdbag.exe
        
        C:\Windows\system32\Eglkdbag.exe
        80⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Enfcql32.exe
        
        C:\Windows\system32\Enfcql32.exe
        81⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Eogphdob.exe
        
        C:\Windows\system32\Eogphdob.exe
        82⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Ejmdemoh.exe
        
        C:\Windows\system32\Ejmdemoh.exe
        83⤵
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Emkqainl.exe
        
        C:\Windows\system32\Emkqainl.exe
        84⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Eceinc32.exe
        
        C:\Windows\system32\Eceinc32.exe
        85⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Enjmlleo.exe
        
        C:\Windows\system32\Enjmlleo.exe
        86⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Fplicd32.exe
        
        C:\Windows\system32\Fplicd32.exe
        87⤵
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Fffapnbj.exe
        
        C:\Windows\system32\Fffapnbj.exe
        88⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Fqkfmgbp.exe
        
        C:\Windows\system32\Fqkfmgbp.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Ffhnen32.exe
        
        C:\Windows\system32\Ffhnen32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3580
        
        C:\Windows\SysWOW64\Fnofgk32.exe
        
        C:\Windows\system32\Fnofgk32.exe
        91⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Fcloob32.exe
        
        C:\Windows\system32\Fcloob32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Ffjkkm32.exe
        
        C:\Windows\system32\Ffjkkm32.exe
        93⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Fnaclk32.exe
        
        C:\Windows\system32\Fnaclk32.exe
        94⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Fpcpdcee.exe
        
        C:\Windows\system32\Fpcpdcee.exe
        95⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Fgjgepeg.exe
        
        C:\Windows\system32\Fgjgepeg.exe
        96⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Fndpbjmd.exe
        
        C:\Windows\system32\Fndpbjmd.exe
        97⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Fmgpmg32.exe
        
        C:\Windows\system32\Fmgpmg32.exe
        98⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Fpelib32.exe
        
        C:\Windows\system32\Fpelib32.exe
        99⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Fjkqgk32.exe
        
        C:\Windows\system32\Fjkqgk32.exe
        100⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Fjkqgk32.exe
        
        C:\Windows\system32\Fjkqgk32.exe
        101⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Gmimcg32.exe
        
        C:\Windows\system32\Gmimcg32.exe
        102⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Gccepqii.exe
        
        C:\Windows\system32\Gccepqii.exe
        103⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Ggoapp32.exe
        
        C:\Windows\system32\Ggoapp32.exe
        104⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Gjmmlk32.exe
        
        C:\Windows\system32\Gjmmlk32.exe
        105⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Gnhimi32.exe
        
        C:\Windows\system32\Gnhimi32.exe
        106⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Gageie32.exe
        
        C:\Windows\system32\Gageie32.exe
        107⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Gganfooo.exe
        
        C:\Windows\system32\Gganfooo.exe
        108⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Gmnfnfnf.exe
        
        C:\Windows\system32\Gmnfnfnf.exe
        109⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ggcjkoml.exe
        
        C:\Windows\system32\Ggcjkoml.exe
        110⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Gjaggjlp.exe
        
        C:\Windows\system32\Gjaggjlp.exe
        111⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Galodddm.exe
        
        C:\Windows\system32\Galodddm.exe
        112⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Ghegao32.exe
        
        C:\Windows\system32\Ghegao32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Gmbpie32.exe
        
        C:\Windows\system32\Gmbpie32.exe
        114⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Gpaleq32.exe
        
        C:\Windows\system32\Gpaleq32.exe
        115⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Hjfpbi32.exe
        
        C:\Windows\system32\Hjfpbi32.exe
        116⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Hpchkqfb.exe
        
        C:\Windows\system32\Hpchkqfb.exe
        117⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Hagnpbjp.exe
        
        C:\Windows\system32\Hagnpbjp.exe
        118⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Hhagmm32.exe
        
        C:\Windows\system32\Hhagmm32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        120⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        122⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        123⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        124⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        125⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        126⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        128⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        129⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        130⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        132⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        133⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        134⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        135⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        137⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        138⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        139⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        140⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        141⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        142⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        143⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        144⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        145⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        146⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        147⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        148⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        149⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        150⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        151⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        152⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Oepifi32.exe
        
        C:\Windows\system32\Oepifi32.exe
        153⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Opemca32.exe
        
        C:\Windows\system32\Opemca32.exe
        154⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Oohnonij.exe
        
        C:\Windows\system32\Oohnonij.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Ohqbhdpj.exe
        
        C:\Windows\system32\Ohqbhdpj.exe
        156⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ophjiaql.exe
        
        C:\Windows\system32\Ophjiaql.exe
        157⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Pgbbek32.exe
        
        C:\Windows\system32\Pgbbek32.exe
        158⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pjpobg32.exe
        
        C:\Windows\system32\Pjpobg32.exe
        159⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Pomgjn32.exe
        
        C:\Windows\system32\Pomgjn32.exe
        160⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Pfgogh32.exe
        
        C:\Windows\system32\Pfgogh32.exe
        161⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Poodpmca.exe
        
        C:\Windows\system32\Poodpmca.exe
        162⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Pgflqkdd.exe
        
        C:\Windows\system32\Pgflqkdd.exe
        163⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        164⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Pjehmfch.exe
        
        C:\Windows\system32\Pjehmfch.exe
        165⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Phhhhc32.exe
        
        C:\Windows\system32\Phhhhc32.exe
        166⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Ppopjp32.exe
        
        C:\Windows\system32\Ppopjp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        168⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgihfj32.exe
        
        C:\Windows\system32\Pgihfj32.exe
        169⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        170⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Ppamophb.exe
        
        C:\Windows\system32\Ppamophb.exe
        171⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Pfnegggi.exe
        
        C:\Windows\system32\Pfnegggi.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:528
        
        C:\Windows\SysWOW64\Plhnda32.exe
        
        C:\Windows\system32\Plhnda32.exe
        173⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Pqcjepfo.exe
        
        C:\Windows\system32\Pqcjepfo.exe
        174⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Qjlnnemp.exe
        
        C:\Windows\system32\Qjlnnemp.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Qljjjqlc.exe
        
        C:\Windows\system32\Qljjjqlc.exe
        177⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        178⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        179⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Qjnkcekm.exe
        
        C:\Windows\system32\Qjnkcekm.exe
        180⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Qqhcpo32.exe
        
        C:\Windows\system32\Qqhcpo32.exe
        181⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Acgolj32.exe
        
        C:\Windows\system32\Acgolj32.exe
        182⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ajqgidij.exe
        
        C:\Windows\system32\Ajqgidij.exe
        183⤵
        
        PID:204
        
        C:\Windows\SysWOW64\Ahchda32.exe
        
        C:\Windows\system32\Ahchda32.exe
        20⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Aqkpeopg.exe
        
        C:\Windows\system32\Aqkpeopg.exe
        21⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Aompak32.exe
        
        C:\Windows\system32\Aompak32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3576
        
        C:\Windows\SysWOW64\Agdhbi32.exe
        
        C:\Windows\system32\Agdhbi32.exe
        23⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Aqmlknnd.exe
        
        C:\Windows\system32\Aqmlknnd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Aggegh32.exe
        
        C:\Windows\system32\Aggegh32.exe
        25⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Ajeadd32.exe
        
        C:\Windows\system32\Ajeadd32.exe
        26⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Amcmpodi.exe
        
        C:\Windows\system32\Amcmpodi.exe
        27⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        28⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ajhniccb.exe
        
        C:\Windows\system32\Ajhniccb.exe
        29⤵
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Aodfajaj.exe
        
        C:\Windows\system32\Aodfajaj.exe
        30⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Aglnbhal.exe
        
        C:\Windows\system32\Aglnbhal.exe
        31⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Ajjjocap.exe
        
        C:\Windows\system32\Ajjjocap.exe
        32⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Amhfkopc.exe
        
        C:\Windows\system32\Amhfkopc.exe
        33⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        34⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Bgnkhg32.exe
        
        C:\Windows\system32\Bgnkhg32.exe
        35⤵
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Bfqkddfd.exe
        
        C:\Windows\system32\Bfqkddfd.exe
        36⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        37⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        38⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Boipmj32.exe
        
        C:\Windows\system32\Boipmj32.exe
        39⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        40⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Bgpgng32.exe
        
        C:\Windows\system32\Bgpgng32.exe
        41⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        42⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Bqilgmdg.exe
        
        C:\Windows\system32\Bqilgmdg.exe
        43⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Bfedoc32.exe
        
        C:\Windows\system32\Bfedoc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Bmomlnjk.exe
        
        C:\Windows\system32\Bmomlnjk.exe
        45⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Bciehh32.exe
        
        C:\Windows\system32\Bciehh32.exe
        46⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        47⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Bmbiamhi.exe
        
        C:\Windows\system32\Bmbiamhi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1820
        
        C:\Windows\SysWOW64\Bclang32.exe
        
        C:\Windows\system32\Bclang32.exe
        49⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Bihjfnmm.exe
        
        C:\Windows\system32\Bihjfnmm.exe
        50⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Cqpbglno.exe
        
        C:\Windows\system32\Cqpbglno.exe
        51⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Cflkpblf.exe
        
        C:\Windows\system32\Cflkpblf.exe
        52⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        53⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Cabomkll.exe
        
        C:\Windows\system32\Cabomkll.exe
        54⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        55⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Cjjcfabm.exe
        
        C:\Windows\system32\Cjjcfabm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        57⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Cgndoeag.exe
        
        C:\Windows\system32\Cgndoeag.exe
        58⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Cmklglpn.exe
        
        C:\Windows\system32\Cmklglpn.exe
        59⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Cpihcgoa.exe
        
        C:\Windows\system32\Cpihcgoa.exe
        60⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        61⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Cjomap32.exe
        
        C:\Windows\system32\Cjomap32.exe
        62⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Cpleig32.exe
        
        C:\Windows\system32\Cpleig32.exe
        63⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Cffmfadl.exe
        
        C:\Windows\system32\Cffmfadl.exe
        64⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Dmpfbk32.exe
        
        C:\Windows\system32\Dmpfbk32.exe
        65⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Dpnbog32.exe
        
        C:\Windows\system32\Dpnbog32.exe
        66⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Dcjnoece.exe
        
        C:\Windows\system32\Dcjnoece.exe
        67⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Djdflp32.exe
        
        C:\Windows\system32\Djdflp32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4816
        
        C:\Windows\SysWOW64\Dclkee32.exe
        
        C:\Windows\system32\Dclkee32.exe
        70⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Djfcaohp.exe
        
        C:\Windows\system32\Djfcaohp.exe
        71⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        72⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Dcogje32.exe
        
        C:\Windows\system32\Dcogje32.exe
        73⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        74⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Djhpgofm.exe
        
        C:\Windows\system32\Djhpgofm.exe
        75⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Dmglcj32.exe
        
        C:\Windows\system32\Dmglcj32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ddadpdmn.exe
        
        C:\Windows\system32\Ddadpdmn.exe
        77⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Dfoplpla.exe
        
        C:\Windows\system32\Dfoplpla.exe
        78⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Dinmhkke.exe
        
        C:\Windows\system32\Dinmhkke.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3168
        
        C:\Windows\SysWOW64\Daediilg.exe
        
        C:\Windows\system32\Daediilg.exe
        80⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        81⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Djmibn32.exe
        
        C:\Windows\system32\Djmibn32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Eipinkib.exe
        
        C:\Windows\system32\Eipinkib.exe
        83⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\Eagaoh32.exe
        
        C:\Windows\system32\Eagaoh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2804
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        85⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Eibfck32.exe
        
        C:\Windows\system32\Eibfck32.exe
        87⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Eaindh32.exe
        
        C:\Windows\system32\Eaindh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Edhjqc32.exe
        
        C:\Windows\system32\Edhjqc32.exe
        89⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        90⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        91⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Efhcbodf.exe
        
        C:\Windows\system32\Efhcbodf.exe
        92⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        93⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        94⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Efkphnbd.exe
        
        C:\Windows\system32\Efkphnbd.exe
        95⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Eiildjag.exe
        
        C:\Windows\system32\Eiildjag.exe
        96⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Eaqdegaj.exe
        
        C:\Windows\system32\Eaqdegaj.exe
        97⤵
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Edopabqn.exe
        
        C:\Windows\system32\Edopabqn.exe
        98⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        99⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Fmgejhgn.exe
        
        C:\Windows\system32\Fmgejhgn.exe
        100⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Fdamgb32.exe
        
        C:\Windows\system32\Fdamgb32.exe
        101⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        102⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        103⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Gphgbafl.exe
        
        C:\Windows\system32\Gphgbafl.exe
        104⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        105⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        106⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Gahcmd32.exe
        
        C:\Windows\system32\Gahcmd32.exe
        107⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Hhbkinel.exe
        
        C:\Windows\system32\Hhbkinel.exe
        108⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Hjchaf32.exe
        
        C:\Windows\system32\Hjchaf32.exe
        109⤵
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Hdilnojp.exe
        
        C:\Windows\system32\Hdilnojp.exe
        110⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        111⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Hpbiip32.exe
        
        C:\Windows\system32\Hpbiip32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Hglaej32.exe
        
        C:\Windows\system32\Hglaej32.exe
        113⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        114⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Haafcb32.exe
        
        C:\Windows\system32\Haafcb32.exe
        115⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Hgnoki32.exe
        
        C:\Windows\system32\Hgnoki32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Hacbhb32.exe
        
        C:\Windows\system32\Hacbhb32.exe
        117⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        118⤵
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ijogmdqm.exe
        
        C:\Windows\system32\Ijogmdqm.exe
        119⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        120⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Iqklon32.exe
        
        C:\Windows\system32\Iqklon32.exe
        121⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Ihbdplfi.exe
        
        C:\Windows\system32\Ihbdplfi.exe
        122⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        123⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        124⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Idieem32.exe
        
        C:\Windows\system32\Idieem32.exe
        125⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        126⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Ihgnkkbd.exe
        
        C:\Windows\system32\Ihgnkkbd.exe
        127⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Ikejgf32.exe
        
        C:\Windows\system32\Ikejgf32.exe
        128⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        129⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Jkjcbe32.exe
        
        C:\Windows\system32\Jkjcbe32.exe
        131⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Jbdlop32.exe
        
        C:\Windows\system32\Jbdlop32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        133⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Jnkldqkc.exe
        
        C:\Windows\system32\Jnkldqkc.exe
        134⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Jdedak32.exe
        
        C:\Windows\system32\Jdedak32.exe
        135⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Jgcamf32.exe
        
        C:\Windows\system32\Jgcamf32.exe
        136⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Jkomneim.exe
        
        C:\Windows\system32\Jkomneim.exe
        137⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        138⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Jdgafjpn.exe
        
        C:\Windows\system32\Jdgafjpn.exe
        139⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Jgenbfoa.exe
        
        C:\Windows\system32\Jgenbfoa.exe
        140⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Jjdjoane.exe
        
        C:\Windows\system32\Jjdjoane.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Jbkbpoog.exe
        
        C:\Windows\system32\Jbkbpoog.exe
        142⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Kqnbkl32.exe
        
        C:\Windows\system32\Kqnbkl32.exe
        143⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Kjffdalb.exe
        
        C:\Windows\system32\Kjffdalb.exe
        144⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Kqpoakco.exe
        
        C:\Windows\system32\Kqpoakco.exe
        145⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Kgjgne32.exe
        
        C:\Windows\system32\Kgjgne32.exe
        146⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Kgmcce32.exe
        
        C:\Windows\system32\Kgmcce32.exe
        148⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Kaehljpj.exe
        
        C:\Windows\system32\Kaehljpj.exe
        149⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Ljbfpo32.exe
        
        C:\Windows\system32\Ljbfpo32.exe
        150⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Lghcocol.exe
        
        C:\Windows\system32\Lghcocol.exe
        151⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Lnbklm32.exe
        
        C:\Windows\system32\Lnbklm32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        153⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        154⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        155⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        156⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        157⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Lijlof32.exe
        
        C:\Windows\system32\Lijlof32.exe
        158⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        159⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Mngegmbc.exe
        
        C:\Windows\system32\Mngegmbc.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Maeachag.exe
        
        C:\Windows\system32\Maeachag.exe
        161⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        162⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Mjneln32.exe
        
        C:\Windows\system32\Mjneln32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        164⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        165⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Mhafeb32.exe
        
        C:\Windows\system32\Mhafeb32.exe
        166⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        167⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        168⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Meefofek.exe
        
        C:\Windows\system32\Meefofek.exe
        169⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Mlpokp32.exe
        
        C:\Windows\system32\Mlpokp32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        171⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Malgcg32.exe
        
        C:\Windows\system32\Malgcg32.exe
        172⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Micoed32.exe
        
        C:\Windows\system32\Micoed32.exe
        173⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Mblcnj32.exe
        
        C:\Windows\system32\Mblcnj32.exe
        174⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Njghbl32.exe
        
        C:\Windows\system32\Njghbl32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Nbnpcj32.exe
        
        C:\Windows\system32\Nbnpcj32.exe
        176⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Njiegl32.exe
        
        C:\Windows\system32\Njiegl32.exe
        177⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Nijeec32.exe
        
        C:\Windows\system32\Nijeec32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Nafjjf32.exe
        
        C:\Windows\system32\Nafjjf32.exe
        179⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Nimbkc32.exe
        
        C:\Windows\system32\Nimbkc32.exe
        180⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        181⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        183⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Nkqkhk32.exe
        
        C:\Windows\system32\Nkqkhk32.exe
        184⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Najceeoo.exe
        
        C:\Windows\system32\Najceeoo.exe
        185⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        186⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Oondnini.exe
        
        C:\Windows\system32\Oondnini.exe
        187⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Oehlkc32.exe
        
        C:\Windows\system32\Oehlkc32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7184
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        189⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Olbdhn32.exe
        
        C:\Windows\system32\Olbdhn32.exe
        190⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Ooqqdi32.exe
        
        C:\Windows\system32\Ooqqdi32.exe
        191⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Oekiqccc.exe
        
        C:\Windows\system32\Oekiqccc.exe
        192⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7308
        
        C:\Windows\SysWOW64\Okgaijaj.exe
        
        C:\Windows\system32\Okgaijaj.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7336
        
        C:\Windows\SysWOW64\Oboijgbl.exe
        
        C:\Windows\system32\Oboijgbl.exe
        195⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        196⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        197⤵
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Fipkjb32.exe
        
        C:\Windows\system32\Fipkjb32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7496
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Odjeljhd.exe
        
        C:\Windows\system32\Odjeljhd.exe
        200⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        201⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        203⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        204⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        205⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        206⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        207⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        208⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        210⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        211⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        212⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        213⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        214⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        215⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        216⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        217⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        218⤵
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        219⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        220⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        221⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        222⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        223⤵
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        224⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        225⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        226⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        227⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        228⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        229⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        230⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        231⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        232⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        233⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        234⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        235⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        237⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        238⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        239⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        240⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        241⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        242⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        243⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        244⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        245⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        246⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        248⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        249⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        250⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        253⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Dcmedk32.exe
        
        C:\Windows\system32\Dcmedk32.exe
        254⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Dekapfke.exe
        
        C:\Windows\system32\Dekapfke.exe
        255⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Eiijfd32.exe
        
        C:\Windows\system32\Eiijfd32.exe
        256⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Elhfbp32.exe
        
        C:\Windows\system32\Elhfbp32.exe
        257⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Edoncm32.exe
        
        C:\Windows\system32\Edoncm32.exe
        258⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Emgblc32.exe
        
        C:\Windows\system32\Emgblc32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Epeohn32.exe
        
        C:\Windows\system32\Epeohn32.exe
        260⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Fdjnolfd.exe
        
        C:\Windows\system32\Fdjnolfd.exe
        261⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Fcmnkh32.exe
        
        C:\Windows\system32\Fcmnkh32.exe
        262⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Flhoinbl.exe
        
        C:\Windows\system32\Flhoinbl.exe
        263⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Fdadpk32.exe
        
        C:\Windows\system32\Fdadpk32.exe
        264⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Fgpplf32.exe
        
        C:\Windows\system32\Fgpplf32.exe
        265⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Gjnlha32.exe
        
        C:\Windows\system32\Gjnlha32.exe
        266⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Gnjhhpgl.exe
        
        C:\Windows\system32\Gnjhhpgl.exe
        267⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Gddqejni.exe
        
        C:\Windows\system32\Gddqejni.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3676
        
        C:\Windows\SysWOW64\Gfemmb32.exe
        
        C:\Windows\system32\Gfemmb32.exe
        269⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Gqkajk32.exe
        
        C:\Windows\system32\Gqkajk32.exe
        270⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Gnoacp32.exe
        
        C:\Windows\system32\Gnoacp32.exe
        271⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Gdhjpjjd.exe
        
        C:\Windows\system32\Gdhjpjjd.exe
        272⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1576
        
        C:\Windows\SysWOW64\Gnanioad.exe
        
        C:\Windows\system32\Gnanioad.exe
        274⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Gqokekph.exe
        
        C:\Windows\system32\Gqokekph.exe
        275⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        276⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Gflcnanp.exe
        
        C:\Windows\system32\Gflcnanp.exe
        277⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Gmfkjl32.exe
        
        C:\Windows\system32\Gmfkjl32.exe
        278⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Gdmcki32.exe
        
        C:\Windows\system32\Gdmcki32.exe
        279⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Hfnpca32.exe
        
        C:\Windows\system32\Hfnpca32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Hmhhpkcj.exe
        
        C:\Windows\system32\Hmhhpkcj.exe
        281⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Hcbpme32.exe
        
        C:\Windows\system32\Hcbpme32.exe
        282⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Hjlhipbc.exe
        
        C:\Windows\system32\Hjlhipbc.exe
        283⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Hmkeekag.exe
        
        C:\Windows\system32\Hmkeekag.exe
        284⤵
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Hcembe32.exe
        
        C:\Windows\system32\Hcembe32.exe
        285⤵
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Hnjaonij.exe
        
        C:\Windows\system32\Hnjaonij.exe
        286⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hqimlihn.exe
        
        C:\Windows\system32\Hqimlihn.exe
        287⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Hcgjhega.exe
        
        C:\Windows\system32\Hcgjhega.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3664
        
        C:\Windows\SysWOW64\Hnmnengg.exe
        
        C:\Windows\system32\Hnmnengg.exe
        289⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Jgjeppkp.exe
        
        C:\Windows\system32\Jgjeppkp.exe
        290⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Jjhalkjc.exe
        
        C:\Windows\system32\Jjhalkjc.exe
        291⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Jglaepim.exe
        
        C:\Windows\system32\Jglaepim.exe
        292⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Jjknakhq.exe
        
        C:\Windows\system32\Jjknakhq.exe
        293⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Jnfjbj32.exe
        
        C:\Windows\system32\Jnfjbj32.exe
        294⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Kccbjq32.exe
        
        C:\Windows\system32\Kccbjq32.exe
        295⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Kfanflne.exe
        
        C:\Windows\system32\Kfanflne.exe
        296⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Nifnao32.exe
        
        C:\Windows\system32\Nifnao32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Oeahap32.exe
        
        C:\Windows\system32\Oeahap32.exe
        298⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Ofcaab32.exe
        
        C:\Windows\system32\Ofcaab32.exe
        299⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Oianmm32.exe
        
        C:\Windows\system32\Oianmm32.exe
        300⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Pmpfcl32.exe
        
        C:\Windows\system32\Pmpfcl32.exe
        301⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Poqckdap.exe
        
        C:\Windows\system32\Poqckdap.exe
        302⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Peaahmcd.exe
        
        C:\Windows\system32\Peaahmcd.exe
        303⤵
        
        PID:332
        
        C:\Windows\SysWOW64\Qpibke32.exe
        
        C:\Windows\system32\Qpibke32.exe
        304⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Aploae32.exe
        
        C:\Windows\system32\Aploae32.exe
        305⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Abjkmqni.exe
        
        C:\Windows\system32\Abjkmqni.exe
        306⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Albpff32.exe
        
        C:\Windows\system32\Albpff32.exe
        307⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Aoalba32.exe
        
        C:\Windows\system32\Aoalba32.exe
        308⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Agkqiobl.exe
        
        C:\Windows\system32\Agkqiobl.exe
        309⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Aiimejap.exe
        
        C:\Windows\system32\Aiimejap.exe
        310⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Algiaepd.exe
        
        C:\Windows\system32\Algiaepd.exe
        311⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Apeagd32.exe
        
        C:\Windows\system32\Apeagd32.exe
        312⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Agojdnng.exe
        
        C:\Windows\system32\Agojdnng.exe
        313⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bcfkiock.exe
        
        C:\Windows\system32\Bcfkiock.exe
        314⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Bibpkiie.exe
        
        C:\Windows\system32\Bibpkiie.exe
        315⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Bplhhc32.exe
        
        C:\Windows\system32\Bplhhc32.exe
        316⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Bckddn32.exe
        
        C:\Windows\system32\Bckddn32.exe
        317⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bnbeggmi.exe
        
        C:\Windows\system32\Bnbeggmi.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4216
        
        C:\Windows\SysWOW64\Bleebc32.exe
        
        C:\Windows\system32\Bleebc32.exe
        319⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\Bjielh32.exe
        
        C:\Windows\system32\Bjielh32.exe
        320⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Clhbhc32.exe
        
        C:\Windows\system32\Clhbhc32.exe
        321⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\Cofndo32.exe
        
        C:\Windows\system32\Cofndo32.exe
        322⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Cljomc32.exe
        
        C:\Windows\system32\Cljomc32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3228
        
        C:\Windows\SysWOW64\Cohkinob.exe
        
        C:\Windows\system32\Cohkinob.exe
        324⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Cgpcklpd.exe
        
        C:\Windows\system32\Cgpcklpd.exe
        325⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Ccfcpm32.exe
        
        C:\Windows\system32\Ccfcpm32.exe
        326⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Cnlhme32.exe
        
        C:\Windows\system32\Cnlhme32.exe
        327⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Cpjdiadb.exe
        
        C:\Windows\system32\Cpjdiadb.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ccipelcf.exe
        
        C:\Windows\system32\Ccipelcf.exe
        329⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Cggikk32.exe
        
        C:\Windows\system32\Cggikk32.exe
        330⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Dnqaheai.exe
        
        C:\Windows\system32\Dnqaheai.exe
        331⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Djgbmffn.exe
        
        C:\Windows\system32\Djgbmffn.exe
        332⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        333⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Dnekcd32.exe
        
        C:\Windows\system32\Dnekcd32.exe
        334⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Dmhkoaco.exe
        
        C:\Windows\system32\Dmhkoaco.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Djlkhe32.exe
        
        C:\Windows\system32\Djlkhe32.exe
        336⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Dqfceoje.exe
        
        C:\Windows\system32\Dqfceoje.exe
        337⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Dfclmfhl.exe
        
        C:\Windows\system32\Dfclmfhl.exe
        338⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Fmmmqnaf.exe
        
        C:\Windows\system32\Fmmmqnaf.exe
        339⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        340⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Fmpjfn32.exe
        
        C:\Windows\system32\Fmpjfn32.exe
        341⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Fpnfbi32.exe
        
        C:\Windows\system32\Fpnfbi32.exe
        342⤵
        
        PID:444
        
        C:\Windows\SysWOW64\Fcibchgq.exe
        
        C:\Windows\system32\Fcibchgq.exe
        343⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Ffhnocfd.exe
        
        C:\Windows\system32\Ffhnocfd.exe
        344⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Fmbflm32.exe
        
        C:\Windows\system32\Fmbflm32.exe
        345⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Fclohg32.exe
        
        C:\Windows\system32\Fclohg32.exe
        346⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Ffjkdc32.exe
        
        C:\Windows\system32\Ffjkdc32.exe
        347⤵
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Fmdcamko.exe
        
        C:\Windows\system32\Fmdcamko.exe
        348⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Ggjgofkd.exe
        
        C:\Windows\system32\Ggjgofkd.exe
        349⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Gjhdkajh.exe
        
        C:\Windows\system32\Gjhdkajh.exe
        350⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Gmfpgmil.exe
        
        C:\Windows\system32\Gmfpgmil.exe
        351⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Gcqhcgqi.exe
        
        C:\Windows\system32\Gcqhcgqi.exe
        352⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2568
        
        C:\Windows\SysWOW64\Gfodpbpl.exe
        
        C:\Windows\system32\Gfodpbpl.exe
        353⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Gnfmapqo.exe
        
        C:\Windows\system32\Gnfmapqo.exe
        354⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Gadimkpb.exe
        
        C:\Windows\system32\Gadimkpb.exe
        355⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Gpgihh32.exe
        
        C:\Windows\system32\Gpgihh32.exe
        356⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Gcceifof.exe
        
        C:\Windows\system32\Gcceifof.exe
        357⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Gjmmfq32.exe
        
        C:\Windows\system32\Gjmmfq32.exe
        358⤵
        
        PID:2800

C:\Windows\SysWOW64\Gjmmfq32.exe
C:\Windows\system32\Gjmmfq32.exe
1⤵
PID:4108
- C:\Windows\SysWOW64\Gnhifonl.exe
  C:\Windows\system32\Gnhifonl.exe
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\Gmkibl32.exe
    C:\Windows\system32\Gmkibl32.exe
    3⤵
    PID:4172
  - - C:\Windows\SysWOW64\Gpjfng32.exe
      C:\Windows\system32\Gpjfng32.exe
      4⤵
      Drops file in System32 directory
      PID:3324
    - - C:\Windows\SysWOW64\Gfcnka32.exe
        
        C:\Windows\system32\Gfcnka32.exe
        5⤵
        
        PID:4472
      - C:\Windows\SysWOW64\Gcgndf32.exe
        
        C:\Windows\system32\Gcgndf32.exe
        6⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Gjagapbn.exe
        
        C:\Windows\system32\Gjagapbn.exe
        7⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Gmpcmkaa.exe
        
        C:\Windows\system32\Gmpcmkaa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Gpnoigpe.exe
        
        C:\Windows\system32\Gpnoigpe.exe
        9⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Hjdcfp32.exe
        
        C:\Windows\system32\Hjdcfp32.exe
        10⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Hmbpbk32.exe
        
        C:\Windows\system32\Hmbpbk32.exe
        11⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Hjfplo32.exe
        
        C:\Windows\system32\Hjfplo32.exe
        13⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Hmdlhk32.exe
        
        C:\Windows\system32\Hmdlhk32.exe
        14⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Hpchdf32.exe
        
        C:\Windows\system32\Hpchdf32.exe
        15⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Hhjqec32.exe
        
        C:\Windows\system32\Hhjqec32.exe
        16⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Hndibn32.exe
        
        C:\Windows\system32\Hndibn32.exe
        17⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Habeni32.exe
        
        C:\Windows\system32\Habeni32.exe
        18⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Hhmmkcko.exe
        
        C:\Windows\system32\Hhmmkcko.exe
        19⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Hfajlp32.exe
        
        C:\Windows\system32\Hfajlp32.exe
        20⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Hoibmmpi.exe
        
        C:\Windows\system32\Hoibmmpi.exe
        21⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Hmlbij32.exe
        
        C:\Windows\system32\Hmlbij32.exe
        22⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Ipjoee32.exe
        
        C:\Windows\system32\Ipjoee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        24⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Iokocmnf.exe
        
        C:\Windows\system32\Iokocmnf.exe
        25⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Impldi32.exe
        
        C:\Windows\system32\Impldi32.exe
        26⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Ipohpdbb.exe
        
        C:\Windows\system32\Ipohpdbb.exe
        27⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ifipmo32.exe
        
        C:\Windows\system32\Ifipmo32.exe
        28⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Idmafc32.exe
        
        C:\Windows\system32\Idmafc32.exe
        29⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Ikgicmpe.exe
        
        C:\Windows\system32\Ikgicmpe.exe
        30⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ipcakd32.exe
        
        C:\Windows\system32\Ipcakd32.exe
        31⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Idonlbff.exe
        
        C:\Windows\system32\Idonlbff.exe
        32⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Jgpfmncg.exe
        
        C:\Windows\system32\Jgpfmncg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Jmjojh32.exe
        
        C:\Windows\system32\Jmjojh32.exe
        34⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Jddggb32.exe
        
        C:\Windows\system32\Jddggb32.exe
        35⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Jknocljn.exe
        
        C:\Windows\system32\Jknocljn.exe
        36⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Jhapmphg.exe
        
        C:\Windows\system32\Jhapmphg.exe
        37⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Jolhjj32.exe
        
        C:\Windows\system32\Jolhjj32.exe
        38⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Jggmnmmo.exe
        
        C:\Windows\system32\Jggmnmmo.exe
        39⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Jondojna.exe
        
        C:\Windows\system32\Jondojna.exe
        40⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        41⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Jopaejlo.exe
        
        C:\Windows\system32\Jopaejlo.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Kaonaekb.exe
        
        C:\Windows\system32\Kaonaekb.exe
        43⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Kdmjmqjf.exe
        
        C:\Windows\system32\Kdmjmqjf.exe
        44⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Kaajfe32.exe
        
        C:\Windows\system32\Kaajfe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Kpdjbapj.exe
        
        C:\Windows\system32\Kpdjbapj.exe
        46⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Kgnbol32.exe
        
        C:\Windows\system32\Kgnbol32.exe
        47⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        48⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        49⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Khmoionj.exe
        
        C:\Windows\system32\Khmoionj.exe
        50⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Knjhae32.exe
        
        C:\Windows\system32\Knjhae32.exe
        51⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Kddpnpdn.exe
        
        C:\Windows\system32\Kddpnpdn.exe
        52⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kojdkhdd.exe
        
        C:\Windows\system32\Kojdkhdd.exe
        53⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Kahpgcch.exe
        
        C:\Windows\system32\Kahpgcch.exe
        54⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kdfmcobk.exe
        
        C:\Windows\system32\Kdfmcobk.exe
        55⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Kkqepi32.exe
        
        C:\Windows\system32\Kkqepi32.exe
        56⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Kolaqh32.exe
        
        C:\Windows\system32\Kolaqh32.exe
        57⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lpmmhpgp.exe
        
        C:\Windows\system32\Lpmmhpgp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Lggeej32.exe
        
        C:\Windows\system32\Lggeej32.exe
        59⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Ldpoinjq.exe
        
        C:\Windows\system32\Ldpoinjq.exe
        60⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Ladpcb32.exe
        
        C:\Windows\system32\Ladpcb32.exe
        61⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lqfpoope.exe
        
        C:\Windows\system32\Lqfpoope.exe
        62⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Lhnhplpg.exe
        
        C:\Windows\system32\Lhnhplpg.exe
        63⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Lgqhki32.exe
        
        C:\Windows\system32\Lgqhki32.exe
        64⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Lkldlgok.exe
        
        C:\Windows\system32\Lkldlgok.exe
        65⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Mbfmha32.exe
        
        C:\Windows\system32\Mbfmha32.exe
        66⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Mqimdomb.exe
        
        C:\Windows\system32\Mqimdomb.exe
        67⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Mojmbf32.exe
        
        C:\Windows\system32\Mojmbf32.exe
        68⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Nqdlpmce.exe
        
        C:\Windows\system32\Nqdlpmce.exe
        69⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Nkjqme32.exe
        
        C:\Windows\system32\Nkjqme32.exe
        70⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Nnimia32.exe
        
        C:\Windows\system32\Nnimia32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2856
        
        C:\Windows\SysWOW64\Ndbefkjk.exe
        
        C:\Windows\system32\Ndbefkjk.exe
        72⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ngaabfio.exe
        
        C:\Windows\system32\Ngaabfio.exe
        73⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Nohicdia.exe
        
        C:\Windows\system32\Nohicdia.exe
        74⤵
        
        PID:8024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lfelpq32.exe

Filesize
50KB

MD5
b8bc91a1ade745b005c5825ca788d212

SHA1
b0acfde2a4a207836f813108437ab6b15986a120

SHA256
6d2378dcc91380f52bc487facd676b1dd42e8450d8e2fec8f875fd4420a2815b

SHA512
12c4ba784d9323a9d470bea04abd79c2a57b4d5522445bed65f9726c7a5140635faa7374cb3b4d6f3c52679105f01d6bc976b876339851204e18a06a5ba9d081

Download Submit
C:\Windows\SysWOW64\Lfelpq32.exe

Filesize
50KB

MD5
b8bc91a1ade745b005c5825ca788d212

SHA1
b0acfde2a4a207836f813108437ab6b15986a120

SHA256
6d2378dcc91380f52bc487facd676b1dd42e8450d8e2fec8f875fd4420a2815b

SHA512
12c4ba784d9323a9d470bea04abd79c2a57b4d5522445bed65f9726c7a5140635faa7374cb3b4d6f3c52679105f01d6bc976b876339851204e18a06a5ba9d081

Download Submit
C:\Windows\SysWOW64\Lfpcdaob.exe

Filesize
50KB

MD5
23f1641442ff1bc4cdd71f02f81692de

SHA1
019adc2bb4e9b1bd6de62df86043032231c5c56f

SHA256
daeb2dd9e907c0fabd54fba03499a2a5a97d57ecdc02fdb592e3f028323fe185

SHA512
56f783411ed730dfb8d5c4bdc5e68d3c5475b541bf1f881c86e34456cea8ce37978827072cd697bf4b74ac59ed2216f98f0d0fbc1733fe184d14496cf7546dd1

Download Submit
C:\Windows\SysWOW64\Lfpcdaob.exe

Filesize
50KB

MD5
23f1641442ff1bc4cdd71f02f81692de

SHA1
019adc2bb4e9b1bd6de62df86043032231c5c56f

SHA256
daeb2dd9e907c0fabd54fba03499a2a5a97d57ecdc02fdb592e3f028323fe185

SHA512
56f783411ed730dfb8d5c4bdc5e68d3c5475b541bf1f881c86e34456cea8ce37978827072cd697bf4b74ac59ed2216f98f0d0fbc1733fe184d14496cf7546dd1

Download Submit
C:\Windows\SysWOW64\Lialfl32.exe

Filesize
50KB

MD5
73726fe5f50e9282725d538045b94d05

SHA1
3a24a469dac32342342760e459842e125669023b

SHA256
4220103f8589cb2e5652c3cb2521ad48af87393cf6e34fbccf70b3c866f8b89f

SHA512
b0f09fd769f036e218f006acced8da0af07af4f9228deed666cd0ec45287e6c41176ec9f843b6aeaae0902909ae08ebc51ff94049a661e7b63b87a642d607f71

Download Submit
C:\Windows\SysWOW64\Lialfl32.exe

Filesize
50KB

MD5
73726fe5f50e9282725d538045b94d05

SHA1
3a24a469dac32342342760e459842e125669023b

SHA256
4220103f8589cb2e5652c3cb2521ad48af87393cf6e34fbccf70b3c866f8b89f

SHA512
b0f09fd769f036e218f006acced8da0af07af4f9228deed666cd0ec45287e6c41176ec9f843b6aeaae0902909ae08ebc51ff94049a661e7b63b87a642d607f71

Download Submit
C:\Windows\SysWOW64\Lmodlkbi.exe

Filesize
50KB

MD5
f81f45bb7b2c43dfd2db43caa0b9f170

SHA1
03dac805e06eb423b28726261be3718166c5fbaf

SHA256
b6f763be12eb2418c9ccb6e86108cd4e34ed557ab0d88bc4804ccfdb50ad9851

SHA512
6f7dff88b634269862e2b719f373befa5d5341a2ac23f8912aab68f956413811e71bf4a087a5a4d0429f79cd9e0aa9c4f2ea8493fae6765f5998a717a7e7595a

Download Submit
C:\Windows\SysWOW64\Lmodlkbi.exe

Filesize
50KB

MD5
f81f45bb7b2c43dfd2db43caa0b9f170

SHA1
03dac805e06eb423b28726261be3718166c5fbaf

SHA256
b6f763be12eb2418c9ccb6e86108cd4e34ed557ab0d88bc4804ccfdb50ad9851

SHA512
6f7dff88b634269862e2b719f373befa5d5341a2ac23f8912aab68f956413811e71bf4a087a5a4d0429f79cd9e0aa9c4f2ea8493fae6765f5998a717a7e7595a

Download Submit
C:\Windows\SysWOW64\Mblmdaqq.exe

Filesize
50KB

MD5
5fd6b5e390d5a81c6e4463e62ff375a5

SHA1
d9c5245fddd6ad32fe2f4686f89ad856d3c480e5

SHA256
0d9d9cc9193301ba28a940e5f51c12ca3b9907ca79dcd13836a0f78cf2389a80

SHA512
94ed941f2d60489982cb1cc60768513760470877e38872c589a484fe81d239881b127571ab3229e15e6f380a6b2c5b0114bb6e1604e277245648fe78466e0227

Download Submit
C:\Windows\SysWOW64\Mblmdaqq.exe

Filesize
50KB

MD5
5fd6b5e390d5a81c6e4463e62ff375a5

SHA1
d9c5245fddd6ad32fe2f4686f89ad856d3c480e5

SHA256
0d9d9cc9193301ba28a940e5f51c12ca3b9907ca79dcd13836a0f78cf2389a80

SHA512
94ed941f2d60489982cb1cc60768513760470877e38872c589a484fe81d239881b127571ab3229e15e6f380a6b2c5b0114bb6e1604e277245648fe78466e0227

Download Submit
C:\Windows\SysWOW64\Melffm32.exe

Filesize
50KB

MD5
86b366cdea151f58341c5ecabf6e9a92

SHA1
6e04d6d9f533c652bd3395e5fe539d3e874258bb

SHA256
b9207c2527873de41fe0661a7e6080a45296664cecea790b9fc7a2e8cc2bdda8

SHA512
f0fcd1e044939074b8b60b87687f7cb7b94d592374d333bd95525b3abe81d2b2939be3e32520dc4793c5b0df6aefea8ab66cef0f7360a4636147fbf8988b83c0

Download Submit
C:\Windows\SysWOW64\Melffm32.exe

Filesize
50KB

MD5
86b366cdea151f58341c5ecabf6e9a92

SHA1
6e04d6d9f533c652bd3395e5fe539d3e874258bb

SHA256
b9207c2527873de41fe0661a7e6080a45296664cecea790b9fc7a2e8cc2bdda8

SHA512
f0fcd1e044939074b8b60b87687f7cb7b94d592374d333bd95525b3abe81d2b2939be3e32520dc4793c5b0df6aefea8ab66cef0f7360a4636147fbf8988b83c0

Download Submit
C:\Windows\SysWOW64\Mflbpp32.exe

Filesize
50KB

MD5
8e30d4eb1df1a5990067e88bdd1e6f7f

SHA1
6b76a17ab7b5f0f7536196ed08fd15f487f22a1f

SHA256
fbb20a45cfdac068ac22a6476e3d5691ea249746a2a6d7e775b694f46b73579b

SHA512
de198258a65dd5f73824e7718447363e14bf98528bfa97f5601aa475797a2933cf167dcd0b5d6b18e73ce16d5d58476e193dbd0fedf03fb8349f9a625a6de14b

Download Submit
C:\Windows\SysWOW64\Mflbpp32.exe

Filesize
50KB

MD5
8e30d4eb1df1a5990067e88bdd1e6f7f

SHA1
6b76a17ab7b5f0f7536196ed08fd15f487f22a1f

SHA256
fbb20a45cfdac068ac22a6476e3d5691ea249746a2a6d7e775b694f46b73579b

SHA512
de198258a65dd5f73824e7718447363e14bf98528bfa97f5601aa475797a2933cf167dcd0b5d6b18e73ce16d5d58476e193dbd0fedf03fb8349f9a625a6de14b

Download Submit
C:\Windows\SysWOW64\Mkfncgeo.exe

Filesize
50KB

MD5
829a0eb3e665ed5b9bf67a5a5b7e9332

SHA1
bfcd86c6f677c59f4d19f0eef1e0aca3c4f1b759

SHA256
d471b4c5e2da55ee3be4dcfe7beca68ad72986eec1537d0f8dd0ed5b722dfd04

SHA512
4e296bcf4a1a83d3e17e1081e68a73f816e7cd7feee1c570c6e64b4762bb49df3eefbfdec8af9eb2f5dca75c4d39cf7eaa0c9c185ebbaa206f499e9f6bbe54e2

Download Submit
C:\Windows\SysWOW64\Mkfncgeo.exe

Filesize
50KB

MD5
829a0eb3e665ed5b9bf67a5a5b7e9332

SHA1
bfcd86c6f677c59f4d19f0eef1e0aca3c4f1b759

SHA256
d471b4c5e2da55ee3be4dcfe7beca68ad72986eec1537d0f8dd0ed5b722dfd04

SHA512
4e296bcf4a1a83d3e17e1081e68a73f816e7cd7feee1c570c6e64b4762bb49df3eefbfdec8af9eb2f5dca75c4d39cf7eaa0c9c185ebbaa206f499e9f6bbe54e2

Download Submit
C:\Windows\SysWOW64\Mopmnf32.exe

Filesize
50KB

MD5
896f14f39ca034e4fa444612502f522d

SHA1
5ff884c472a48e85eb8bcfb3569df45c87950973

SHA256
7c9d093d68e0ef2eed6514e42777336e0a78c628a2f448d132eb79f1691b9025

SHA512
cee74f17be94b2e63209216679f7f5c40b7ef1d8ce497f1986be93dfb067cb87e3b02a3596dc9c4a92bf13d4e1dc0bdce5f6f19f32713cc82ecc1b7b6619446b

Download Submit
C:\Windows\SysWOW64\Mopmnf32.exe

Filesize
50KB

MD5
896f14f39ca034e4fa444612502f522d

SHA1
5ff884c472a48e85eb8bcfb3569df45c87950973

SHA256
7c9d093d68e0ef2eed6514e42777336e0a78c628a2f448d132eb79f1691b9025

SHA512
cee74f17be94b2e63209216679f7f5c40b7ef1d8ce497f1986be93dfb067cb87e3b02a3596dc9c4a92bf13d4e1dc0bdce5f6f19f32713cc82ecc1b7b6619446b

Download Submit
C:\Windows\SysWOW64\Nbjifp32.exe

Filesize
50KB

MD5
0f3f381c759077de232501213fca654d

SHA1
8bfd626da35745f6504d363a7cde50f472023caf

SHA256
fce9d302667027e5334cd3e73e8c88d69c964bb1ac0b11cf6994e30137de3f17

SHA512
8d602f9228e41989e4f31edc02cf11daba9076edffd21f6f562db2056f93073a2162fede52f42819b46059e980d9e3a2242e6c95ea9a4c5fd83a6569e7af5578

Download Submit
C:\Windows\SysWOW64\Nbjifp32.exe

Filesize
50KB

MD5
0f3f381c759077de232501213fca654d

SHA1
8bfd626da35745f6504d363a7cde50f472023caf

SHA256
fce9d302667027e5334cd3e73e8c88d69c964bb1ac0b11cf6994e30137de3f17

SHA512
8d602f9228e41989e4f31edc02cf11daba9076edffd21f6f562db2056f93073a2162fede52f42819b46059e980d9e3a2242e6c95ea9a4c5fd83a6569e7af5578

Download Submit
C:\Windows\SysWOW64\Nblfkobn.exe

Filesize
50KB

MD5
d01571de4eb20b46b28e39e0d9a89550

SHA1
a573c1a3f07bd25a55fa1a938b8fb01dd3b77858

SHA256
f18d4986dccb78804338420e55b90d329b5e9183049d34728ad34c6fbdfc4aaf

SHA512
213df7199399a989415b831b03665ef8f92ee85f76e70c8fb416379e0105bb7b19a1fec6020f757aa683d021e621a9390d7f7105f7102bd2a6b4511ab5587f51

Download Submit
C:\Windows\SysWOW64\Nblfkobn.exe

Filesize
50KB

MD5
d01571de4eb20b46b28e39e0d9a89550

SHA1
a573c1a3f07bd25a55fa1a938b8fb01dd3b77858

SHA256
f18d4986dccb78804338420e55b90d329b5e9183049d34728ad34c6fbdfc4aaf

SHA512
213df7199399a989415b831b03665ef8f92ee85f76e70c8fb416379e0105bb7b19a1fec6020f757aa683d021e621a9390d7f7105f7102bd2a6b4511ab5587f51

Download Submit
C:\Windows\SysWOW64\Neokbj32.exe

Filesize
50KB

MD5
a791e56d4c1e06424281240c2ff08281

SHA1
9d1fd6c54e0a7b327a17902a9b306c1b8e2968f5

SHA256
2410cf3bfd36dbe314ac4536550cf1669cb3e8a7bd41c15786e441c65f52393e

SHA512
eab4a0f961dce3e57873f9baa615ad9d97003724f66d249ddc21c79e6f61999bbfdb0d6e473691ada0aafb80e29844511d97c914f2767d2b508a84c82c19c219

Download Submit
C:\Windows\SysWOW64\Neokbj32.exe

Filesize
50KB

MD5
a791e56d4c1e06424281240c2ff08281

SHA1
9d1fd6c54e0a7b327a17902a9b306c1b8e2968f5

SHA256
2410cf3bfd36dbe314ac4536550cf1669cb3e8a7bd41c15786e441c65f52393e

SHA512
eab4a0f961dce3e57873f9baa615ad9d97003724f66d249ddc21c79e6f61999bbfdb0d6e473691ada0aafb80e29844511d97c914f2767d2b508a84c82c19c219

Download Submit
C:\Windows\SysWOW64\Nfjoan32.exe

Filesize
50KB

MD5
370126b4d817ff3d006e753653a974f1

SHA1
6d6f59c5482dfa47b0e6ed923417de7836cb91fb

SHA256
30c0e3eb92a2cca40894487a318cad20fd482b454778b3a4af9201c51aa8f621

SHA512
d70e67d9f597a733418307a2ff3ef43042fec8dd96c822d1e0a94bf6942465c5fd71202084140b9e6ee2b873432d3735faabac279d1af0d6893c1b7253ca3eb5

Download Submit
C:\Windows\SysWOW64\Nfjoan32.exe

Filesize
50KB

MD5
370126b4d817ff3d006e753653a974f1

SHA1
6d6f59c5482dfa47b0e6ed923417de7836cb91fb

SHA256
30c0e3eb92a2cca40894487a318cad20fd482b454778b3a4af9201c51aa8f621

SHA512
d70e67d9f597a733418307a2ff3ef43042fec8dd96c822d1e0a94bf6942465c5fd71202084140b9e6ee2b873432d3735faabac279d1af0d6893c1b7253ca3eb5

Download Submit
C:\Windows\SysWOW64\Nlpaiemd.exe

Filesize
50KB

MD5
b07e9496a96aac29cbf000e32a797e51

SHA1
0d554914e244fb658e33fe7718b6e674d17a1107

SHA256
a6a67263fe7011650573002c0a176998f563f6f1570ebe6015a791aed5b49c85

SHA512
289144a0a06afaf21753c5395a2a6a7042673f122ce5c379b06c8e19b0e9d9a6d6d2b342a8aa4f298093a01ce0f369a45f9e4b3271e60bbf875f22212b59137c

Download Submit
C:\Windows\SysWOW64\Nlpaiemd.exe

Filesize
50KB

MD5
b07e9496a96aac29cbf000e32a797e51

SHA1
0d554914e244fb658e33fe7718b6e674d17a1107

SHA256
a6a67263fe7011650573002c0a176998f563f6f1570ebe6015a791aed5b49c85

SHA512
289144a0a06afaf21753c5395a2a6a7042673f122ce5c379b06c8e19b0e9d9a6d6d2b342a8aa4f298093a01ce0f369a45f9e4b3271e60bbf875f22212b59137c

Download Submit
C:\Windows\SysWOW64\Nmajihbd.exe

Filesize
50KB

MD5
615c3b75d688b7d4c86ccbc924865f2f

SHA1
05664e42e37d237c79cd7819f8d703edf3b12075

SHA256
a3dba072dfdeac7488576ee320b5019eba16c26da949e533cce65bf66e2224c4

SHA512
ffc87194cc75f8b8457536216e987b044660d2672d89a902fe64fa1403ad4a213cd0748fb32479701a36297def60fa86aed6d46f36b905f714bc1842ccb7cf7f

Download Submit
C:\Windows\SysWOW64\Nmajihbd.exe

Filesize
50KB

MD5
615c3b75d688b7d4c86ccbc924865f2f

SHA1
05664e42e37d237c79cd7819f8d703edf3b12075

SHA256
a3dba072dfdeac7488576ee320b5019eba16c26da949e533cce65bf66e2224c4

SHA512
ffc87194cc75f8b8457536216e987b044660d2672d89a902fe64fa1403ad4a213cd0748fb32479701a36297def60fa86aed6d46f36b905f714bc1842ccb7cf7f

Download Submit
C:\Windows\SysWOW64\Nmjdhi32.exe

Filesize
50KB

MD5
7d82e85450134c31f368abefea982751

SHA1
3781042586098ae5f30b1f0feebdeb6e57b04554

SHA256
9b87cd0e32adb835d702733b59b321b2a50b5fe5eb56835e6e19e19c10dbaa6b

SHA512
0130961b88ceb895b7620593c32da31237aa3841aab1ff3e1095515f8ba660ccd425166a812a000ad165a22d411a358c17f7be462c059461f036539fc5e71c72

Download Submit
C:\Windows\SysWOW64\Nmjdhi32.exe

Filesize
50KB

MD5
7d82e85450134c31f368abefea982751

SHA1
3781042586098ae5f30b1f0feebdeb6e57b04554

SHA256
9b87cd0e32adb835d702733b59b321b2a50b5fe5eb56835e6e19e19c10dbaa6b

SHA512
0130961b88ceb895b7620593c32da31237aa3841aab1ff3e1095515f8ba660ccd425166a812a000ad165a22d411a358c17f7be462c059461f036539fc5e71c72

Download Submit
C:\Windows\SysWOW64\Nmomchdg.exe

Filesize
50KB

MD5
916948a92c8df06fc02e5a247f20f496

SHA1
212eed12667b5b533eeed7ca7178a6acabc84e8d

SHA256
c1c077902c78a1a14d62fd50c1e1d824d156b0ab55a25c3c645f17f63e22c42f

SHA512
76f1fc1f6266a43fff3a24a6c7763d547e36dbb204e407efa464ddd334e05a0e2ac3a73de372db8c0fd20cfdca2b88e0c02afa37b35cff0e1dd9000794a802de

Download Submit
C:\Windows\SysWOW64\Nmomchdg.exe

Filesize
50KB

MD5
916948a92c8df06fc02e5a247f20f496

SHA1
212eed12667b5b533eeed7ca7178a6acabc84e8d

SHA256
c1c077902c78a1a14d62fd50c1e1d824d156b0ab55a25c3c645f17f63e22c42f

SHA512
76f1fc1f6266a43fff3a24a6c7763d547e36dbb204e407efa464ddd334e05a0e2ac3a73de372db8c0fd20cfdca2b88e0c02afa37b35cff0e1dd9000794a802de

Download Submit
C:\Windows\SysWOW64\Nnlqpanj.exe

Filesize
50KB

MD5
9a3b077ec9a9c62f8b01cb5fd58e322c

SHA1
ec6a6a94d8bec48f5dfb054f966c11b4b9db7025

SHA256
f3298bc486f5cf1d23283c3206bf7b82125aba4d21064c75000a86dce4818d22

SHA512
d40a49799ebbd56e86dd3d43b85b76fe757ef96504b9613f7940b7671d6890de4e93a711da9de8d4f2caa0a5f5c5ed0a9ea91d6e9220ca2a02123671139d6417

Download Submit
C:\Windows\SysWOW64\Nnlqpanj.exe

Filesize
50KB

MD5
9a3b077ec9a9c62f8b01cb5fd58e322c

SHA1
ec6a6a94d8bec48f5dfb054f966c11b4b9db7025

SHA256
f3298bc486f5cf1d23283c3206bf7b82125aba4d21064c75000a86dce4818d22

SHA512
d40a49799ebbd56e86dd3d43b85b76fe757ef96504b9613f7940b7671d6890de4e93a711da9de8d4f2caa0a5f5c5ed0a9ea91d6e9220ca2a02123671139d6417

Download Submit
C:\Windows\SysWOW64\Npbcjc32.exe

Filesize
50KB

MD5
096c845f3989eb51aa8e554d63430799

SHA1
6b66f8baa74371dc4de4edd4446f047459c0c7c1

SHA256
a96660a79c092406a70d5f8befa0ee892211123aec5f47b0c49c04a2214ff4d5

SHA512
bbe9ea5858bcf75ca55c1aa9cfec8641d77e85cd15cf7fd26aadd3c147a58444104e0283cf1e7b7a5cf6d50115acc046bdc9b569bbd379636557fb3f36499d8a

Download Submit
C:\Windows\SysWOW64\Npbcjc32.exe

Filesize
50KB

MD5
096c845f3989eb51aa8e554d63430799

SHA1
6b66f8baa74371dc4de4edd4446f047459c0c7c1

SHA256
a96660a79c092406a70d5f8befa0ee892211123aec5f47b0c49c04a2214ff4d5

SHA512
bbe9ea5858bcf75ca55c1aa9cfec8641d77e85cd15cf7fd26aadd3c147a58444104e0283cf1e7b7a5cf6d50115acc046bdc9b569bbd379636557fb3f36499d8a

Download Submit
C:\Windows\SysWOW64\Oedeniig.exe

Filesize
50KB

MD5
b1be3c722ddc6b2bec04a6e57b59ad7b

SHA1
2bd1d18ff8cc0bdc92552b71c651e07c1096d57a

SHA256
9d98b034974b7b4fac429c2188902338e2fa3a9e306f027fed107caa38dfa1d5

SHA512
5b1d83b60566bf8d1318ebe0c5ab0f725003eafd56a14cd96bd287dbd7b4d16ac079809c56b6c8f34b720b8a8c4493e5d2a6bea1052eb7b57fdaf9c2b8b2777e

Download Submit
C:\Windows\SysWOW64\Oedeniig.exe

Filesize
50KB

MD5
b1be3c722ddc6b2bec04a6e57b59ad7b

SHA1
2bd1d18ff8cc0bdc92552b71c651e07c1096d57a

SHA256
9d98b034974b7b4fac429c2188902338e2fa3a9e306f027fed107caa38dfa1d5

SHA512
5b1d83b60566bf8d1318ebe0c5ab0f725003eafd56a14cd96bd287dbd7b4d16ac079809c56b6c8f34b720b8a8c4493e5d2a6bea1052eb7b57fdaf9c2b8b2777e

Download Submit
C:\Windows\SysWOW64\Oimdihdc.exe

Filesize
50KB

MD5
26647d6c44a13d7b34a01935be299416

SHA1
821583a0cb7482bfd14aef457714420fa4e93c6f

SHA256
a772302109c5db7418f4ebbb2a5b6d9886947e7375fd0eae700944047213988b

SHA512
b7692abac1b61c74bfa03e0ac94830f2ec42dd289ea4fa000928a84def65eaa08878d36be1ed538e48e26557466dd7d3a80bbca8d37df03f365ae86f2ed76660

Download Submit
C:\Windows\SysWOW64\Oimdihdc.exe

Filesize
50KB

MD5
26647d6c44a13d7b34a01935be299416

SHA1
821583a0cb7482bfd14aef457714420fa4e93c6f

SHA256
a772302109c5db7418f4ebbb2a5b6d9886947e7375fd0eae700944047213988b

SHA512
b7692abac1b61c74bfa03e0ac94830f2ec42dd289ea4fa000928a84def65eaa08878d36be1ed538e48e26557466dd7d3a80bbca8d37df03f365ae86f2ed76660

Download Submit
C:\Windows\SysWOW64\Ommjdfhg.exe

Filesize
50KB

MD5
feeb33807e5d525fe6987b8053c9eae9

SHA1
a46803caf81984fb8d6e2e3c962da32179ff5900

SHA256
4b751bf899e6ac022bfd53175f43be107319f8494b17674cf866602829c918d8

SHA512
823e47d0467b62cfc6b702ce9b2c3e8c772ac6ac5946519716b904a3b20bb186426fcd04df9b70754e03a40067d462ef0c00126b77344938ad0518aee5fe056d

Download Submit
C:\Windows\SysWOW64\Ommjdfhg.exe

Filesize
50KB

MD5
feeb33807e5d525fe6987b8053c9eae9

SHA1
a46803caf81984fb8d6e2e3c962da32179ff5900

SHA256
4b751bf899e6ac022bfd53175f43be107319f8494b17674cf866602829c918d8

SHA512
823e47d0467b62cfc6b702ce9b2c3e8c772ac6ac5946519716b904a3b20bb186426fcd04df9b70754e03a40067d462ef0c00126b77344938ad0518aee5fe056d

Download Submit
C:\Windows\SysWOW64\Ompfjf32.exe

Filesize
50KB

MD5
873f70fc0eb18d63f981bc0088c822c2

SHA1
943ebd5c232a39a2da5a520e1d61b7d4141729da

SHA256
98cdf7d663ce61d67b923e55da2e5bf0d6ab7dd7dfc8df42b972b6622b2dea3e

SHA512
b251b72126c7ab2ed26cfd681dcece58a3e70a4aa806cd3fc0d9c62edc30b46eb29bb3c36486b6ffce78f79bb017794ecc38b5d7221873fdc3d0d228fe11901b

Download Submit
C:\Windows\SysWOW64\Ompfjf32.exe

Filesize
50KB

MD5
873f70fc0eb18d63f981bc0088c822c2

SHA1
943ebd5c232a39a2da5a520e1d61b7d4141729da

SHA256
98cdf7d663ce61d67b923e55da2e5bf0d6ab7dd7dfc8df42b972b6622b2dea3e

SHA512
b251b72126c7ab2ed26cfd681dcece58a3e70a4aa806cd3fc0d9c62edc30b46eb29bb3c36486b6ffce78f79bb017794ecc38b5d7221873fdc3d0d228fe11901b

Download Submit
C:\Windows\SysWOW64\Ongpkpdm.exe

Filesize
50KB

MD5
62f70887f1ada942802c957afb4b3e15

SHA1
bfad0b1cf71baea641df7c919f68204830a22420

SHA256
41bfa1f76ad237fdde0da057ad58eb21896904433dbe1ab30e6fe0ba858f362d

SHA512
023467985ca213fc52686f361236e424f4be05cb2af0ec3cad9243e1d8283c4e28be7c253433b3b0cd6112824f75820c27c041eed00a66deae32eb6a166c56bb

Download Submit
C:\Windows\SysWOW64\Ongpkpdm.exe

Filesize
50KB

MD5
62f70887f1ada942802c957afb4b3e15

SHA1
bfad0b1cf71baea641df7c919f68204830a22420

SHA256
41bfa1f76ad237fdde0da057ad58eb21896904433dbe1ab30e6fe0ba858f362d

SHA512
023467985ca213fc52686f361236e424f4be05cb2af0ec3cad9243e1d8283c4e28be7c253433b3b0cd6112824f75820c27c041eed00a66deae32eb6a166c56bb

Download Submit
C:\Windows\SysWOW64\Onjmao32.exe

Filesize
50KB

MD5
a6afb38fddd4ceb0ed8dc7e8eb5dc94c

SHA1
d7a19a75facc96cd9e79da4fcad2b69cafb11e97

SHA256
8528a7b0450c6033137ab87f25208089be1262aeca8d631934ca4438152cb1ab

SHA512
c1057b2273c16d4e261e5fc328321c6e8f6179c4264f69ccd2f5d0d7a23af566f7725e7e44183181933a3b7ef69d60abcb41777c3dc82bfd5f2e6269610b23c9

Download Submit
C:\Windows\SysWOW64\Onjmao32.exe

Filesize
50KB

MD5
a6afb38fddd4ceb0ed8dc7e8eb5dc94c

SHA1
d7a19a75facc96cd9e79da4fcad2b69cafb11e97

SHA256
8528a7b0450c6033137ab87f25208089be1262aeca8d631934ca4438152cb1ab

SHA512
c1057b2273c16d4e261e5fc328321c6e8f6179c4264f69ccd2f5d0d7a23af566f7725e7e44183181933a3b7ef69d60abcb41777c3dc82bfd5f2e6269610b23c9

Download Submit
C:\Windows\SysWOW64\Opiikbim.exe

Filesize
50KB

MD5
747152af0e4e9550e8a06150d34fe9f2

SHA1
664cf4829b15d6c30e83cb3fa60915a536bd6c78

SHA256
d762a0c64505dcebe4b61b389e1a51ca8d838532d1158373db55a6ae46c55dbb

SHA512
ba6e05f2486e6de72739e768ae8b86acf3ca24bb1968f7cbbd5f10cf6c706c156b4ab312b9f38195b6743c0eb57dc468685f692680742bfa62fc8179cfd1870c

Download Submit
C:\Windows\SysWOW64\Opiikbim.exe

Filesize
50KB

MD5
747152af0e4e9550e8a06150d34fe9f2

SHA1
664cf4829b15d6c30e83cb3fa60915a536bd6c78

SHA256
d762a0c64505dcebe4b61b389e1a51ca8d838532d1158373db55a6ae46c55dbb

SHA512
ba6e05f2486e6de72739e768ae8b86acf3ca24bb1968f7cbbd5f10cf6c706c156b4ab312b9f38195b6743c0eb57dc468685f692680742bfa62fc8179cfd1870c

Download Submit
C:\Windows\SysWOW64\Pepdihoj.exe

Filesize
50KB

MD5
62198a304d33b651e85618d447ac2a60

SHA1
bf9838fe873199dc49781431a35b841d90aeb1b0

SHA256
2ad0252124bdee59b75bd7b71ae5234e679bb7769642ad752892fe1efb3c1ebc

SHA512
bf47f8299ec79e589a649c3a89b41a3ba11116521976c8843e8eb4f04b5ab30dbdcb70686864dc09878ff094e40a0201896d192de65783110031526ede934d98

Download Submit
C:\Windows\SysWOW64\Pepdihoj.exe

Filesize
50KB

MD5
62198a304d33b651e85618d447ac2a60

SHA1
bf9838fe873199dc49781431a35b841d90aeb1b0

SHA256
2ad0252124bdee59b75bd7b71ae5234e679bb7769642ad752892fe1efb3c1ebc

SHA512
bf47f8299ec79e589a649c3a89b41a3ba11116521976c8843e8eb4f04b5ab30dbdcb70686864dc09878ff094e40a0201896d192de65783110031526ede934d98

Download Submit
C:\Windows\SysWOW64\Pfoackfl.exe

Filesize
50KB

MD5
f6b16d7cc74a49993cdb0e8a3b20451a

SHA1
b8a19d2f97b63271d1f8ce12d811cf41a9705ae6

SHA256
ecd53c9393526a706c8376ae1a618741732ac5d3eef6783eedfdf5c6d3311c3a

SHA512
491a66322c383d817ba5314037bd05d8fd0b5221d56d8b337a44f842ac442bbd9115ac9c98faec4632a8c81c3eb34900680e7fe1389961f7be41cd977514e6a6

Download Submit
C:\Windows\SysWOW64\Pfoackfl.exe

Filesize
50KB

MD5
f6b16d7cc74a49993cdb0e8a3b20451a

SHA1
b8a19d2f97b63271d1f8ce12d811cf41a9705ae6

SHA256
ecd53c9393526a706c8376ae1a618741732ac5d3eef6783eedfdf5c6d3311c3a

SHA512
491a66322c383d817ba5314037bd05d8fd0b5221d56d8b337a44f842ac442bbd9115ac9c98faec4632a8c81c3eb34900680e7fe1389961f7be41cd977514e6a6

Download Submit
C:\Windows\SysWOW64\Pifgoglh.exe

Filesize
50KB

MD5
e81319222b690f4414b0d922960492c3

SHA1
fec589360ad7c78fc7e50cac5bb336ee70f7183e

SHA256
764b8a02eddfe24e04b847ab88be610eb789a02eaf03c97a5f152251ab81b0fd

SHA512
7e773a6a5a7e75a593532511be0e2e7c8fff51c50f155675cfd0fcfcbd046836401b41f75839e78572b5dd7318fe0859b16271c92a8501acce8cbb8dde569a7d

Download Submit
C:\Windows\SysWOW64\Pifgoglh.exe

Filesize
50KB

MD5
e81319222b690f4414b0d922960492c3

SHA1
fec589360ad7c78fc7e50cac5bb336ee70f7183e

SHA256
764b8a02eddfe24e04b847ab88be610eb789a02eaf03c97a5f152251ab81b0fd

SHA512
7e773a6a5a7e75a593532511be0e2e7c8fff51c50f155675cfd0fcfcbd046836401b41f75839e78572b5dd7318fe0859b16271c92a8501acce8cbb8dde569a7d

Download Submit
C:\Windows\SysWOW64\Plimfb32.exe

Filesize
50KB

MD5
64739a54ee075daebce9432e8de31916

SHA1
204125155541504bd39fc01cbd49f0dcc82579c7

SHA256
f43bd559a14b5367a668dcfa65433098572fa349df24ecb2d0493a8544cd61fd

SHA512
5949f3ebaf91b1f6937580ce0fc31100b12e74fa68cc41f69530fef5717e2fc2c7c4bb35d4309cbb46a594d718d2dd92652aeaf3944b9a2e21962ed1beafebcd

Download Submit
C:\Windows\SysWOW64\Plimfb32.exe

Filesize
50KB

MD5
64739a54ee075daebce9432e8de31916

SHA1
204125155541504bd39fc01cbd49f0dcc82579c7

SHA256
f43bd559a14b5367a668dcfa65433098572fa349df24ecb2d0493a8544cd61fd

SHA512
5949f3ebaf91b1f6937580ce0fc31100b12e74fa68cc41f69530fef5717e2fc2c7c4bb35d4309cbb46a594d718d2dd92652aeaf3944b9a2e21962ed1beafebcd

Download Submit
C:\Windows\SysWOW64\Pllilaed.exe

Filesize
50KB

MD5
feebffa11fb4b872ca447eb11d8290cf

SHA1
9813ca93f183f7ecb2cd26c6fa77d9fe26c62f80

SHA256
f38e69203fc69748a6bc2d8f518403e60cd3812b20c388d9d2018a95b3242f4f

SHA512
933c2d8bc3a2307f88ff760725abd3a5bdba6d4cd5e99d6fe9efeded820e3c916d1eee790667ee19eb49a6e86026d5de996a03db55a89b38c4c69135539918d8

Download Submit
C:\Windows\SysWOW64\Pllilaed.exe

Filesize
50KB

MD5
feebffa11fb4b872ca447eb11d8290cf

SHA1
9813ca93f183f7ecb2cd26c6fa77d9fe26c62f80

SHA256
f38e69203fc69748a6bc2d8f518403e60cd3812b20c388d9d2018a95b3242f4f

SHA512
933c2d8bc3a2307f88ff760725abd3a5bdba6d4cd5e99d6fe9efeded820e3c916d1eee790667ee19eb49a6e86026d5de996a03db55a89b38c4c69135539918d8

Download Submit
C:\Windows\SysWOW64\Ppblaaab.exe

Filesize
50KB

MD5
c95af1ecf6f8ab11f0b002ec12383637

SHA1
e3015298867eb86bd815df96694d27d18a0f603b

SHA256
7f0a6945ba331607091d47bf4e5928115abfd5c0687c112be30d906d91d69ad3

SHA512
72cc5842b18e7068b55d799c77b85db83bc5fa66c15757e2b169eb7a0ed7d31e0785c396e31060df328ead2bf3213b8afcb43249a847390512f399fd48e4cfe9

Download Submit
C:\Windows\SysWOW64\Ppblaaab.exe

Filesize
50KB

MD5
c95af1ecf6f8ab11f0b002ec12383637

SHA1
e3015298867eb86bd815df96694d27d18a0f603b

SHA256
7f0a6945ba331607091d47bf4e5928115abfd5c0687c112be30d906d91d69ad3

SHA512
72cc5842b18e7068b55d799c77b85db83bc5fa66c15757e2b169eb7a0ed7d31e0785c396e31060df328ead2bf3213b8afcb43249a847390512f399fd48e4cfe9

Download Submit
memory/204-192-0x0000000000000000-mapping.dmp

Download
memory/204-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/444-254-0x0000000000000000-mapping.dmp

Download
memory/444-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-174-0x0000000000000000-mapping.dmp

Download
memory/740-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/740-258-0x0000000000000000-mapping.dmp

Download
memory/880-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/880-279-0x0000000000000000-mapping.dmp

Download
memory/1088-269-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1088-237-0x0000000000000000-mapping.dmp

Download
memory/1172-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1172-286-0x0000000000000000-mapping.dmp

Download
memory/1372-303-0x0000000000000000-mapping.dmp

Download
memory/1372-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-177-0x0000000000000000-mapping.dmp

Download
memory/1376-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1388-189-0x0000000000000000-mapping.dmp

Download
memory/1388-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1404-292-0x0000000000000000-mapping.dmp

Download
memory/1404-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-282-0x0000000000000000-mapping.dmp

Download
memory/1548-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1548-296-0x0000000000000000-mapping.dmp

Download
memory/1552-299-0x0000000000000000-mapping.dmp

Download
memory/1552-319-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-261-0x0000000000000000-mapping.dmp

Download
memory/1768-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-297-0x0000000000000000-mapping.dmp

Download
memory/2200-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2208-301-0x0000000000000000-mapping.dmp

Download
memory/2208-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2212-277-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2212-253-0x0000000000000000-mapping.dmp

Download
memory/2248-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2248-246-0x0000000000000000-mapping.dmp

Download
memory/2260-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2260-249-0x0000000000000000-mapping.dmp

Download
memory/2308-151-0x0000000000000000-mapping.dmp

Download
memory/2308-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2460-275-0x0000000000000000-mapping.dmp

Download
memory/2460-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2600-287-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2600-260-0x0000000000000000-mapping.dmp

Download
memory/2616-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2616-252-0x0000000000000000-mapping.dmp

Download
memory/2636-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2636-186-0x0000000000000000-mapping.dmp

Download
memory/2652-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2652-204-0x0000000000000000-mapping.dmp

Download
memory/2808-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2808-180-0x0000000000000000-mapping.dmp

Download
memory/2828-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2828-302-0x0000000000000000-mapping.dmp

Download
memory/3192-298-0x0000000000000000-mapping.dmp

Download
memory/3192-318-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3224-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3224-257-0x0000000000000000-mapping.dmp

Download
memory/3360-133-0x0000000000000000-mapping.dmp

Download
memory/3360-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3364-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3364-198-0x0000000000000000-mapping.dmp

Download
memory/3672-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3672-207-0x0000000000000000-mapping.dmp

Download
memory/3708-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3708-217-0x0000000000000000-mapping.dmp

Download
memory/3712-295-0x0000000000000000-mapping.dmp

Download
memory/3712-315-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3740-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3740-272-0x0000000000000000-mapping.dmp

Download
memory/3756-255-0x0000000000000000-mapping.dmp

Download
memory/3756-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3912-243-0x0000000000000000-mapping.dmp

Download
memory/3912-271-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3980-183-0x0000000000000000-mapping.dmp

Download
memory/3980-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4028-262-0x0000000000000000-mapping.dmp

Download
memory/4028-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4048-240-0x0000000000000000-mapping.dmp

Download
memory/4048-270-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4152-304-0x0000000000000000-mapping.dmp

Download
memory/4228-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4228-226-0x0000000000000000-mapping.dmp

Download
memory/4268-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4268-171-0x0000000000000000-mapping.dmp

Download
memory/4300-293-0x0000000000000000-mapping.dmp

Download
memory/4300-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4344-300-0x0000000000000000-mapping.dmp

Download
memory/4344-320-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4460-281-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4460-256-0x0000000000000000-mapping.dmp

Download
memory/4476-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4476-154-0x0000000000000000-mapping.dmp

Download
memory/4624-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4624-136-0x0000000000000000-mapping.dmp

Download
memory/4672-165-0x0000000000000000-mapping.dmp

Download
memory/4672-210-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4688-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4688-148-0x0000000000000000-mapping.dmp

Download
memory/4788-142-0x0000000000000000-mapping.dmp

Download
memory/4788-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4796-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4796-265-0x0000000000000000-mapping.dmp

Download
memory/4808-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4808-145-0x0000000000000000-mapping.dmp

Download
memory/4840-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4840-139-0x0000000000000000-mapping.dmp

Download
memory/4880-263-0x0000000000000000-mapping.dmp

Download
memory/4880-290-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4892-195-0x0000000000000000-mapping.dmp

Download
memory/4892-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4908-213-0x0000000000000000-mapping.dmp

Download
memory/4908-264-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4928-168-0x0000000000000000-mapping.dmp

Download
memory/4928-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4940-285-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4940-259-0x0000000000000000-mapping.dmp

Download
memory/4964-233-0x0000000000000000-mapping.dmp

Download
memory/4964-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5052-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5052-201-0x0000000000000000-mapping.dmp

Download
memory/5084-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-294-0x0000000000000000-mapping.dmp

Download
memory/5104-291-0x0000000000000000-mapping.dmp

Download
memory/5104-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download