9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7

Analysis

max time kernel
146s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe
Size

50KB
MD5

b1c5e4d0db32fda52d42d3af3dc87440
SHA1

70d26345090880f94432d1948a7f2c5fff30068d
SHA256

9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7
SHA512

848ff40befa9a0619ca0a77a3f315bbb38dc0045ce1bd34463b03e3501e50b538e64cf8690cf4fb7ff560d14a8d9d6ab904ca61bcd9b665f2c36b3e832005114
SSDEEP

768:8BDoXYZFTiz0LhSNtYewXrP299FbNyCYu4v9Kmzvr6WZC88R/1H5V:YDoXYZRMtYB299FhyCkvf4b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Gkfgml32.exeNplijg32.exeLfnpao32.exeQaknapag.exeLnabqf32.exeApgbql32.exeEhlofoca.exeBkaaji32.exeNgngdp32.exeNbegiaio.exeAbhiibgm.exeHkndja32.exeKjnmfo32.exeKoiecaqb.exeFalnad32.exeKjinonhk.exeAehbkndn.exeCoolkl32.exeAfdldg32.exeInljjk32.exeAkabdi32.exeBhokbnqf.exeEmccgbfk.exeKmjfqi32.exeAamfko32.exeNkpmihmd.exePlilnj32.exeIifpgi32.exeMbccfphn.exeCabnkngn.exeCplehihq.exeOkooihne.exeDoacdj32.exeDhldcp32.exeMihjelgc.exeAldobnnf.exePdphcaoq.exeNopgec32.exeMjabemaq.exeQmmelbka.exeLbcdqphp.exeLcqkoj32.exeFjlofkce.exeLmhiaifl.exePbfgpf32.exePfdpedqg.exeAabjaaip.exeEdeamp32.exeKmcalo32.exeImgpbkkp.exeOaajkm32.exeCmlbmdqd.exeNeoipm32.exeCjmpjcll.exeFfbidf32.exeEmepmbdh.exeJoifna32.exeKfbkiokl.exeKhmpngma.exeBdlhdp32.exeFgamco32.exeQgioneod.exeAlkdgiac.exePpnbnjff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkfgml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplijg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfnpao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaknapag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnabqf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgbql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlofoca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngngdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbegiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abhiibgm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkndja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjnmfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koiecaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Falnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjinonhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehbkndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coolkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdldg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabdi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhokbnqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emccgbfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjfqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aamfko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpmihmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plilnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifpgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbccfphn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabnkngn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplehihq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okooihne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doacdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhldcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mihjelgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aldobnnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdphcaoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjabemaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmelbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcdqphp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcqkoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlofkce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmhiaifl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbfgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdpedqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabjaaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edeamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmcalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgpbkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaajkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlbmdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neoipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmpjcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbidf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emepmbdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joifna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfbkiokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khmpngma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlhdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgamco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgioneod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alkdgiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnbnjff.exe

Executes dropped EXE 64 IoCs

Processes:

Ildghc32.exeJaclej32.exeJlipcb32.exeJafhkiom.exeJhpahc32.exeJdfamdln.exeJicjekje.exeJdinbd32.exeKiegkk32.exeKcnkcqoc.exeKpblme32.exeKlilbfca.exeKeaakk32.exeKoiecaqb.exeKkpfhbff.exeLkbbnadc.exeLhfcgf32.exeLbohpkjn.exeLdmdlgia.exeLmhiaifl.exeLgnmnb32.exeLnheklmo.exeLqfagglc.exeLfcjonkj.exeLiafkjjn.exeMcgjib32.exeMjabemaq.exeMcignb32.exeMifpfi32.exeMbaqen32.exeMikiahac.exeMjleiq32.exeMbcmjn32.exeNgpfbefk.exeNnjnoo32.exeNahjkj32.exeNgbbhddh.exeNnlkeo32.exeNakgaj32.exeNgeond32.exeNiflelhd.exeNclpbehj.exeNjehpo32.exeNlgdggee.exeNeoipm32.exeOfoejp32.exeOojjnb32.exeOjqkcc32.exeOefoql32.exeOmaden32.exeOdklahje.exeOaomkm32.exePaaiql32.exePmhjem32.exePiokknbe.exePgckdbao.exePonphe32.exePoqmnd32.exeQlemgi32.exeQemapn32.exeApgbql32.exeAklgne32.exeAkoccdlc.exeAnmpppkg.exe

pid	process
240	Ildghc32.exe
940	Jaclej32.exe
1340	Jlipcb32.exe
1232	Jafhkiom.exe
1704	Jhpahc32.exe
1920	Jdfamdln.exe
1756	Jicjekje.exe
468	Jdinbd32.exe
1072	Kiegkk32.exe
272	Kcnkcqoc.exe
820	Kpblme32.exe
1780	Klilbfca.exe
828	Keaakk32.exe
108	Koiecaqb.exe
568	Kkpfhbff.exe
1120	Lkbbnadc.exe
1356	Lhfcgf32.exe
1492	Lbohpkjn.exe
540	Ldmdlgia.exe
952	Lmhiaifl.exe
836	Lgnmnb32.exe
948	Lnheklmo.exe
1724	Lqfagglc.exe
1696	Lfcjonkj.exe
1992	Liafkjjn.exe
1360	Mcgjib32.exe
608	Mjabemaq.exe
1304	Mcignb32.exe
1716	Mifpfi32.exe
2036	Mbaqen32.exe
1912	Mikiahac.exe
1172	Mjleiq32.exe
1012	Mbcmjn32.exe
268	Ngpfbefk.exe
652	Nnjnoo32.exe
1504	Nahjkj32.exe
1564	Ngbbhddh.exe
1412	Nnlkeo32.exe
1460	Nakgaj32.exe
1644	Ngeond32.exe
296	Niflelhd.exe
1168	Nclpbehj.exe
556	Njehpo32.exe
1744	Nlgdggee.exe
1956	Neoipm32.exe
1636	Ofoejp32.exe
1640	Oojjnb32.exe
1676	Ojqkcc32.exe
1028	Oefoql32.exe
1616	Omaden32.exe
1584	Odklahje.exe
996	Oaomkm32.exe
520	Paaiql32.exe
1864	Pmhjem32.exe
1892	Piokknbe.exe
920	Pgckdbao.exe
1480	Ponphe32.exe
1612	Poqmnd32.exe
1988	Qlemgi32.exe
2028	Qemapn32.exe
1084	Apgbql32.exe
1176	Aklgne32.exe
1180	Akoccdlc.exe
2012	Anmpppkg.exe

Loads dropped DLL 64 IoCs

Processes:

9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exeIldghc32.exeJaclej32.exeJlipcb32.exeJafhkiom.exeJhpahc32.exeJdfamdln.exeJicjekje.exeJdinbd32.exeKiegkk32.exeKcnkcqoc.exeKpblme32.exeKlilbfca.exeKeaakk32.exeKoiecaqb.exeKkpfhbff.exeLkbbnadc.exeLhfcgf32.exeLbohpkjn.exeLdmdlgia.exeLmhiaifl.exeLgnmnb32.exeLnheklmo.exeLqfagglc.exeLfcjonkj.exeLiafkjjn.exeMcgjib32.exeMjabemaq.exeMcignb32.exeMifpfi32.exeMbaqen32.exeMikiahac.exe

pid	process
1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe
1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe
240	Ildghc32.exe
240	Ildghc32.exe
940	Jaclej32.exe
940	Jaclej32.exe
1340	Jlipcb32.exe
1340	Jlipcb32.exe
1232	Jafhkiom.exe
1232	Jafhkiom.exe
1704	Jhpahc32.exe
1704	Jhpahc32.exe
1920	Jdfamdln.exe
1920	Jdfamdln.exe
1756	Jicjekje.exe
1756	Jicjekje.exe
468	Jdinbd32.exe
468	Jdinbd32.exe
1072	Kiegkk32.exe
1072	Kiegkk32.exe
272	Kcnkcqoc.exe
272	Kcnkcqoc.exe
820	Kpblme32.exe
820	Kpblme32.exe
1780	Klilbfca.exe
1780	Klilbfca.exe
828	Keaakk32.exe
828	Keaakk32.exe
108	Koiecaqb.exe
108	Koiecaqb.exe
568	Kkpfhbff.exe
568	Kkpfhbff.exe
1120	Lkbbnadc.exe
1120	Lkbbnadc.exe
1356	Lhfcgf32.exe
1356	Lhfcgf32.exe
1492	Lbohpkjn.exe
1492	Lbohpkjn.exe
540	Ldmdlgia.exe
540	Ldmdlgia.exe
952	Lmhiaifl.exe
952	Lmhiaifl.exe
836	Lgnmnb32.exe
836	Lgnmnb32.exe
948	Lnheklmo.exe
948	Lnheklmo.exe
1724	Lqfagglc.exe
1724	Lqfagglc.exe
1696	Lfcjonkj.exe
1696	Lfcjonkj.exe
1992	Liafkjjn.exe
1992	Liafkjjn.exe
1360	Mcgjib32.exe
1360	Mcgjib32.exe
608	Mjabemaq.exe
608	Mjabemaq.exe
1304	Mcignb32.exe
1304	Mcignb32.exe
1716	Mifpfi32.exe
1716	Mifpfi32.exe
2036	Mbaqen32.exe
2036	Mbaqen32.exe
1912	Mikiahac.exe
1912	Mikiahac.exe

Drops file in System32 directory 64 IoCs

Processes:

Bdgdkmeo.exeBkmhojpi.exeLkgndfbc.exeNafjbncc.exeBjfiidad.exeFkcnhhkk.exeAaipbp32.exeEbbheibp.exeLnheklmo.exePipolpam.exeBbacjgbn.exeBhjqjnfb.exeDdcjcb32.exeKcindd32.exeLqfagglc.exeCepkefdn.exeDoacdj32.exeEfnjaijc.exeNnlkeo32.exeMeakqjhi.exeFakjpc32.exeIcpmdmkg.exeKqcflhog.exeJlibnhck.exeMdgmol32.exeOgaefiif.exeHdkeob32.exeNnjnoo32.exeEiggfc32.exeFnnbei32.exeBhcjio32.exeFfbokl32.exeKiegkk32.exeMjabemaq.exePepdap32.exePhnpnkol.exeAakjqcdc.exeEgfljqji.exeKcnkcqoc.exeEofgch32.exeLicdkj32.exeLlmhhjaa.exeOfcapd32.exeChjmia32.exeAnmpppkg.exePpjgij32.exeMmcefk32.exePdfigj32.exeMmpahahe.exeHbplii32.exeKihagf32.exeNgngdp32.exeAjjhpp32.exeAlkdgiac.exeHkndja32.exeDpnami32.exeImpcjfkb.exeAmbnla32.exeAimiga32.exeLfadae32.exePocpkj32.exeNadblogl.exeKmcalo32.exeBaphmd32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bibpll32.exe	Bdgdkmeo.exe
File created	C:\Windows\SysWOW64\Bbdppgql.exe	Bkmhojpi.exe
File opened for modification	C:\Windows\SysWOW64\Moegjd32.exe	Lkgndfbc.exe
File created	C:\Windows\SysWOW64\Nddfnicg.exe	Nafjbncc.exe
File opened for modification	C:\Windows\SysWOW64\Bmdfeoqg.exe	Bjfiidad.exe
File created	C:\Windows\SysWOW64\Fppgqpib.exe	Fkcnhhkk.exe
File opened for modification	C:\Windows\SysWOW64\Adhmnl32.exe	Aaipbp32.exe
File created	C:\Windows\SysWOW64\Lmijhn32.dll	Ebbheibp.exe
File created	C:\Windows\SysWOW64\Lqfagglc.exe	Lnheklmo.exe
File created	C:\Windows\SysWOW64\Bnfcfbpi.dll	Pipolpam.exe
File opened for modification	C:\Windows\SysWOW64\Bepofcab.exe	Bbacjgbn.exe
File created	C:\Windows\SysWOW64\Bilmaflq.exe	Bhjqjnfb.exe
File opened for modification	C:\Windows\SysWOW64\Dgafpn32.exe	Ddcjcb32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdjecpf.exe	Kcindd32.exe
File opened for modification	C:\Windows\SysWOW64\Lfcjonkj.exe	Lqfagglc.exe
File created	C:\Windows\SysWOW64\Fleffd32.dll	Cepkefdn.exe
File opened for modification	C:\Windows\SysWOW64\Dndcpgin.exe	Doacdj32.exe
File created	C:\Windows\SysWOW64\Dcfdoi32.dll	Efnjaijc.exe
File created	C:\Windows\SysWOW64\Nakgaj32.exe	Nnlkeo32.exe
File created	C:\Windows\SysWOW64\Mimgah32.exe	Meakqjhi.exe
File opened for modification	C:\Windows\SysWOW64\Fheblmkg.exe	Fakjpc32.exe
File created	C:\Windows\SysWOW64\Icbijm32.exe	Icpmdmkg.exe
File created	C:\Windows\SysWOW64\Lcmdkjfn.dll	Kqcflhog.exe
File opened for modification	C:\Windows\SysWOW64\Jmhohjjn.exe	Jlibnhck.exe
File created	C:\Windows\SysWOW64\Pjphcb32.dll	Mdgmol32.exe
File created	C:\Windows\SysWOW64\Pchfkj32.exe	Ogaefiif.exe
File created	C:\Windows\SysWOW64\Hfiakn32.exe	Hdkeob32.exe
File created	C:\Windows\SysWOW64\Nahjkj32.exe	Nnjnoo32.exe
File created	C:\Windows\SysWOW64\Alignmjh.dll	Eiggfc32.exe
File opened for modification	C:\Windows\SysWOW64\Falnad32.exe	Fnnbei32.exe
File created	C:\Windows\SysWOW64\Mofhfa32.dll	Bhcjio32.exe
File opened for modification	C:\Windows\SysWOW64\Fiqlhg32.exe	Ffbokl32.exe
File created	C:\Windows\SysWOW64\Kcnkcqoc.exe	Kiegkk32.exe
File created	C:\Windows\SysWOW64\Ealdnc32.dll	Mjabemaq.exe
File opened for modification	C:\Windows\SysWOW64\Phnpnkol.exe	Pepdap32.exe
File opened for modification	C:\Windows\SysWOW64\Plilnj32.exe	Phnpnkol.exe
File opened for modification	C:\Windows\SysWOW64\Bhebmn32.exe	Aakjqcdc.exe
File created	C:\Windows\SysWOW64\Aockbq32.dll	Egfljqji.exe
File created	C:\Windows\SysWOW64\Incnif32.dll	Kcnkcqoc.exe
File created	C:\Windows\SysWOW64\Nchqho32.dll	Eofgch32.exe
File opened for modification	C:\Windows\SysWOW64\Lpmlhdpj.exe	Licdkj32.exe
File created	C:\Windows\SysWOW64\Lpkpni32.exe	Llmhhjaa.exe
File created	C:\Windows\SysWOW64\Pldcbh32.dll	Ofcapd32.exe
File created	C:\Windows\SysWOW64\Lqdgie32.dll	Chjmia32.exe
File opened for modification	C:\Windows\SysWOW64\Bhkjkm32.exe	Anmpppkg.exe
File created	C:\Windows\SysWOW64\Pfdpedqg.exe	Ppjgij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnbefi.exe	Mmcefk32.exe
File created	C:\Windows\SysWOW64\Ndjplpnh.dll	Pdfigj32.exe
File created	C:\Windows\SysWOW64\Hmmepc32.dll	Mmpahahe.exe
File created	C:\Windows\SysWOW64\Henhed32.exe	Hbplii32.exe
File opened for modification	C:\Windows\SysWOW64\Kjinonhk.exe	Kihagf32.exe
File created	C:\Windows\SysWOW64\Nilcpl32.exe	Ngngdp32.exe
File opened for modification	C:\Windows\SysWOW64\Aimhkmbp.exe	Ajjhpp32.exe
File created	C:\Windows\SysWOW64\Pcgddklg.dll	Alkdgiac.exe
File created	C:\Windows\SysWOW64\Hoipkpob.exe	Hkndja32.exe
File opened for modification	C:\Windows\SysWOW64\Dbmnid32.exe	Dpnami32.exe
File created	C:\Windows\SysWOW64\Icjkfpcp.exe	Impcjfkb.exe
File opened for modification	C:\Windows\SysWOW64\Bodjdilh.exe	Ambnla32.exe
File created	C:\Windows\SysWOW64\Allecmhn.exe	Aimiga32.exe
File created	C:\Windows\SysWOW64\Abjghn32.dll	Lfadae32.exe
File opened for modification	C:\Windows\SysWOW64\Pbblgf32.exe	Pocpkj32.exe
File created	C:\Windows\SysWOW64\Lehjpp32.dll	Nadblogl.exe
File created	C:\Windows\SysWOW64\Kekiml32.exe	Kmcalo32.exe
File created	C:\Windows\SysWOW64\Bhjqjnfb.exe	Baphmd32.exe

Modifies registry class 64 IoCs

Processes:

Ojiifqll.exeQghicldb.exeQclkih32.exeLcgapioi.exeBhjqjnfb.exeBdgdkmeo.exeGdlopacg.exeMdpabk32.exeGfbljoke.exeKmcobj32.exeImgpbkkp.exeGllaap32.exeApomcm32.exeOnfdgdeh.exeAphfem32.exeCeggbgnp.exeNopgec32.exeGkfgml32.exeNjofpadg.exeAjhkjqng.exePjbngdfg.exeOaomkm32.exeKelqefjk.exePdfigj32.exeBilmaflq.exeGgkbdchp.exeKihcbkdb.exeNlppbmah.exeFgamco32.exeMmolklcb.exeQeimgqeo.exeKqcflhog.exeOkfkfi32.exeNldhoh32.exeKeaakk32.exeNgpfbefk.exeAnmpppkg.exeNcgdoa32.exeAimiga32.exeMcgjib32.exeHbplii32.exeNchkig32.exeEdhpnekf.exeNkidpd32.exeFakjpc32.exeIilqkcjf.exeJajhbj32.exeJcpicq32.exeNinhma32.exePhgkiqko.exeHpoindnp.exeLnheklmo.exeOkcidg32.exeLihmfidh.exeApimmg32.exeAbbhfibh.exeFnmaid32.exeJkddonpg.exeLfjelodl.exeAldobnnf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfbhdng.dll"	Ojiifqll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keenjg32.dll"	Qghicldb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qclkih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgapioi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhbmclh.dll"	Bhjqjnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdgdkmeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdlopacg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmqefpof.dll"	Mdpabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfbljoke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmcobj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgpbkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gllaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnlmp32.dll"	Apomcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojcha32.dll"	Onfdgdeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphfem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlijngoo.dll"	Ceggbgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nopgec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkfgml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fellcgcc.dll"	Njofpadg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhkjqng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbngdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinlfboo.dll"	Oaomkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kelqefjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjplpnh.dll"	Pdfigj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmaflq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggkbdchp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kihcbkdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlppbmah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgamco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmolklcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logdfcjj.dll"	Qeimgqeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqcflhog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidnanq.dll"	Okfkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipbcd32.dll"	Nldhoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keaakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpfbefk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmpppkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimiga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbbhf32.dll"	Nopgec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcgjib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdepghl.dll"	Hbplii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nchkig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edhpnekf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkidpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fakjpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohighb32.dll"	Iilqkcjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jajhbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geaopq32.dll"	Jcpicq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejbon32.dll"	Ninhma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phgkiqko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpoindnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnheklmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okcidg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgamco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lihmfidh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apimmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfiljm32.dll"	Abbhfibh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcgjib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnmaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncjoffd.dll"	Jkddonpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcplfib.dll"	Lfjelodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddfkkbg.dll"	Aldobnnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1900 wrote to memory of 240	1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe	Ildghc32.exe
PID 1900 wrote to memory of 240	1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe	Ildghc32.exe
PID 1900 wrote to memory of 240	1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe	Ildghc32.exe
PID 1900 wrote to memory of 240	1900	9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe	Ildghc32.exe
PID 240 wrote to memory of 940	240	Ildghc32.exe	Jaclej32.exe
PID 240 wrote to memory of 940	240	Ildghc32.exe	Jaclej32.exe
PID 240 wrote to memory of 940	240	Ildghc32.exe	Jaclej32.exe
PID 240 wrote to memory of 940	240	Ildghc32.exe	Jaclej32.exe
PID 940 wrote to memory of 1340	940	Jaclej32.exe	Jlipcb32.exe
PID 940 wrote to memory of 1340	940	Jaclej32.exe	Jlipcb32.exe
PID 940 wrote to memory of 1340	940	Jaclej32.exe	Jlipcb32.exe
PID 940 wrote to memory of 1340	940	Jaclej32.exe	Jlipcb32.exe
PID 1340 wrote to memory of 1232	1340	Jlipcb32.exe	Jafhkiom.exe
PID 1340 wrote to memory of 1232	1340	Jlipcb32.exe	Jafhkiom.exe
PID 1340 wrote to memory of 1232	1340	Jlipcb32.exe	Jafhkiom.exe
PID 1340 wrote to memory of 1232	1340	Jlipcb32.exe	Jafhkiom.exe
PID 1232 wrote to memory of 1704	1232	Jafhkiom.exe	Jhpahc32.exe
PID 1232 wrote to memory of 1704	1232	Jafhkiom.exe	Jhpahc32.exe
PID 1232 wrote to memory of 1704	1232	Jafhkiom.exe	Jhpahc32.exe
PID 1232 wrote to memory of 1704	1232	Jafhkiom.exe	Jhpahc32.exe
PID 1704 wrote to memory of 1920	1704	Jhpahc32.exe	Jdfamdln.exe
PID 1704 wrote to memory of 1920	1704	Jhpahc32.exe	Jdfamdln.exe
PID 1704 wrote to memory of 1920	1704	Jhpahc32.exe	Jdfamdln.exe
PID 1704 wrote to memory of 1920	1704	Jhpahc32.exe	Jdfamdln.exe
PID 1920 wrote to memory of 1756	1920	Jdfamdln.exe	Jicjekje.exe
PID 1920 wrote to memory of 1756	1920	Jdfamdln.exe	Jicjekje.exe
PID 1920 wrote to memory of 1756	1920	Jdfamdln.exe	Jicjekje.exe
PID 1920 wrote to memory of 1756	1920	Jdfamdln.exe	Jicjekje.exe
PID 1756 wrote to memory of 468	1756	Jicjekje.exe	Jdinbd32.exe
PID 1756 wrote to memory of 468	1756	Jicjekje.exe	Jdinbd32.exe
PID 1756 wrote to memory of 468	1756	Jicjekje.exe	Jdinbd32.exe
PID 1756 wrote to memory of 468	1756	Jicjekje.exe	Jdinbd32.exe
PID 468 wrote to memory of 1072	468	Jdinbd32.exe	Kiegkk32.exe
PID 468 wrote to memory of 1072	468	Jdinbd32.exe	Kiegkk32.exe
PID 468 wrote to memory of 1072	468	Jdinbd32.exe	Kiegkk32.exe
PID 468 wrote to memory of 1072	468	Jdinbd32.exe	Kiegkk32.exe
PID 1072 wrote to memory of 272	1072	Kiegkk32.exe	Kcnkcqoc.exe
PID 1072 wrote to memory of 272	1072	Kiegkk32.exe	Kcnkcqoc.exe
PID 1072 wrote to memory of 272	1072	Kiegkk32.exe	Kcnkcqoc.exe
PID 1072 wrote to memory of 272	1072	Kiegkk32.exe	Kcnkcqoc.exe
PID 272 wrote to memory of 820	272	Kcnkcqoc.exe	Kpblme32.exe
PID 272 wrote to memory of 820	272	Kcnkcqoc.exe	Kpblme32.exe
PID 272 wrote to memory of 820	272	Kcnkcqoc.exe	Kpblme32.exe
PID 272 wrote to memory of 820	272	Kcnkcqoc.exe	Kpblme32.exe
PID 820 wrote to memory of 1780	820	Kpblme32.exe	Klilbfca.exe
PID 820 wrote to memory of 1780	820	Kpblme32.exe	Klilbfca.exe
PID 820 wrote to memory of 1780	820	Kpblme32.exe	Klilbfca.exe
PID 820 wrote to memory of 1780	820	Kpblme32.exe	Klilbfca.exe
PID 1780 wrote to memory of 828	1780	Klilbfca.exe	Keaakk32.exe
PID 1780 wrote to memory of 828	1780	Klilbfca.exe	Keaakk32.exe
PID 1780 wrote to memory of 828	1780	Klilbfca.exe	Keaakk32.exe
PID 1780 wrote to memory of 828	1780	Klilbfca.exe	Keaakk32.exe
PID 828 wrote to memory of 108	828	Keaakk32.exe	Koiecaqb.exe
PID 828 wrote to memory of 108	828	Keaakk32.exe	Koiecaqb.exe
PID 828 wrote to memory of 108	828	Keaakk32.exe	Koiecaqb.exe
PID 828 wrote to memory of 108	828	Keaakk32.exe	Koiecaqb.exe
PID 108 wrote to memory of 568	108	Koiecaqb.exe	Kkpfhbff.exe
PID 108 wrote to memory of 568	108	Koiecaqb.exe	Kkpfhbff.exe
PID 108 wrote to memory of 568	108	Koiecaqb.exe	Kkpfhbff.exe
PID 108 wrote to memory of 568	108	Koiecaqb.exe	Kkpfhbff.exe
PID 568 wrote to memory of 1120	568	Kkpfhbff.exe	Lkbbnadc.exe
PID 568 wrote to memory of 1120	568	Kkpfhbff.exe	Lkbbnadc.exe
PID 568 wrote to memory of 1120	568	Kkpfhbff.exe	Lkbbnadc.exe
PID 568 wrote to memory of 1120	568	Kkpfhbff.exe	Lkbbnadc.exe

C:\Users\Admin\AppData\Local\Temp\9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe
"C:\Users\Admin\AppData\Local\Temp\9c47a2941094306423eecfd9b356e80f5911ad93324086f9ad60c8133b8738b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Ildghc32.exe
  C:\Windows\system32\Ildghc32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\Jaclej32.exe
    C:\Windows\system32\Jaclej32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\Jlipcb32.exe
      C:\Windows\system32\Jlipcb32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\SysWOW64\Jafhkiom.exe
        
        C:\Windows\system32\Jafhkiom.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\Jhpahc32.exe
        
        C:\Windows\system32\Jhpahc32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Jdfamdln.exe
        
        C:\Windows\system32\Jdfamdln.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Jicjekje.exe
        
        C:\Windows\system32\Jicjekje.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Jdinbd32.exe
        
        C:\Windows\system32\Jdinbd32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Kiegkk32.exe
        
        C:\Windows\system32\Kiegkk32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Kcnkcqoc.exe
        
        C:\Windows\system32\Kcnkcqoc.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\SysWOW64\Kpblme32.exe
        
        C:\Windows\system32\Kpblme32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Klilbfca.exe
        
        C:\Windows\system32\Klilbfca.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780

C:\Windows\SysWOW64\Keaakk32.exe
C:\Windows\system32\Keaakk32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\Koiecaqb.exe
  C:\Windows\system32\Koiecaqb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\Kkpfhbff.exe
    C:\Windows\system32\Kkpfhbff.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\Lkbbnadc.exe
      C:\Windows\system32\Lkbbnadc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1120
    - - C:\Windows\SysWOW64\Lhfcgf32.exe
        
        C:\Windows\system32\Lhfcgf32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1356
      - C:\Windows\SysWOW64\Lbohpkjn.exe
        
        C:\Windows\system32\Lbohpkjn.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\Ldmdlgia.exe
        
        C:\Windows\system32\Ldmdlgia.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:540
        
        C:\Windows\SysWOW64\Lmhiaifl.exe
        
        C:\Windows\system32\Lmhiaifl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:952
        
        C:\Windows\SysWOW64\Lgnmnb32.exe
        
        C:\Windows\system32\Lgnmnb32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:836
        
        C:\Windows\SysWOW64\Lnheklmo.exe
        
        C:\Windows\system32\Lnheklmo.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Lqfagglc.exe
        
        C:\Windows\system32\Lqfagglc.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Lfcjonkj.exe
        
        C:\Windows\system32\Lfcjonkj.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
        
        C:\Windows\SysWOW64\Liafkjjn.exe
        
        C:\Windows\system32\Liafkjjn.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1992
        
        C:\Windows\SysWOW64\Mcgjib32.exe
        
        C:\Windows\system32\Mcgjib32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Mjabemaq.exe
        
        C:\Windows\system32\Mjabemaq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\Mcignb32.exe
        
        C:\Windows\system32\Mcignb32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1304
        
        C:\Windows\SysWOW64\Mifpfi32.exe
        
        C:\Windows\system32\Mifpfi32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
        
        C:\Windows\SysWOW64\Mbaqen32.exe
        
        C:\Windows\system32\Mbaqen32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
        
        C:\Windows\SysWOW64\Mikiahac.exe
        
        C:\Windows\system32\Mikiahac.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1912
        
        C:\Windows\SysWOW64\Mjleiq32.exe
        
        C:\Windows\system32\Mjleiq32.exe
        20⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Mbcmjn32.exe
        
        C:\Windows\system32\Mbcmjn32.exe
        21⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Ngpfbefk.exe
        
        C:\Windows\system32\Ngpfbefk.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\Nnjnoo32.exe
        
        C:\Windows\system32\Nnjnoo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Nahjkj32.exe
        
        C:\Windows\system32\Nahjkj32.exe
        24⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Ngbbhddh.exe
        
        C:\Windows\system32\Ngbbhddh.exe
        25⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Nnlkeo32.exe
        
        C:\Windows\system32\Nnlkeo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Nakgaj32.exe
        
        C:\Windows\system32\Nakgaj32.exe
        27⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Ngeond32.exe
        
        C:\Windows\system32\Ngeond32.exe
        28⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Niflelhd.exe
        
        C:\Windows\system32\Niflelhd.exe
        29⤵
        Executes dropped EXE
        
        PID:296
        
        C:\Windows\SysWOW64\Nclpbehj.exe
        
        C:\Windows\system32\Nclpbehj.exe
        30⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Njehpo32.exe
        
        C:\Windows\system32\Njehpo32.exe
        31⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Nlgdggee.exe
        
        C:\Windows\system32\Nlgdggee.exe
        32⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Neoipm32.exe
        
        C:\Windows\system32\Neoipm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Ofoejp32.exe
        
        C:\Windows\system32\Ofoejp32.exe
        34⤵
        Executes dropped EXE
        
        PID:1636

C:\Windows\SysWOW64\Oojjnb32.exe
C:\Windows\system32\Oojjnb32.exe
1⤵
- Executes dropped EXE
PID:1640
- C:\Windows\SysWOW64\Ojqkcc32.exe
  C:\Windows\system32\Ojqkcc32.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- - C:\Windows\SysWOW64\Oefoql32.exe
    C:\Windows\system32\Oefoql32.exe
    3⤵
    - Executes dropped EXE
    PID:1028
  - - C:\Windows\SysWOW64\Omaden32.exe
      C:\Windows\system32\Omaden32.exe
      4⤵
      Executes dropped EXE
      PID:1616
    - - C:\Windows\SysWOW64\Odklahje.exe
        
        C:\Windows\system32\Odklahje.exe
        5⤵
        Executes dropped EXE
        
        PID:1584
      - C:\Windows\SysWOW64\Oaomkm32.exe
        
        C:\Windows\system32\Oaomkm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Oglecc32.exe
        
        C:\Windows\system32\Oglecc32.exe
        7⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Paaiql32.exe
        
        C:\Windows\system32\Paaiql32.exe
        8⤵
        Executes dropped EXE
        
        PID:520
        
        C:\Windows\SysWOW64\Pmhjem32.exe
        
        C:\Windows\system32\Pmhjem32.exe
        9⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Piokknbe.exe
        
        C:\Windows\system32\Piokknbe.exe
        10⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Pgckdbao.exe
        
        C:\Windows\system32\Pgckdbao.exe
        11⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Ponphe32.exe
        
        C:\Windows\system32\Ponphe32.exe
        12⤵
        Executes dropped EXE
        
        PID:1480

C:\Windows\SysWOW64\Poqmnd32.exe
C:\Windows\system32\Poqmnd32.exe
1⤵
- Executes dropped EXE
PID:1612
- C:\Windows\SysWOW64\Qlemgi32.exe
  C:\Windows\system32\Qlemgi32.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- - C:\Windows\SysWOW64\Qemapn32.exe
    C:\Windows\system32\Qemapn32.exe
    3⤵
    - Executes dropped EXE
    PID:2028
  - - C:\Windows\SysWOW64\Apgbql32.exe
      C:\Windows\system32\Apgbql32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:1084
    - - C:\Windows\SysWOW64\Aklgne32.exe
        
        C:\Windows\system32\Aklgne32.exe
        5⤵
        Executes dropped EXE
        
        PID:1176
      - C:\Windows\SysWOW64\Akoccdlc.exe
        
        C:\Windows\system32\Akoccdlc.exe
        6⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Anmpppkg.exe
        
        C:\Windows\system32\Anmpppkg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bhkjkm32.exe
        
        C:\Windows\system32\Bhkjkm32.exe
        8⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Bbcodb32.exe
        
        C:\Windows\system32\Bbcodb32.exe
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Bhngambn.exe
        
        C:\Windows\system32\Bhngambn.exe
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Bklcmhaa.exe
        
        C:\Windows\system32\Bklcmhaa.exe
        11⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Bnjoicpe.exe
        
        C:\Windows\system32\Bnjoicpe.exe
        12⤵
        
        PID:592
        
        C:\Windows\SysWOW64\Bddgfn32.exe
        
        C:\Windows\system32\Bddgfn32.exe
        13⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Bgcdbi32.exe
        
        C:\Windows\system32\Bgcdbi32.exe
        14⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Bnmlocnb.exe
        
        C:\Windows\system32\Bnmlocnb.exe
        15⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Bdgdkmeo.exe
        
        C:\Windows\system32\Bdgdkmeo.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bibpll32.exe
        
        C:\Windows\system32\Bibpll32.exe
        17⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Bjcmcdcf.exe
        
        C:\Windows\system32\Bjcmcdcf.exe
        18⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Bqnepn32.exe
        
        C:\Windows\system32\Bqnepn32.exe
        19⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Bclamj32.exe
        
        C:\Windows\system32\Bclamj32.exe
        20⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Bjfiidad.exe
        
        C:\Windows\system32\Bjfiidad.exe
        21⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Bmdfeoqg.exe
        
        C:\Windows\system32\Bmdfeoqg.exe
        22⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Ccnnbihd.exe
        
        C:\Windows\system32\Ccnnbihd.exe
        23⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Cfmjnegh.exe
        
        C:\Windows\system32\Cfmjnegh.exe
        24⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Cabnkngn.exe
        
        C:\Windows\system32\Cabnkngn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2104
        
        C:\Windows\SysWOW64\Ccqkgifa.exe
        
        C:\Windows\system32\Ccqkgifa.exe
        26⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Cjkcdc32.exe
        
        C:\Windows\system32\Cjkcdc32.exe
        27⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Cadkamek.exe
        
        C:\Windows\system32\Cadkamek.exe
        28⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Cjmpjcll.exe
        
        C:\Windows\system32\Cjmpjcll.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2136
        
        C:\Windows\SysWOW64\Clnlak32.exe
        
        C:\Windows\system32\Clnlak32.exe
        30⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Cfdpod32.exe
        
        C:\Windows\system32\Cfdpod32.exe
        31⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Clqigk32.exe
        
        C:\Windows\system32\Clqigk32.exe
        32⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Cplehihq.exe
        
        C:\Windows\system32\Cplehihq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2168
        
        C:\Windows\SysWOW64\Cffmdcom.exe
        
        C:\Windows\system32\Cffmdcom.exe
        34⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Cidiqona.exe
        
        C:\Windows\system32\Cidiqona.exe
        35⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Dpnami32.exe
        
        C:\Windows\system32\Dpnami32.exe
        36⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Dbmnid32.exe
        
        C:\Windows\system32\Dbmnid32.exe
        37⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Digffoln.exe
        
        C:\Windows\system32\Digffoln.exe
        38⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Dlebbjkb.exe
        
        C:\Windows\system32\Dlebbjkb.exe
        39⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Dbojod32.exe
        
        C:\Windows\system32\Dbojod32.exe
        40⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Dabkjaji.exe
        
        C:\Windows\system32\Dabkjaji.exe
        41⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Ddqgfl32.exe
        
        C:\Windows\system32\Ddqgfl32.exe
        42⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Djjocfpj.exe
        
        C:\Windows\system32\Djjocfpj.exe
        43⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Dmikpbon.exe
        
        C:\Windows\system32\Dmikpbon.exe
        44⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Ddccll32.exe
        
        C:\Windows\system32\Ddccll32.exe
        45⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Dohhie32.exe
        
        C:\Windows\system32\Dohhie32.exe
        46⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Dpidamlo.exe
        
        C:\Windows\system32\Dpidamlo.exe
        47⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Ddepal32.exe
        
        C:\Windows\system32\Ddepal32.exe
        48⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Djoinf32.exe
        
        C:\Windows\system32\Djoinf32.exe
        49⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Ebogngej.exe
        
        C:\Windows\system32\Ebogngej.exe
        50⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Ehlofoca.exe
        
        C:\Windows\system32\Ehlofoca.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2788
        
        C:\Windows\SysWOW64\Eofgch32.exe
        
        C:\Windows\system32\Eofgch32.exe
        52⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Eadcod32.exe
        
        C:\Windows\system32\Eadcod32.exe
        53⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Ehnlln32.exe
        
        C:\Windows\system32\Ehnlln32.exe
        54⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Ekmhhj32.exe
        
        C:\Windows\system32\Ekmhhj32.exe
        55⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Eohdhhil.exe
        
        C:\Windows\system32\Eohdhhil.exe
        56⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Eebleb32.exe
        
        C:\Windows\system32\Eebleb32.exe
        57⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Ekoemi32.exe
        
        C:\Windows\system32\Ekoemi32.exe
        58⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Fnmaid32.exe
        
        C:\Windows\system32\Fnmaid32.exe
        59⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Fedikb32.exe
        
        C:\Windows\system32\Fedikb32.exe
        60⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Fgeebjdd.exe
        
        C:\Windows\system32\Fgeebjdd.exe
        61⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Fakjpc32.exe
        
        C:\Windows\system32\Fakjpc32.exe
        62⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Fheblmkg.exe
        
        C:\Windows\system32\Fheblmkg.exe
        63⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Fkcnhhkk.exe
        
        C:\Windows\system32\Fkcnhhkk.exe
        64⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Fppgqpib.exe
        
        C:\Windows\system32\Fppgqpib.exe
        65⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Fgmlcinl.exe
        
        C:\Windows\system32\Fgmlcinl.exe
        66⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Fngdpc32.exe
        
        C:\Windows\system32\Fngdpc32.exe
        67⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Fohqglkg.exe
        
        C:\Windows\system32\Fohqglkg.exe
        68⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Ffbidf32.exe
        
        C:\Windows\system32\Ffbidf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Gllaap32.exe
        
        C:\Windows\system32\Gllaap32.exe
        70⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Gbiiig32.exe
        
        C:\Windows\system32\Gbiiig32.exe
        71⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Gjpajd32.exe
        
        C:\Windows\system32\Gjpajd32.exe
        72⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Ghbafqpe.exe
        
        C:\Windows\system32\Ghbafqpe.exe
        73⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Gkanbloi.exe
        
        C:\Windows\system32\Gkanbloi.exe
        74⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Gbkfof32.exe
        
        C:\Windows\system32\Gbkfof32.exe
        75⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Gdibkb32.exe
        
        C:\Windows\system32\Gdibkb32.exe
        76⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Gkckglmf.exe
        
        C:\Windows\system32\Gkckglmf.exe
        77⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Gbmcdfdc.exe
        
        C:\Windows\system32\Gbmcdfdc.exe
        78⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Gdlopacg.exe
        
        C:\Windows\system32\Gdlopacg.exe
        79⤵
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Gkfgml32.exe
        
        C:\Windows\system32\Gkfgml32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Hiekjd32.exe
        
        C:\Windows\system32\Hiekjd32.exe
        81⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Hfikdh32.exe
        
        C:\Windows\system32\Hfikdh32.exe
        82⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Higgpc32.exe
        
        C:\Windows\system32\Higgpc32.exe
        83⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Hpapmn32.exe
        
        C:\Windows\system32\Hpapmn32.exe
        84⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Hbplii32.exe
        
        C:\Windows\system32\Hbplii32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Henhed32.exe
        
        C:\Windows\system32\Henhed32.exe
        86⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Iepejd32.exe
        
        C:\Windows\system32\Iepejd32.exe
        87⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Iilqkcjf.exe
        
        C:\Windows\system32\Iilqkcjf.exe
        88⤵
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Ipfihm32.exe
        
        C:\Windows\system32\Ipfihm32.exe
        89⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Iebapdpj.exe
        
        C:\Windows\system32\Iebapdpj.exe
        90⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Ihanloon.exe
        
        C:\Windows\system32\Ihanloon.exe
        91⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Inkfii32.exe
        
        C:\Windows\system32\Inkfii32.exe
        92⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Ichnap32.exe
        
        C:\Windows\system32\Ichnap32.exe
        93⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Ilofbn32.exe
        
        C:\Windows\system32\Ilofbn32.exe
        94⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Impcjfkb.exe
        
        C:\Windows\system32\Impcjfkb.exe
        95⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Icjkfpcp.exe
        
        C:\Windows\system32\Icjkfpcp.exe
        96⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Ifhgbkbc.exe
        
        C:\Windows\system32\Ifhgbkbc.exe
        97⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Inpodibe.exe
        
        C:\Windows\system32\Inpodibe.exe
        98⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Kkflhmke.exe
        
        C:\Windows\system32\Kkflhmke.exe
        99⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Kelqefjk.exe
        
        C:\Windows\system32\Kelqefjk.exe
        100⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kgmmmn32.exe
        
        C:\Windows\system32\Kgmmmn32.exe
        101⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Kkhimmib.exe
        
        C:\Windows\system32\Kkhimmib.exe
        102⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Kmgeihhf.exe
        
        C:\Windows\system32\Kmgeihhf.exe
        103⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Khliga32.exe
        
        C:\Windows\system32\Khliga32.exe
        104⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Kepigm32.exe
        
        C:\Windows\system32\Kepigm32.exe
        105⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Mhegbk32.exe
        
        C:\Windows\system32\Mhegbk32.exe
        106⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Mkhmjeab.exe
        
        C:\Windows\system32\Mkhmjeab.exe
        107⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Mocijd32.exe
        
        C:\Windows\system32\Mocijd32.exe
        108⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Mabefp32.exe
        
        C:\Windows\system32\Mabefp32.exe
        109⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Mdpabk32.exe
        
        C:\Windows\system32\Mdpabk32.exe
        110⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Mgonof32.exe
        
        C:\Windows\system32\Mgonof32.exe
        111⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Nofepd32.exe
        
        C:\Windows\system32\Nofepd32.exe
        112⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Nadblogl.exe
        
        C:\Windows\system32\Nadblogl.exe
        113⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ndbnhkfp.exe
        
        C:\Windows\system32\Ndbnhkfp.exe
        114⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Nkmfee32.exe
        
        C:\Windows\system32\Nkmfee32.exe
        115⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Njofpadg.exe
        
        C:\Windows\system32\Njofpadg.exe
        116⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Nafoaoei.exe
        
        C:\Windows\system32\Nafoaoei.exe
        117⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Npioml32.exe
        
        C:\Windows\system32\Npioml32.exe
        118⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Nchkig32.exe
        
        C:\Windows\system32\Nchkig32.exe
        119⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Nkocjd32.exe
        
        C:\Windows\system32\Nkocjd32.exe
        120⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Njbcfabd.exe
        
        C:\Windows\system32\Njbcfabd.exe
        121⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Nlppbmah.exe
        
        C:\Windows\system32\Nlppbmah.exe
        122⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ndggcj32.exe
        
        C:\Windows\system32\Ndggcj32.exe
        123⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Ngfdoe32.exe
        
        C:\Windows\system32\Ngfdoe32.exe
        124⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Njdpka32.exe
        
        C:\Windows\system32\Njdpka32.exe
        125⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Npnhhkho.exe
        
        C:\Windows\system32\Npnhhkho.exe
        126⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Nghqee32.exe
        
        C:\Windows\system32\Nghqee32.exe
        127⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Nhimmnei.exe
        
        C:\Windows\system32\Nhimmnei.exe
        128⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Noceig32.exe
        
        C:\Windows\system32\Noceig32.exe
        129⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Ncoajf32.exe
        
        C:\Windows\system32\Ncoajf32.exe
        130⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Ojiifqll.exe
        
        C:\Windows\system32\Ojiifqll.exe
        131⤵
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Okjfni32.exe
        
        C:\Windows\system32\Okjfni32.exe
        132⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Ocanof32.exe
        
        C:\Windows\system32\Ocanof32.exe
        133⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Odbjgnik.exe
        
        C:\Windows\system32\Odbjgnik.exe
        134⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Olibhkim.exe
        
        C:\Windows\system32\Olibhkim.exe
        135⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Oohodgha.exe
        
        C:\Windows\system32\Oohodgha.exe
        136⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Onkopd32.exe
        
        C:\Windows\system32\Onkopd32.exe
        137⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Ofbgaapn.exe
        
        C:\Windows\system32\Ofbgaapn.exe
        138⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Ohpcmmoa.exe
        
        C:\Windows\system32\Ohpcmmoa.exe
        139⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Okooihne.exe
        
        C:\Windows\system32\Okooihne.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2448
        
        C:\Windows\SysWOW64\Onmlecmi.exe
        
        C:\Windows\system32\Onmlecmi.exe
        141⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Oqlhaolm.exe
        
        C:\Windows\system32\Oqlhaolm.exe
        142⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ogepni32.exe
        
        C:\Windows\system32\Ogepni32.exe
        143⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Ojdljd32.exe
        
        C:\Windows\system32\Ojdljd32.exe
        144⤵
        
        PID:240
        
        C:\Windows\SysWOW64\Oqndgojj.exe
        
        C:\Windows\system32\Oqndgojj.exe
        145⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Oclqcj32.exe
        
        C:\Windows\system32\Oclqcj32.exe
        146⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Okcidg32.exe
        
        C:\Windows\system32\Okcidg32.exe
        147⤵
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Pmdelppn.exe
        
        C:\Windows\system32\Pmdelppn.exe
        148⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Pdlmmmqq.exe
        
        C:\Windows\system32\Pdlmmmqq.exe
        149⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Pgjiihpd.exe
        
        C:\Windows\system32\Pgjiihpd.exe
        150⤵
        
        PID:272
        
        C:\Windows\SysWOW64\Pfmjee32.exe
        
        C:\Windows\system32\Pfmjee32.exe
        151⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Pndafb32.exe
        
        C:\Windows\system32\Pndafb32.exe
        152⤵
        
        PID:108
        
        C:\Windows\SysWOW64\Pmgbaonk.exe
        
        C:\Windows\system32\Pmgbaonk.exe
        153⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Poennkmo.exe
        
        C:\Windows\system32\Poennkmo.exe
        154⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Pgmfoh32.exe
        
        C:\Windows\system32\Pgmfoh32.exe
        155⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Pinbfpcp.exe
        
        C:\Windows\system32\Pinbfpcp.exe
        156⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\Pqekhndb.exe
        
        C:\Windows\system32\Pqekhndb.exe
        157⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Pbfgpf32.exe
        
        C:\Windows\system32\Pbfgpf32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:608
        
        C:\Windows\SysWOW64\Pipolpam.exe
        
        C:\Windows\system32\Pipolpam.exe
        159⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ppjgij32.exe
        
        C:\Windows\system32\Ppjgij32.exe
        160⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Pfdpedqg.exe
        
        C:\Windows\system32\Pfdpedqg.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Piblap32.exe
        
        C:\Windows\system32\Piblap32.exe
        162⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Pmnhbnhc.exe
        
        C:\Windows\system32\Pmnhbnhc.exe
        163⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Pnodjf32.exe
        
        C:\Windows\system32\Pnodjf32.exe
        164⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Pffmkc32.exe
        
        C:\Windows\system32\Pffmkc32.exe
        165⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Qeimgqeo.exe
        
        C:\Windows\system32\Qeimgqeo.exe
        166⤵
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Qghicldb.exe
        
        C:\Windows\system32\Qghicldb.exe
        167⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Qlceck32.exe
        
        C:\Windows\system32\Qlceck32.exe
        168⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Qbmmpedh.exe
        
        C:\Windows\system32\Qbmmpedh.exe
        169⤵
        
        PID:520
        
        C:\Windows\SysWOW64\Qelilpcl.exe
        
        C:\Windows\system32\Qelilpcl.exe
        170⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Qjhbdg32.exe
        
        C:\Windows\system32\Qjhbdg32.exe
        171⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Qbpjfd32.exe
        
        C:\Windows\system32\Qbpjfd32.exe
        172⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Aabjaaip.exe
        
        C:\Windows\system32\Aabjaaip.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1552
        
        C:\Windows\SysWOW64\Acqfmmhd.exe
        
        C:\Windows\system32\Acqfmmhd.exe
        174⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Ahlbnk32.exe
        
        C:\Windows\system32\Ahlbnk32.exe
        175⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Anfkkehj.exe
        
        C:\Windows\system32\Anfkkehj.exe
        176⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Aepcgp32.exe
        
        C:\Windows\system32\Aepcgp32.exe
        177⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Ahoock32.exe
        
        C:\Windows\system32\Ahoock32.exe
        178⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Ajmkpfmn.exe
        
        C:\Windows\system32\Ajmkpfmn.exe
        179⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Amkglbla.exe
        
        C:\Windows\system32\Amkglbla.exe
        180⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Adephl32.exe
        
        C:\Windows\system32\Adephl32.exe
        181⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Afdldg32.exe
        
        C:\Windows\system32\Afdldg32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2112
        
        C:\Windows\SysWOW64\Aibhqc32.exe
        
        C:\Windows\system32\Aibhqc32.exe
        183⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Aaipbp32.exe
        
        C:\Windows\system32\Aaipbp32.exe
        184⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Adhmnl32.exe
        
        C:\Windows\system32\Adhmnl32.exe
        185⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Ajbekf32.exe
        
        C:\Windows\system32\Ajbekf32.exe
        186⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Apomcm32.exe
        
        C:\Windows\system32\Apomcm32.exe
        187⤵
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Afhepgom.exe
        
        C:\Windows\system32\Afhepgom.exe
        188⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Ambnla32.exe
        
        C:\Windows\system32\Ambnla32.exe
        189⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Bodjdilh.exe
        
        C:\Windows\system32\Bodjdilh.exe
        190⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Bfkbefmj.exe
        
        C:\Windows\system32\Bfkbefmj.exe
        191⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Biinabln.exe
        
        C:\Windows\system32\Biinabln.exe
        192⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Bpcgnlck.exe
        
        C:\Windows\system32\Bpcgnlck.exe
        193⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Bbacjgbn.exe
        
        C:\Windows\system32\Bbacjgbn.exe
        194⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bepofcab.exe
        
        C:\Windows\system32\Bepofcab.exe
        195⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Bhokbnqf.exe
        
        C:\Windows\system32\Bhokbnqf.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2780
        
        C:\Windows\SysWOW64\Bkmhojpi.exe
        
        C:\Windows\system32\Bkmhojpi.exe
        197⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Bbdppgql.exe
        
        C:\Windows\system32\Bbdppgql.exe
        198⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Bagpkd32.exe
        
        C:\Windows\system32\Bagpkd32.exe
        199⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Bdelgo32.exe
        
        C:\Windows\system32\Bdelgo32.exe
        200⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Blldhm32.exe
        
        C:\Windows\system32\Blldhm32.exe
        201⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Bokpehfp.exe
        
        C:\Windows\system32\Bokpehfp.exe
        202⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Beehab32.exe
        
        C:\Windows\system32\Beehab32.exe
        203⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Bgfeijck.exe
        
        C:\Windows\system32\Bgfeijck.exe
        204⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Bkaaji32.exe
        
        C:\Windows\system32\Bkaaji32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2852
        
        C:\Windows\SysWOW64\Bmpmfd32.exe
        
        C:\Windows\system32\Bmpmfd32.exe
        206⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Bpnibp32.exe
        
        C:\Windows\system32\Bpnibp32.exe
        207⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Cheacm32.exe
        
        C:\Windows\system32\Cheacm32.exe
        208⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Cghbojah.exe
        
        C:\Windows\system32\Cghbojah.exe
        209⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Cignkeql.exe
        
        C:\Windows\system32\Cignkeql.exe
        210⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Canflc32.exe
        
        C:\Windows\system32\Canflc32.exe
        211⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Ccobckgl.exe
        
        C:\Windows\system32\Ccobckgl.exe
        212⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Ckfjehho.exe
        
        C:\Windows\system32\Ckfjehho.exe
        213⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Clgglq32.exe
        
        C:\Windows\system32\Clgglq32.exe
        214⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Cdoonn32.exe
        
        C:\Windows\system32\Cdoonn32.exe
        215⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Cepkefdn.exe
        
        C:\Windows\system32\Cepkefdn.exe
        216⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Cljcbp32.exe
        
        C:\Windows\system32\Cljcbp32.exe
        217⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Cohpnlkn.exe
        
        C:\Windows\system32\Cohpnlkn.exe
        218⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Cgohoikp.exe
        
        C:\Windows\system32\Cgohoikp.exe
        219⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Chqdga32.exe
        
        C:\Windows\system32\Chqdga32.exe
        220⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Cjpaadha.exe
        
        C:\Windows\system32\Cjpaadha.exe
        221⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Clommpge.exe
        
        C:\Windows\system32\Clommpge.exe
        222⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Dchejjob.exe
        
        C:\Windows\system32\Dchejjob.exe
        223⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Degafene.exe
        
        C:\Windows\system32\Degafene.exe
        224⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Dhenbqmi.exe
        
        C:\Windows\system32\Dhenbqmi.exe
        225⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Doofok32.exe
        
        C:\Windows\system32\Doofok32.exe
        226⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Dfinkelc.exe
        
        C:\Windows\system32\Dfinkelc.exe
        227⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Dlcfho32.exe
        
        C:\Windows\system32\Dlcfho32.exe
        228⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Doacdj32.exe
        
        C:\Windows\system32\Doacdj32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Dndcpgin.exe
        
        C:\Windows\system32\Dndcpgin.exe
        230⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Dflkad32.exe
        
        C:\Windows\system32\Dflkad32.exe
        231⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Ddnkmaak.exe
        
        C:\Windows\system32\Ddnkmaak.exe
        232⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Dkhcik32.exe
        
        C:\Windows\system32\Dkhcik32.exe
        233⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Dbblfepd.exe
        
        C:\Windows\system32\Dbblfepd.exe
        234⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Dhldcp32.exe
        
        C:\Windows\system32\Dhldcp32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2512
        
        C:\Windows\SysWOW64\Dnilkf32.exe
        
        C:\Windows\system32\Dnilkf32.exe
        236⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Ekmmdkdb.exe
        
        C:\Windows\system32\Ekmmdkdb.exe
        237⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Ejpmpg32.exe
        
        C:\Windows\system32\Ejpmpg32.exe
        238⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Edeamp32.exe
        
        C:\Windows\system32\Edeamp32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:572
        
        C:\Windows\SysWOW64\Efgnehqa.exe
        
        C:\Windows\system32\Efgnehqa.exe
        240⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Ennfffac.exe
        
        C:\Windows\system32\Ennfffac.exe
        241⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Efijjh32.exe
        
        C:\Windows\system32\Efijjh32.exe
        242⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Eiggfc32.exe
        
        C:\Windows\system32\Eiggfc32.exe
        243⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Emccgbfk.exe
        
        C:\Windows\system32\Emccgbfk.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:972
        
        C:\Windows\SysWOW64\Ecmkdl32.exe
        
        C:\Windows\system32\Ecmkdl32.exe
        245⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Ebpkpidb.exe
        
        C:\Windows\system32\Ebpkpidb.exe
        246⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Ejgcqfee.exe
        
        C:\Windows\system32\Ejgcqfee.exe
        247⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Emepmbdh.exe
        
        C:\Windows\system32\Emepmbdh.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:880
        
        C:\Windows\SysWOW64\Eodlimcl.exe
        
        C:\Windows\system32\Eodlimcl.exe
        249⤵
        
        PID:708
        
        C:\Windows\SysWOW64\Ebbheibp.exe
        
        C:\Windows\system32\Ebbheibp.exe
        250⤵
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Eeqdad32.exe
        
        C:\Windows\system32\Eeqdad32.exe
        251⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Emhlba32.exe
        
        C:\Windows\system32\Emhlba32.exe
        252⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Eofhnm32.exe
        
        C:\Windows\system32\Eofhnm32.exe
        253⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Ebddkh32.exe
        
        C:\Windows\system32\Ebddkh32.exe
        254⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Fgamco32.exe
        
        C:\Windows\system32\Fgamco32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Fgcjholb.exe
        
        C:\Windows\system32\Fgcjholb.exe
        256⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Fjbfdjle.exe
        
        C:\Windows\system32\Fjbfdjle.exe
        257⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Fnnbei32.exe
        
        C:\Windows\system32\Fnnbei32.exe
        258⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Falnad32.exe
        
        C:\Windows\system32\Falnad32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Fgffnojo.exe
        
        C:\Windows\system32\Fgffnojo.exe
        260⤵
        
        PID:980
        
        C:\Windows\SysWOW64\Fjdcjjic.exe
        
        C:\Windows\system32\Fjdcjjic.exe
        261⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Fankgd32.exe
        
        C:\Windows\system32\Fankgd32.exe
        262⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Heipei32.exe
        
        C:\Windows\system32\Heipei32.exe
        263⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Ipaqhblc.exe
        
        C:\Windows\system32\Ipaqhblc.exe
        264⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Icpmdmkg.exe
        
        C:\Windows\system32\Icpmdmkg.exe
        265⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Icbijm32.exe
        
        C:\Windows\system32\Icbijm32.exe
        266⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Idcfaeob.exe
        
        C:\Windows\system32\Idcfaeob.exe
        267⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Ikmnno32.exe
        
        C:\Windows\system32\Ikmnno32.exe
        268⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Inljjk32.exe
        
        C:\Windows\system32\Inljjk32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1512
        
        C:\Windows\SysWOW64\Iagfkinl.exe
        
        C:\Windows\system32\Iagfkinl.exe
        270⤵
        
        PID:592
        
        C:\Windows\SysWOW64\Ihaohc32.exe
        
        C:\Windows\system32\Ihaohc32.exe
        271⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Igdocplc.exe
        
        C:\Windows\system32\Igdocplc.exe
        272⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Inngpjcp.exe
        
        C:\Windows\system32\Inngpjcp.exe
        273⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Iajcqi32.exe
        
        C:\Windows\system32\Iajcqi32.exe
        274⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Idhomd32.exe
        
        C:\Windows\system32\Idhomd32.exe
        275⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Ihckmccf.exe
        
        C:\Windows\system32\Ihckmccf.exe
        276⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Jjehek32.exe
        
        C:\Windows\system32\Jjehek32.exe
        277⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Jnqdejan.exe
        
        C:\Windows\system32\Jnqdejan.exe
        278⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Jalpfi32.exe
        
        C:\Windows\system32\Jalpfi32.exe
        279⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Jcmlnape.exe
        
        C:\Windows\system32\Jcmlnape.exe
        280⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Jkddonpg.exe
        
        C:\Windows\system32\Jkddonpg.exe
        281⤵
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Jleqff32.exe
        
        C:\Windows\system32\Jleqff32.exe
        282⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Jdmihdgh.exe
        
        C:\Windows\system32\Jdmihdgh.exe
        283⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Jcpicq32.exe
        
        C:\Windows\system32\Jcpicq32.exe
        284⤵
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Jfneol32.exe
        
        C:\Windows\system32\Jfneol32.exe
        285⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Jjjapkeo.exe
        
        C:\Windows\system32\Jjjapkeo.exe
        286⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Jqcime32.exe
        
        C:\Windows\system32\Jqcime32.exe
        287⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Jcbfip32.exe
        
        C:\Windows\system32\Jcbfip32.exe
        288⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Jfpbel32.exe
        
        C:\Windows\system32\Jfpbel32.exe
        289⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Jmjjafbp.exe
        
        C:\Windows\system32\Jmjjafbp.exe
        290⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Joifna32.exe
        
        C:\Windows\system32\Joifna32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Jbgbjm32.exe
        
        C:\Windows\system32\Jbgbjm32.exe
        292⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Jjnkkj32.exe
        
        C:\Windows\system32\Jjnkkj32.exe
        293⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Jmmgge32.exe
        
        C:\Windows\system32\Jmmgge32.exe
        294⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Jokcca32.exe
        
        C:\Windows\system32\Jokcca32.exe
        295⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Kbiopl32.exe
        
        C:\Windows\system32\Kbiopl32.exe
        296⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Kdhllh32.exe
        
        C:\Windows\system32\Kdhllh32.exe
        297⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Kmocme32.exe
        
        C:\Windows\system32\Kmocme32.exe
        298⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Kompiq32.exe
        
        C:\Windows\system32\Kompiq32.exe
        299⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Kbllellb.exe
        
        C:\Windows\system32\Kbllellb.exe
        300⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Kejhagkf.exe
        
        C:\Windows\system32\Kejhagkf.exe
        301⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Kifdaf32.exe
        
        C:\Windows\system32\Kifdaf32.exe
        302⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Kkdqna32.exe
        
        C:\Windows\system32\Kkdqna32.exe
        303⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Knbmjm32.exe
        
        C:\Windows\system32\Knbmjm32.exe
        304⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Kbnikljp.exe
        
        C:\Windows\system32\Kbnikljp.exe
        305⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Kemeggic.exe
        
        C:\Windows\system32\Kemeggic.exe
        306⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Kihagf32.exe
        
        C:\Windows\system32\Kihagf32.exe
        307⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Kjinonhk.exe
        
        C:\Windows\system32\Kjinonhk.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3096
        
        C:\Windows\SysWOW64\Kqcflhog.exe
        
        C:\Windows\system32\Kqcflhog.exe
        309⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Keoalg32.exe
        
        C:\Windows\system32\Keoalg32.exe
        310⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\Kgmnhb32.exe
        
        C:\Windows\system32\Kgmnhb32.exe
        311⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Kjljdn32.exe
        
        C:\Windows\system32\Kjljdn32.exe
        312⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Kmjfqi32.exe
        
        C:\Windows\system32\Kmjfqi32.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3136
        
        C:\Windows\SysWOW64\Keaobf32.exe
        
        C:\Windows\system32\Keaobf32.exe
        314⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Kcdomclh.exe
        
        C:\Windows\system32\Kcdomclh.exe
        315⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Kfbkiokl.exe
        
        C:\Windows\system32\Kfbkiokl.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3160
        
        C:\Windows\SysWOW64\Lnjcklln.exe
        
        C:\Windows\system32\Lnjcklln.exe
        317⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Lahoggkb.exe
        
        C:\Windows\system32\Lahoggkb.exe
        318⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Ljpcpmab.exe
        
        C:\Windows\system32\Ljpcpmab.exe
        319⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Licdkj32.exe
        
        C:\Windows\system32\Licdkj32.exe
        320⤵
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Lpmlhdpj.exe
        
        C:\Windows\system32\Lpmlhdpj.exe
        321⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Lblhdoon.exe
        
        C:\Windows\system32\Lblhdoon.exe
        322⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Ljcpempp.exe
        
        C:\Windows\system32\Ljcpempp.exe
        323⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Lmamahoc.exe
        
        C:\Windows\system32\Lmamahoc.exe
        324⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Lppimcng.exe
        
        C:\Windows\system32\Lppimcng.exe
        325⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Lckenb32.exe
        
        C:\Windows\system32\Lckenb32.exe
        326⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Lihmfidh.exe
        
        C:\Windows\system32\Lihmfidh.exe
        327⤵
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Llfibdck.exe
        
        C:\Windows\system32\Llfibdck.exe
        328⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Lnefopbo.exe
        
        C:\Windows\system32\Lnefopbo.exe
        329⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Lflnpmca.exe
        
        C:\Windows\system32\Lflnpmca.exe
        330⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Lhmjge32.exe
        
        C:\Windows\system32\Lhmjge32.exe
        331⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Lbbodn32.exe
        
        C:\Windows\system32\Lbbodn32.exe
        332⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Meakqjhi.exe
        
        C:\Windows\system32\Meakqjhi.exe
        333⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mimgah32.exe
        
        C:\Windows\system32\Mimgah32.exe
        334⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Mjnciqfq.exe
        
        C:\Windows\system32\Mjnciqfq.exe
        335⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Mahkfk32.exe
        
        C:\Windows\system32\Mahkfk32.exe
        336⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Mecgfifg.exe
        
        C:\Windows\system32\Mecgfifg.exe
        337⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Mlmpcc32.exe
        
        C:\Windows\system32\Mlmpcc32.exe
        338⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Mmolklcb.exe
        
        C:\Windows\system32\Mmolklcb.exe
        339⤵
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Majhkj32.exe
        
        C:\Windows\system32\Majhkj32.exe
        340⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Mmaipk32.exe
        
        C:\Windows\system32\Mmaipk32.exe
        341⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Mameajih.exe
        
        C:\Windows\system32\Mameajih.exe
        342⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Mdkameil.exe
        
        C:\Windows\system32\Mdkameil.exe
        343⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Mihjelgc.exe
        
        C:\Windows\system32\Mihjelgc.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3384
        
        C:\Windows\SysWOW64\Mmcefk32.exe
        
        C:\Windows\system32\Mmcefk32.exe
        345⤵
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Mdmnbefi.exe
        
        C:\Windows\system32\Mdmnbefi.exe
        346⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Mfljoq32.exe
        
        C:\Windows\system32\Mfljoq32.exe
        347⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Mijfkl32.exe
        
        C:\Windows\system32\Mijfkl32.exe
        348⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Mlhbgg32.exe
        
        C:\Windows\system32\Mlhbgg32.exe
        349⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Ndpjhe32.exe
        
        C:\Windows\system32\Ndpjhe32.exe
        350⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Ngngdp32.exe
        
        C:\Windows\system32\Ngngdp32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Nilcpl32.exe
        
        C:\Windows\system32\Nilcpl32.exe
        352⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Nmhoajkg.exe
        
        C:\Windows\system32\Nmhoajkg.exe
        353⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Noikib32.exe
        
        C:\Windows\system32\Noikib32.exe
        354⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Nbegiaio.exe
        
        C:\Windows\system32\Nbegiaio.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Neccemhb.exe
        
        C:\Windows\system32\Neccemhb.exe
        356⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Nhapah32.exe
        
        C:\Windows\system32\Nhapah32.exe
        357⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Nlmlbgpo.exe
        
        C:\Windows\system32\Nlmlbgpo.exe
        358⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Nolhnbob.exe
        
        C:\Windows\system32\Nolhnbob.exe
        359⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Ncgdoa32.exe
        
        C:\Windows\system32\Ncgdoa32.exe
        360⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Okgbnbqa.exe
        
        C:\Windows\system32\Okgbnbqa.exe
        361⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Oneojnpe.exe
        
        C:\Windows\system32\Oneojnpe.exe
        362⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Oaajkm32.exe
        
        C:\Windows\system32\Oaajkm32.exe
        363⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Odoggh32.exe
        
        C:\Windows\system32\Odoggh32.exe
        364⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Ognccc32.exe
        
        C:\Windows\system32\Ognccc32.exe
        365⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Onhkpn32.exe
        
        C:\Windows\system32\Onhkpn32.exe
        366⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Oacgqlfl.exe
        
        C:\Windows\system32\Oacgqlfl.exe
        367⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Pjqeia32.exe
        
        C:\Windows\system32\Pjqeia32.exe
        368⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Pqkmflkl.exe
        
        C:\Windows\system32\Pqkmflkl.exe
        369⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Pdfigj32.exe
        
        C:\Windows\system32\Pdfigj32.exe
        370⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Pkpacdkb.exe
        
        C:\Windows\system32\Pkpacdkb.exe
        371⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Pjcaoa32.exe
        
        C:\Windows\system32\Pjcaoa32.exe
        372⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Qqmjlk32.exe
        
        C:\Windows\system32\Qqmjlk32.exe
        373⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Qgioneod.exe
        
        C:\Windows\system32\Qgioneod.exe
        374⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3624
        
        C:\Windows\SysWOW64\Ajhkjqng.exe
        
        C:\Windows\system32\Ajhkjqng.exe
        375⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Aikken32.exe
        
        C:\Windows\system32\Aikken32.exe
        376⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Apdcbg32.exe
        
        C:\Windows\system32\Apdcbg32.exe
        377⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Acppcfdh.exe
        
        C:\Windows\system32\Acppcfdh.exe
        378⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Ajjhpp32.exe
        
        C:\Windows\system32\Ajjhpp32.exe
        379⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Aimhkmbp.exe
        
        C:\Windows\system32\Aimhkmbp.exe
        380⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Alkdgiac.exe
        
        C:\Windows\system32\Alkdgiac.exe
        381⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Acblhfbe.exe
        
        C:\Windows\system32\Acblhfbe.exe
        382⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Abeldb32.exe
        
        C:\Windows\system32\Abeldb32.exe
        383⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Aecipn32.exe
        
        C:\Windows\system32\Aecipn32.exe
        384⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Amkqak32.exe
        
        C:\Windows\system32\Amkqak32.exe
        385⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Apimmg32.exe
        
        C:\Windows\system32\Apimmg32.exe
        386⤵
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Abhiibgm.exe
        
        C:\Windows\system32\Abhiibgm.exe
        387⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3728
        
        C:\Windows\SysWOW64\Afceja32.exe
        
        C:\Windows\system32\Afceja32.exe
        388⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Aefefnfa.exe
        
        C:\Windows\system32\Aefefnfa.exe
        389⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Ahdabiee.exe
        
        C:\Windows\system32\Ahdabiee.exe
        390⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Alpnbh32.exe
        
        C:\Windows\system32\Alpnbh32.exe
        391⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Annjoc32.exe
        
        C:\Windows\system32\Annjoc32.exe
        392⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Aamfko32.exe
        
        C:\Windows\system32\Aamfko32.exe
        393⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3776
        
        C:\Windows\SysWOW64\Aehbkndn.exe
        
        C:\Windows\system32\Aehbkndn.exe
        394⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3784
        
        C:\Windows\SysWOW64\Ahgngicb.exe
        
        C:\Windows\system32\Ahgngicb.exe
        395⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Albjhg32.exe
        
        C:\Windows\system32\Albjhg32.exe
        396⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Anqfdc32.exe
        
        C:\Windows\system32\Anqfdc32.exe
        397⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Baocpojb.exe
        
        C:\Windows\system32\Baocpojb.exe
        398⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Bekoqm32.exe
        
        C:\Windows\system32\Bekoqm32.exe
        399⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Bhikmh32.exe
        
        C:\Windows\system32\Bhikmh32.exe
        400⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Bldgngih.exe
        
        C:\Windows\system32\Bldgngih.exe
        401⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Bjggid32.exe
        
        C:\Windows\system32\Bjggid32.exe
        402⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Bmfcep32.exe
        
        C:\Windows\system32\Bmfcep32.exe
        403⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Baapfnhp.exe
        
        C:\Windows\system32\Baapfnhp.exe
        404⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Djihkm32.exe
        
        C:\Windows\system32\Djihkm32.exe
        405⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Fnaclj32.exe
        
        C:\Windows\system32\Fnaclj32.exe
        406⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Iifpgi32.exe
        
        C:\Windows\system32\Iifpgi32.exe
        407⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3060
        
        C:\Windows\SysWOW64\Jmolalbh.exe
        
        C:\Windows\system32\Jmolalbh.exe
        408⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Jajhbj32.exe
        
        C:\Windows\system32\Jajhbj32.exe
        409⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Jefcbick.exe
        
        C:\Windows\system32\Jefcbick.exe
        410⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Jhdpodbn.exe
        
        C:\Windows\system32\Jhdpodbn.exe
        411⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Jdkqde32.exe
        
        C:\Windows\system32\Jdkqde32.exe
        412⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Jfjmpa32.exe
        
        C:\Windows\system32\Jfjmpa32.exe
        413⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Jjgefo32.exe
        
        C:\Windows\system32\Jjgefo32.exe
        414⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Jmfabk32.exe
        
        C:\Windows\system32\Jmfabk32.exe
        415⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Jlibnhck.exe
        
        C:\Windows\system32\Jlibnhck.exe
        416⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jmhohjjn.exe
        
        C:\Windows\system32\Jmhohjjn.exe
        417⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Jpgkdfia.exe
        
        C:\Windows\system32\Jpgkdfia.exe
        418⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Kecclmhi.exe
        
        C:\Windows\system32\Kecclmhi.exe
        419⤵
        
        PID:240
        
        C:\Windows\SysWOW64\Khdlnhej.exe
        
        C:\Windows\system32\Khdlnhej.exe
        420⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Kkbhjc32.exe
        
        C:\Windows\system32\Kkbhjc32.exe
        421⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Kmcalo32.exe
        
        C:\Windows\system32\Kmcalo32.exe
        422⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Kekiml32.exe
        
        C:\Windows\system32\Kekiml32.exe
        423⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Khieig32.exe
        
        C:\Windows\system32\Khieig32.exe
        424⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Kkgbeb32.exe
        
        C:\Windows\system32\Kkgbeb32.exe
        425⤵
        
        PID:272
        
        C:\Windows\SysWOW64\Lgqopc32.exe
        
        C:\Windows\system32\Lgqopc32.exe
        426⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Lnjglnkf.exe
        
        C:\Windows\system32\Lnjglnkf.exe
        427⤵
        
        PID:108
        
        C:\Windows\SysWOW64\Llmhhjaa.exe
        
        C:\Windows\system32\Llmhhjaa.exe
        428⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Lpkpni32.exe
        
        C:\Windows\system32\Lpkpni32.exe
        429⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Ljcegnoh.exe
        
        C:\Windows\system32\Ljcegnoh.exe
        430⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Lfjelodl.exe
        
        C:\Windows\system32\Lfjelodl.exe
        431⤵
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ljfaln32.exe
        
        C:\Windows\system32\Ljfaln32.exe
        432⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Lldnhi32.exe
        
        C:\Windows\system32\Lldnhi32.exe
        433⤵
        
        PID:608
        
        C:\Windows\SysWOW64\Lkgndfbc.exe
        
        C:\Windows\system32\Lkgndfbc.exe
        434⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Moegjd32.exe
        
        C:\Windows\system32\Moegjd32.exe
        435⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Mbccfphn.exe
        
        C:\Windows\system32\Mbccfphn.exe
        436⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Mdbobkga.exe
        
        C:\Windows\system32\Mdbobkga.exe
        437⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Mgbhdfdb.exe
        
        C:\Windows\system32\Mgbhdfdb.exe
        438⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Mjadpbcf.exe
        
        C:\Windows\system32\Mjadpbcf.exe
        439⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Mnmqqq32.exe
        
        C:\Windows\system32\Mnmqqq32.exe
        440⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Mkqajeji.exe
        
        C:\Windows\system32\Mkqajeji.exe
        441⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Mnomfpim.exe
        
        C:\Windows\system32\Mnomfpim.exe
        442⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Mqmiblhq.exe
        
        C:\Windows\system32\Mqmiblhq.exe
        443⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Mnajlpgj.exe
        
        C:\Windows\system32\Mnajlpgj.exe
        444⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Mmdjgm32.exe
        
        C:\Windows\system32\Mmdjgm32.exe
        445⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Ngjndenk.exe
        
        C:\Windows\system32\Ngjndenk.exe
        446⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Njhkaamn.exe
        
        C:\Windows\system32\Njhkaamn.exe
        447⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Nikkln32.exe
        
        C:\Windows\system32\Nikkln32.exe
        448⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Noecihke.exe
        
        C:\Windows\system32\Noecihke.exe
        449⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Nimgbm32.exe
        
        C:\Windows\system32\Nimgbm32.exe
        450⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Nkldni32.exe
        
        C:\Windows\system32\Nkldni32.exe
        451⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Nbelkc32.exe
        
        C:\Windows\system32\Nbelkc32.exe
        452⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Nedhgn32.exe
        
        C:\Windows\system32\Nedhgn32.exe
        453⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Nmkphl32.exe
        
        C:\Windows\system32\Nmkphl32.exe
        454⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Nefeln32.exe
        
        C:\Windows\system32\Nefeln32.exe
        455⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Nibammna.exe
        
        C:\Windows\system32\Nibammna.exe
        456⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Nkpmihmd.exe
        
        C:\Windows\system32\Nkpmihmd.exe
        457⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2100
        
        C:\Windows\SysWOW64\Nplijg32.exe
        
        C:\Windows\system32\Nplijg32.exe
        458⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Nbjefb32.exe
        
        C:\Windows\system32\Nbjefb32.exe
        459⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Nggnnibi.exe
        
        C:\Windows\system32\Nggnnibi.exe
        460⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Ojejjdal.exe
        
        C:\Windows\system32\Ojejjdal.exe
        461⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Ocnocj32.exe
        
        C:\Windows\system32\Ocnocj32.exe
        462⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Olefdg32.exe
        
        C:\Windows\system32\Olefdg32.exe
        463⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Ojhgpdpj.exe
        
        C:\Windows\system32\Ojhgpdpj.exe
        464⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Oemkmmop.exe
        
        C:\Windows\system32\Oemkmmop.exe
        465⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Ofogeeen.exe
        
        C:\Windows\system32\Ofogeeen.exe
        466⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Ojjced32.exe
        
        C:\Windows\system32\Ojjced32.exe
        467⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Opglnk32.exe
        
        C:\Windows\system32\Opglnk32.exe
        468⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Ohndoh32.exe
        
        C:\Windows\system32\Ohndoh32.exe
        469⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Opiicj32.exe
        
        C:\Windows\system32\Opiicj32.exe
        470⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Ofcapd32.exe
        
        C:\Windows\system32\Ofcapd32.exe
        471⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ppnbnjff.exe
        
        C:\Windows\system32\Ppnbnjff.exe
        472⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2316
        
        C:\Windows\SysWOW64\Pblnjeej.exe
        
        C:\Windows\system32\Pblnjeej.exe
        473⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Phigbl32.exe
        
        C:\Windows\system32\Phigbl32.exe
        474⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Plecckkk.exe
        
        C:\Windows\system32\Plecckkk.exe
        475⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Piicmojd.exe
        
        C:\Windows\system32\Piicmojd.exe
        476⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Plgpijih.exe
        
        C:\Windows\system32\Plgpijih.exe
        477⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Pepdap32.exe
        
        C:\Windows\system32\Pepdap32.exe
        478⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Phnpnkol.exe
        
        C:\Windows\system32\Phnpnkol.exe
        479⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Plilnj32.exe
        
        C:\Windows\system32\Plilnj32.exe
        480⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3924
        
        C:\Windows\SysWOW64\Pmkifbmc.exe
        
        C:\Windows\system32\Pmkifbmc.exe
        481⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Pdeabl32.exe
        
        C:\Windows\system32\Pdeabl32.exe
        482⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Phpmckmi.exe
        
        C:\Windows\system32\Phpmckmi.exe
        483⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Qmmelbka.exe
        
        C:\Windows\system32\Qmmelbka.exe
        484⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Qaialq32.exe
        
        C:\Windows\system32\Qaialq32.exe
        485⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Qdgnhl32.exe
        
        C:\Windows\system32\Qdgnhl32.exe
        486⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Qgejdg32.exe
        
        C:\Windows\system32\Qgejdg32.exe
        487⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Qaknapag.exe
        
        C:\Windows\system32\Qaknapag.exe
        488⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Qdijnlqk.exe
        
        C:\Windows\system32\Qdijnlqk.exe
        489⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Qclkih32.exe
        
        C:\Windows\system32\Qclkih32.exe
        490⤵
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Amboga32.exe
        
        C:\Windows\system32\Amboga32.exe
        491⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Aldobnnf.exe
        
        C:\Windows\system32\Aldobnnf.exe
        492⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Acogoh32.exe
        
        C:\Windows\system32\Acogoh32.exe
        493⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Agjcpgnl.exe
        
        C:\Windows\system32\Agjcpgnl.exe
        494⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Aemckc32.exe
        
        C:\Windows\system32\Aemckc32.exe
        495⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Aoehdi32.exe
        
        C:\Windows\system32\Aoehdi32.exe
        496⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Agmpef32.exe
        
        C:\Windows\system32\Agmpef32.exe
        497⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Aeopqcbd.exe
        
        C:\Windows\system32\Aeopqcbd.exe
        498⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Aoheii32.exe
        
        C:\Windows\system32\Aoheii32.exe
        499⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Aafaed32.exe
        
        C:\Windows\system32\Aafaed32.exe
        500⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Aimiga32.exe
        
        C:\Windows\system32\Aimiga32.exe
        501⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Allecmhn.exe
        
        C:\Windows\system32\Allecmhn.exe
        502⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Aojaohgb.exe
        
        C:\Windows\system32\Aojaohgb.exe
        503⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Acempg32.exe
        
        C:\Windows\system32\Acempg32.exe
        504⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Aedjlb32.exe
        
        C:\Windows\system32\Aedjlb32.exe
        505⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Ahbfhn32.exe
        
        C:\Windows\system32\Ahbfhn32.exe
        506⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Akabdi32.exe
        
        C:\Windows\system32\Akabdi32.exe
        507⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Aolndheo.exe
        
        C:\Windows\system32\Aolndheo.exe
        508⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Aakjqcdc.exe
        
        C:\Windows\system32\Aakjqcdc.exe
        509⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Bhebmn32.exe
        
        C:\Windows\system32\Bhebmn32.exe
        510⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Bnakedjg.exe
        
        C:\Windows\system32\Bnakedjg.exe
        511⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Iclifd32.exe
        
        C:\Windows\system32\Iclifd32.exe
        512⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Kjhffdoq.exe
        
        C:\Windows\system32\Kjhffdoq.exe
        513⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Lcqkoj32.exe
        
        C:\Windows\system32\Lcqkoj32.exe
        514⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2560
        
        C:\Windows\SysWOW64\Lnfomb32.exe
        
        C:\Windows\system32\Lnfomb32.exe
        515⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Ladkin32.exe
        
        C:\Windows\system32\Ladkin32.exe
        516⤵
        
        PID:980
        
        C:\Windows\SysWOW64\Lpgkdkke.exe
        
        C:\Windows\system32\Lpgkdkke.exe
        517⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Lfadae32.exe
        
        C:\Windows\system32\Lfadae32.exe
        518⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Lmklno32.exe
        
        C:\Windows\system32\Lmklno32.exe
        519⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Lpjhjj32.exe
        
        C:\Windows\system32\Lpjhjj32.exe
        520⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Ljolgc32.exe
        
        C:\Windows\system32\Ljolgc32.exe
        521⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Llqiokog.exe
        
        C:\Windows\system32\Llqiokog.exe
        522⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Lcgapioi.exe
        
        C:\Windows\system32\Lcgapioi.exe
        523⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Leimha32.exe
        
        C:\Windows\system32\Leimha32.exe
        524⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Llcedk32.exe
        
        C:\Windows\system32\Llcedk32.exe
        525⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Lnabqf32.exe
        
        C:\Windows\system32\Lnabqf32.exe
        526⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Lfhjad32.exe
        
        C:\Windows\system32\Lfhjad32.exe
        527⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Lhjfilbh.exe
        
        C:\Windows\system32\Lhjfilbh.exe
        528⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Mdgmol32.exe
        
        C:\Windows\system32\Mdgmol32.exe
        529⤵
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Mffikg32.exe
        
        C:\Windows\system32\Mffikg32.exe
        530⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Mmpahahe.exe
        
        C:\Windows\system32\Mmpahahe.exe
        531⤵
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Nifbmb32.exe
        
        C:\Windows\system32\Nifbmb32.exe
        532⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Nleoinmm.exe
        
        C:\Windows\system32\Nleoinmm.exe
        533⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Ndlfjkno.exe
        
        C:\Windows\system32\Ndlfjkno.exe
        534⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Nmdkca32.exe
        
        C:\Windows\system32\Nmdkca32.exe
        535⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Nofgkijn.exe
        
        C:\Windows\system32\Nofgkijn.exe
        536⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Nccpqgqd.exe
        
        C:\Windows\system32\Nccpqgqd.exe
        537⤵
        
        PID:592
        
        C:\Windows\SysWOW64\Ninhma32.exe
        
        C:\Windows\system32\Ninhma32.exe
        538⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Nhqiinol.exe
        
        C:\Windows\system32\Nhqiinol.exe
        539⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Nojafh32.exe
        
        C:\Windows\system32\Nojafh32.exe
        540⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Naimbd32.exe
        
        C:\Windows\system32\Naimbd32.exe
        541⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Nomnkh32.exe
        
        C:\Windows\system32\Nomnkh32.exe
        542⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Oppghp32.exe
        
        C:\Windows\system32\Oppghp32.exe
        543⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Ohgojm32.exe
        
        C:\Windows\system32\Ohgojm32.exe
        544⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Okfkfi32.exe
        
        C:\Windows\system32\Okfkfi32.exe
        545⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ondgbd32.exe
        
        C:\Windows\system32\Ondgbd32.exe
        546⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Ojkhge32.exe
        
        C:\Windows\system32\Ojkhge32.exe
        547⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Onfdgdeh.exe
        
        C:\Windows\system32\Onfdgdeh.exe
        548⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ollahp32.exe
        
        C:\Windows\system32\Ollahp32.exe
        549⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Oojmel32.exe
        
        C:\Windows\system32\Oojmel32.exe
        550⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Ogaefiif.exe
        
        C:\Windows\system32\Ogaefiif.exe
        551⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Pchfkj32.exe
        
        C:\Windows\system32\Pchfkj32.exe
        552⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Pbkffgfe.exe
        
        C:\Windows\system32\Pbkffgfe.exe
        553⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Pjbngdfg.exe
        
        C:\Windows\system32\Pjbngdfg.exe
        554⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Pfiomelk.exe
        
        C:\Windows\system32\Pfiomelk.exe
        555⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Phgkiqko.exe
        
        C:\Windows\system32\Phgkiqko.exe
        556⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Pkfgeljc.exe
        
        C:\Windows\system32\Pkfgeljc.exe
        557⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Pglhjm32.exe
        
        C:\Windows\system32\Pglhjm32.exe
        558⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Pocpkj32.exe
        
        C:\Windows\system32\Pocpkj32.exe
        559⤵
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pbblgf32.exe
        
        C:\Windows\system32\Pbblgf32.exe
        560⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Pdphcaoq.exe
        
        C:\Windows\system32\Pdphcaoq.exe
        561⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3204
        
        C:\Windows\SysWOW64\Pgoeomnd.exe
        
        C:\Windows\system32\Pgoeomnd.exe
        562⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Qgaaella.exe
        
        C:\Windows\system32\Qgaaella.exe
        563⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Qjpnahke.exe
        
        C:\Windows\system32\Qjpnahke.exe
        564⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Qjbjfg32.exe
        
        C:\Windows\system32\Qjbjfg32.exe
        565⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Ambchb32.exe
        
        C:\Windows\system32\Ambchb32.exe
        566⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Aqnoianm.exe
        
        C:\Windows\system32\Aqnoianm.exe
        567⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Abplqi32.exe
        
        C:\Windows\system32\Abplqi32.exe
        568⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Ajfdagem.exe
        
        C:\Windows\system32\Ajfdagem.exe
        569⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Amepnbda.exe
        
        C:\Windows\system32\Amepnbda.exe
        570⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Alhpio32.exe
        
        C:\Windows\system32\Alhpio32.exe
        571⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Abbhfibh.exe
        
        C:\Windows\system32\Abbhfibh.exe
        572⤵
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Afmdfh32.exe
        
        C:\Windows\system32\Afmdfh32.exe
        573⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Ailabc32.exe
        
        C:\Windows\system32\Ailabc32.exe
        574⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Apfipmab.exe
        
        C:\Windows\system32\Apfipmab.exe
        575⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Abdelipf.exe
        
        C:\Windows\system32\Abdelipf.exe
        576⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Afpalg32.exe
        
        C:\Windows\system32\Afpalg32.exe
        577⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Ahandp32.exe
        
        C:\Windows\system32\Ahandp32.exe
        578⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Aphfem32.exe
        
        C:\Windows\system32\Aphfem32.exe
        579⤵
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Bhcjio32.exe
        
        C:\Windows\system32\Bhcjio32.exe
        580⤵
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Blofjnec.exe
        
        C:\Windows\system32\Blofjnec.exe
        581⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Bbiogh32.exe
        
        C:\Windows\system32\Bbiogh32.exe
        582⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Begkcc32.exe
        
        C:\Windows\system32\Begkcc32.exe
        583⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Blacpn32.exe
        
        C:\Windows\system32\Blacpn32.exe
        584⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Bmbpgfho.exe
        
        C:\Windows\system32\Bmbpgfho.exe
        585⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Banlhd32.exe
        
        C:\Windows\system32\Banlhd32.exe
        586⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Bdlhdp32.exe
        
        C:\Windows\system32\Bdlhdp32.exe
        587⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3440
        
        C:\Windows\SysWOW64\Bfkdpk32.exe
        
        C:\Windows\system32\Bfkdpk32.exe
        588⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Baphmd32.exe
        
        C:\Windows\system32\Baphmd32.exe
        589⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Bhjqjnfb.exe
        
        C:\Windows\system32\Bhjqjnfb.exe
        590⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bilmaflq.exe
        
        C:\Windows\system32\Bilmaflq.exe
        591⤵
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Bmgibe32.exe
        
        C:\Windows\system32\Bmgibe32.exe
        592⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Bpeenq32.exe
        
        C:\Windows\system32\Bpeenq32.exe
        593⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Bfpnkkkj.exe
        
        C:\Windows\system32\Bfpnkkkj.exe
        594⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Bjkili32.exe
        
        C:\Windows\system32\Bjkili32.exe
        595⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Bmifhe32.exe
        
        C:\Windows\system32\Bmifhe32.exe
        596⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Cmlbmdqd.exe
        
        C:\Windows\system32\Cmlbmdqd.exe
        597⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3796
        
        C:\Windows\SysWOW64\Ceggbgnp.exe
        
        C:\Windows\system32\Ceggbgnp.exe
        598⤵
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Checnbmc.exe
        
        C:\Windows\system32\Checnbmc.exe
        599⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Clapoa32.exe
        
        C:\Windows\system32\Clapoa32.exe
        600⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\Coolkl32.exe
        
        C:\Windows\system32\Coolkl32.exe
        601⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3860
        
        C:\Windows\SysWOW64\Canhgh32.exe
        
        C:\Windows\system32\Canhgh32.exe
        602⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Ciephe32.exe
        
        C:\Windows\system32\Ciephe32.exe
        603⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Clcldqcj.exe
        
        C:\Windows\system32\Clcldqcj.exe
        604⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Capdlgaa.exe
        
        C:\Windows\system32\Capdlgaa.exe
        605⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Celqmf32.exe
        
        C:\Windows\system32\Celqmf32.exe
        606⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Chjmia32.exe
        
        C:\Windows\system32\Chjmia32.exe
        607⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Clfijpag.exe
        
        C:\Windows\system32\Clfijpag.exe
        608⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Codeflpk.exe
        
        C:\Windows\system32\Codeflpk.exe
        609⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Dkkfkm32.exe
        
        C:\Windows\system32\Dkkfkm32.exe
        610⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Dmibgheb.exe
        
        C:\Windows\system32\Dmibgheb.exe
        611⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Ddcjcb32.exe
        
        C:\Windows\system32\Ddcjcb32.exe
        612⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dgafpn32.exe
        
        C:\Windows\system32\Dgafpn32.exe
        613⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Dkmbpldl.exe
        
        C:\Windows\system32\Dkmbpldl.exe
        614⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Dibpai32.exe
        
        C:\Windows\system32\Dibpai32.exe
        615⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Dlqlndhh.exe
        
        C:\Windows\system32\Dlqlndhh.exe
        616⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Ddhcoahj.exe
        
        C:\Windows\system32\Ddhcoahj.exe
        617⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Dnphgg32.exe
        
        C:\Windows\system32\Dnphgg32.exe
        618⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Dpodcb32.exe
        
        C:\Windows\system32\Dpodcb32.exe
        619⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Efnjaijc.exe
        
        C:\Windows\system32\Efnjaijc.exe
        620⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ehlfndig.exe
        
        C:\Windows\system32\Ehlfndig.exe
        621⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Ekkbjphj.exe
        
        C:\Windows\system32\Ekkbjphj.exe
        622⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Ecbjkmim.exe
        
        C:\Windows\system32\Ecbjkmim.exe
        623⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Efpfgihq.exe
        
        C:\Windows\system32\Efpfgihq.exe
        624⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Ehobcdgd.exe
        
        C:\Windows\system32\Ehobcdgd.exe
        625⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Efbcmh32.exe
        
        C:\Windows\system32\Efbcmh32.exe
        626⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Ehaoid32.exe
        
        C:\Windows\system32\Ehaoid32.exe
        627⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Ebidailb.exe
        
        C:\Windows\system32\Ebidailb.exe
        628⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Edhpnekf.exe
        
        C:\Windows\system32\Edhpnekf.exe
        629⤵
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Egfljqji.exe
        
        C:\Windows\system32\Egfljqji.exe
        630⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ekahjo32.exe
        
        C:\Windows\system32\Ekahjo32.exe
        631⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Fjlofkce.exe
        
        C:\Windows\system32\Fjlofkce.exe
        632⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:836
        
        C:\Windows\SysWOW64\Ffbokl32.exe
        
        C:\Windows\system32\Ffbokl32.exe
        633⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Fiqlhg32.exe
        
        C:\Windows\system32\Fiqlhg32.exe
        634⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Fmodne32.exe
        
        C:\Windows\system32\Fmodne32.exe
        635⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Fpmqja32.exe
        
        C:\Windows\system32\Fpmqja32.exe
        636⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Fejibh32.exe
        
        C:\Windows\system32\Fejibh32.exe
        637⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Gghenc32.exe
        
        C:\Windows\system32\Gghenc32.exe
        638⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Gpompq32.exe
        
        C:\Windows\system32\Gpompq32.exe
        639⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ggkbdchp.exe
        
        C:\Windows\system32\Ggkbdchp.exe
        640⤵
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Gjkkeneq.exe
        
        C:\Windows\system32\Gjkkeneq.exe
        641⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Ggokob32.exe
        
        C:\Windows\system32\Ggokob32.exe
        642⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Gfbljoke.exe
        
        C:\Windows\system32\Gfbljoke.exe
        643⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Gmldgi32.exe
        
        C:\Windows\system32\Gmldgi32.exe
        644⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Gahphhkk.exe
        
        C:\Windows\system32\Gahphhkk.exe
        645⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Gcfldcjn.exe
        
        C:\Windows\system32\Gcfldcjn.exe
        646⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Gajlmhih.exe
        
        C:\Windows\system32\Gajlmhih.exe
        647⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Hpmmid32.exe
        
        C:\Windows\system32\Hpmmid32.exe
        648⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Hbkiep32.exe
        
        C:\Windows\system32\Hbkiep32.exe
        649⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Hjbafmph.exe
        
        C:\Windows\system32\Hjbafmph.exe
        650⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Hpoindnp.exe
        
        C:\Windows\system32\Hpoindnp.exe
        651⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Hdkeob32.exe
        
        C:\Windows\system32\Hdkeob32.exe
        652⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Hfiakn32.exe
        
        C:\Windows\system32\Hfiakn32.exe
        653⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Higngj32.exe
        
        C:\Windows\system32\Higngj32.exe
        654⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Hlfjce32.exe
        
        C:\Windows\system32\Hlfjce32.exe
        655⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Hodfpq32.exe
        
        C:\Windows\system32\Hodfpq32.exe
        656⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Hbpbpoka.exe
        
        C:\Windows\system32\Hbpbpoka.exe
        657⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Henolkjd.exe
        
        C:\Windows\system32\Henolkjd.exe
        658⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Hijkmibn.exe
        
        C:\Windows\system32\Hijkmibn.exe
        659⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Hogcepqe.exe
        
        C:\Windows\system32\Hogcepqe.exe
        660⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Haeoalpi.exe
        
        C:\Windows\system32\Haeoalpi.exe
        661⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Heqkbj32.exe
        
        C:\Windows\system32\Heqkbj32.exe
        662⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Hhognf32.exe
        
        C:\Windows\system32\Hhognf32.exe
        663⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Hkndja32.exe
        
        C:\Windows\system32\Hkndja32.exe
        664⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Hoipkpob.exe
        
        C:\Windows\system32\Hoipkpob.exe
        665⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\Hbdlko32.exe
        
        C:\Windows\system32\Hbdlko32.exe
        666⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Iginja32.exe
        
        C:\Windows\system32\Iginja32.exe
        667⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Iopfkohj.exe
        
        C:\Windows\system32\Iopfkohj.exe
        668⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Ipabcg32.exe
        
        C:\Windows\system32\Ipabcg32.exe
        669⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Idmncffb.exe
        
        C:\Windows\system32\Idmncffb.exe
        670⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Igkkpafe.exe
        
        C:\Windows\system32\Igkkpafe.exe
        671⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Iaaomjek.exe
        
        C:\Windows\system32\Iaaomjek.exe
        672⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Ipcohg32.exe
        
        C:\Windows\system32\Ipcohg32.exe
        673⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Icbkdb32.exe
        
        C:\Windows\system32\Icbkdb32.exe
        674⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Ikicfp32.exe
        
        C:\Windows\system32\Ikicfp32.exe
        675⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Imgpbkkp.exe
        
        C:\Windows\system32\Imgpbkkp.exe
        676⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ipflnfjc.exe
        
        C:\Windows\system32\Ipflnfjc.exe
        677⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Jaqklm32.exe
        
        C:\Windows\system32\Jaqklm32.exe
        678⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Jdoghi32.exe
        
        C:\Windows\system32\Jdoghi32.exe
        679⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Jhkcigpd.exe
        
        C:\Windows\system32\Jhkcigpd.exe
        680⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Jkipecog.exe
        
        C:\Windows\system32\Jkipecog.exe
        681⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Kacham32.exe
        
        C:\Windows\system32\Kacham32.exe
        682⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Kdadnh32.exe
        
        C:\Windows\system32\Kdadnh32.exe
        683⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Khmpngma.exe
        
        C:\Windows\system32\Khmpngma.exe
        684⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2256
        
        C:\Windows\SysWOW64\Kkkljbme.exe
        
        C:\Windows\system32\Kkkljbme.exe
        685⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Kjnmfo32.exe
        
        C:\Windows\system32\Kjnmfo32.exe
        686⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Kaedgmda.exe
        
        C:\Windows\system32\Kaedgmda.exe
        687⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Kddachce.exe
        
        C:\Windows\system32\Kddachce.exe
        688⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Kcfaoe32.exe
        
        C:\Windows\system32\Kcfaoe32.exe
        689⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Kknipb32.exe
        
        C:\Windows\system32\Kknipb32.exe
        690⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Knleln32.exe
        
        C:\Windows\system32\Knleln32.exe
        691⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Kmoegjpq.exe
        
        C:\Windows\system32\Kmoegjpq.exe
        692⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Kdfnihab.exe
        
        C:\Windows\system32\Kdfnihab.exe
        693⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Kcindd32.exe
        
        C:\Windows\system32\Kcindd32.exe
        694⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kgdjecpf.exe
        
        C:\Windows\system32\Kgdjecpf.exe
        695⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\Kmabmjnn.exe
        
        C:\Windows\system32\Kmabmjnn.exe
        696⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Kqmnnigg.exe
        
        C:\Windows\system32\Kqmnnigg.exe
        697⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Kckjjdfk.exe
        
        C:\Windows\system32\Kckjjdfk.exe
        698⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Kggfjc32.exe
        
        C:\Windows\system32\Kggfjc32.exe
        699⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Kjebfn32.exe
        
        C:\Windows\system32\Kjebfn32.exe
        481⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Kihcbkdb.exe
        
        C:\Windows\system32\Kihcbkdb.exe
        482⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Kmcobj32.exe
        
        C:\Windows\system32\Kmcobj32.exe
        483⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Kqokchdd.exe
        
        C:\Windows\system32\Kqokchdd.exe
        484⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Kcngoddh.exe
        
        C:\Windows\system32\Kcngoddh.exe
        485⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Kbqgkq32.exe
        
        C:\Windows\system32\Kbqgkq32.exe
        486⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Ljgoln32.exe
        
        C:\Windows\system32\Ljgoln32.exe
        487⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Lmflhi32.exe
        
        C:\Windows\system32\Lmflhi32.exe
        488⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Lodhdeil.exe
        
        C:\Windows\system32\Lodhdeil.exe
        489⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\Lbcdqphp.exe
        
        C:\Windows\system32\Lbcdqphp.exe
        490⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2844
        
        C:\Windows\SysWOW64\Lfnpao32.exe
        
        C:\Windows\system32\Lfnpao32.exe
        491⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Leapmlhc.exe
        
        C:\Windows\system32\Leapmlhc.exe
        492⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Limlmj32.exe
        
        C:\Windows\system32\Limlmj32.exe
        493⤵
        
        PID:972
        
        C:\Windows\SysWOW64\Lkkiif32.exe
        
        C:\Windows\system32\Lkkiif32.exe
        494⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Lnieea32.exe
        
        C:\Windows\system32\Lnieea32.exe
        495⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Lbeafpfm.exe
        
        C:\Windows\system32\Lbeafpfm.exe
        496⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Lioicj32.exe
        
        C:\Windows\system32\Lioicj32.exe
        497⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Lgbinged.exe
        
        C:\Windows\system32\Lgbinged.exe
        498⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Lkneoe32.exe
        
        C:\Windows\system32\Lkneoe32.exe
        499⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Loiapdeg.exe
        
        C:\Windows\system32\Loiapdeg.exe
        500⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Lbgnlp32.exe
        
        C:\Windows\system32\Lbgnlp32.exe
        501⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Lajnglke.exe
        
        C:\Windows\system32\Lajnglke.exe
        502⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Lefjhk32.exe
        
        C:\Windows\system32\Lefjhk32.exe
        503⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Liafhjlg.exe
        
        C:\Windows\system32\Liafhjlg.exe
        504⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\Lkpbdekk.exe
        
        C:\Windows\system32\Lkpbdekk.exe
        505⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Ljbbpb32.exe
        
        C:\Windows\system32\Ljbbpb32.exe
        506⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Lbjjao32.exe
        
        C:\Windows\system32\Lbjjao32.exe
        507⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Lehfmk32.exe
        
        C:\Windows\system32\Lehfmk32.exe
        508⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Lckgighf.exe
        
        C:\Windows\system32\Lckgighf.exe
        509⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Mhfohick.exe
        
        C:\Windows\system32\Mhfohick.exe
        510⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Nopgec32.exe
        
        C:\Windows\system32\Nopgec32.exe
        511⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Naocao32.exe
        
        C:\Windows\system32\Naocao32.exe
        512⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Nejpbnbd.exe
        
        C:\Windows\system32\Nejpbnbd.exe
        513⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Nifkbl32.exe
        
        C:\Windows\system32\Nifkbl32.exe
        514⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Nldhoh32.exe
        
        C:\Windows\system32\Nldhoh32.exe
        515⤵
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Njghjdpl.exe
        
        C:\Windows\system32\Njghjdpl.exe
        516⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Nobdkc32.exe
        
        C:\Windows\system32\Nobdkc32.exe
        517⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Nbnpkban.exe
        
        C:\Windows\system32\Nbnpkban.exe
        518⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Nemlgm32.exe
        
        C:\Windows\system32\Nemlgm32.exe
        519⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Nhkhci32.exe
        
        C:\Windows\system32\Nhkhci32.exe
        520⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Nkidpd32.exe
        
        C:\Windows\system32\Nkidpd32.exe
        521⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Noeqpcfb.exe
        
        C:\Windows\system32\Noeqpcfb.exe
        522⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Neoimm32.exe
        
        C:\Windows\system32\Neoimm32.exe
        523⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Nhmeih32.exe
        
        C:\Windows\system32\Nhmeih32.exe
        524⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Nfpededm.exe
        
        C:\Windows\system32\Nfpededm.exe
        525⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Nmjnao32.exe
        
        C:\Windows\system32\Nmjnao32.exe
        526⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Nafjbncc.exe
        
        C:\Windows\system32\Nafjbncc.exe
        527⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Nddfnicg.exe
        
        C:\Windows\system32\Nddfnicg.exe
        528⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Nhpbohkp.exe
        
        C:\Windows\system32\Nhpbohkp.exe
        529⤵
        
        PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ildghc32.exe

Filesize
50KB

MD5
c5e3dba346903ad4562d087fc9aa96c2

SHA1
9cc931b517606b98607b21989898966e4f7f2e1e

SHA256
f6e9125902330244692fc99a6ce52885b3a60ffc33ed21937c6c9befa6c3a547

SHA512
b0ff1435e4607031e03f6c0a9991744373a41d794e5bf34eb5a2119201054d5b6e2a2935da6f6a13e3da85e04c9bcb3cc03da7aae152d2be59cefebdda8313bc

Download Submit
C:\Windows\SysWOW64\Ildghc32.exe

Filesize
50KB

MD5
c5e3dba346903ad4562d087fc9aa96c2

SHA1
9cc931b517606b98607b21989898966e4f7f2e1e

SHA256
f6e9125902330244692fc99a6ce52885b3a60ffc33ed21937c6c9befa6c3a547

SHA512
b0ff1435e4607031e03f6c0a9991744373a41d794e5bf34eb5a2119201054d5b6e2a2935da6f6a13e3da85e04c9bcb3cc03da7aae152d2be59cefebdda8313bc

Download Submit
C:\Windows\SysWOW64\Jaclej32.exe

Filesize
50KB

MD5
24b92c9feb0853aaa66aa59179ca7bac

SHA1
b72422259173a383be203a607b5617f95953c11f

SHA256
dbe7bd0aa3a44a0114c1d83d36cfeae4790edb1a0c1226beab9b586e9e8e13f0

SHA512
8280f2e9b15b5780b539e0fa62b967505c4a2a5a81c447397e71f2d5f7b401b2d353d0bbe044d1f284095ff54b7d91c3deed838d09546ecc4adc51e22fcac3e3

Download Submit
C:\Windows\SysWOW64\Jaclej32.exe

Filesize
50KB

MD5
24b92c9feb0853aaa66aa59179ca7bac

SHA1
b72422259173a383be203a607b5617f95953c11f

SHA256
dbe7bd0aa3a44a0114c1d83d36cfeae4790edb1a0c1226beab9b586e9e8e13f0

SHA512
8280f2e9b15b5780b539e0fa62b967505c4a2a5a81c447397e71f2d5f7b401b2d353d0bbe044d1f284095ff54b7d91c3deed838d09546ecc4adc51e22fcac3e3

Download Submit
C:\Windows\SysWOW64\Jafhkiom.exe

Filesize
50KB

MD5
cd56b07388aa5ae37fc1a18112ff9617

SHA1
d7f8cfbe3eac9cfd08d06ce3c0a988e691b3718b

SHA256
f150b803d7b75e58c374511b3f6501aa7a3d819c3dc543d6885d138d5a12763b

SHA512
609129847628b9bbb857e1935b75fdd7f04e0a2e4cceee37b3e5d1d6cded29626b41bd6255fb610c46f455cb841cbf8a86bd729c87f554e898513e89ae325bad

Download Submit
C:\Windows\SysWOW64\Jafhkiom.exe

Filesize
50KB

MD5
cd56b07388aa5ae37fc1a18112ff9617

SHA1
d7f8cfbe3eac9cfd08d06ce3c0a988e691b3718b

SHA256
f150b803d7b75e58c374511b3f6501aa7a3d819c3dc543d6885d138d5a12763b

SHA512
609129847628b9bbb857e1935b75fdd7f04e0a2e4cceee37b3e5d1d6cded29626b41bd6255fb610c46f455cb841cbf8a86bd729c87f554e898513e89ae325bad

Download Submit
C:\Windows\SysWOW64\Jdfamdln.exe

Filesize
50KB

MD5
31d5d2ae31932d505a02c1e4b81a32e4

SHA1
b047dbe345fe5165747d0b76f91220d34941cff8

SHA256
065c426a8362ef6d21f8d09085fe83add6075a58fe9007f462182dfe2da97674

SHA512
efe6d32def65df6b57bda321b100ac70ccd2dc95a27c8d999601e3e6b167b088656e25548c44de30987832bcb585f5b800f92e7b958af2b96660ce93d79b7392

Download Submit
C:\Windows\SysWOW64\Jdfamdln.exe

Filesize
50KB

MD5
31d5d2ae31932d505a02c1e4b81a32e4

SHA1
b047dbe345fe5165747d0b76f91220d34941cff8

SHA256
065c426a8362ef6d21f8d09085fe83add6075a58fe9007f462182dfe2da97674

SHA512
efe6d32def65df6b57bda321b100ac70ccd2dc95a27c8d999601e3e6b167b088656e25548c44de30987832bcb585f5b800f92e7b958af2b96660ce93d79b7392

Download Submit
C:\Windows\SysWOW64\Jdinbd32.exe

Filesize
50KB

MD5
9ec2833ae1cece7d83991310834aa116

SHA1
13649cafc21f12389f77a14aeef7ef9664909f88

SHA256
02d4b26f3a82f90448fbf79513bd104d21bf838ccb9d364846e95167c88d421b

SHA512
67a896f6b58015d894b1dda3072408f1e0154b197520c54a6548889d3efbeff56a2d3f3aaca65619930116601f71c0e2126259d79f5a50e729a83c72554b3c06

Download Submit
C:\Windows\SysWOW64\Jdinbd32.exe

Filesize
50KB

MD5
9ec2833ae1cece7d83991310834aa116

SHA1
13649cafc21f12389f77a14aeef7ef9664909f88

SHA256
02d4b26f3a82f90448fbf79513bd104d21bf838ccb9d364846e95167c88d421b

SHA512
67a896f6b58015d894b1dda3072408f1e0154b197520c54a6548889d3efbeff56a2d3f3aaca65619930116601f71c0e2126259d79f5a50e729a83c72554b3c06

Download Submit
C:\Windows\SysWOW64\Jhpahc32.exe

Filesize
50KB

MD5
3f148d8170e67a9ad13a4052547d6989

SHA1
392e91ff38c074d1fa722ff78a8dbbb29dd5e4ca

SHA256
7a00ee0354f9ab97df372a8949bd9aef8f1a32523f9e7dbc044297637d38f635

SHA512
b405e49c7a027801395da0fe3d0578178aca608fc19518642a814c00f2b75ee229db3a27c4dceac54ef21cd5786167a5b39c4bb7e9acda5cc713132dd3874b13

Download Submit
C:\Windows\SysWOW64\Jhpahc32.exe

Filesize
50KB

MD5
3f148d8170e67a9ad13a4052547d6989

SHA1
392e91ff38c074d1fa722ff78a8dbbb29dd5e4ca

SHA256
7a00ee0354f9ab97df372a8949bd9aef8f1a32523f9e7dbc044297637d38f635

SHA512
b405e49c7a027801395da0fe3d0578178aca608fc19518642a814c00f2b75ee229db3a27c4dceac54ef21cd5786167a5b39c4bb7e9acda5cc713132dd3874b13

Download Submit
C:\Windows\SysWOW64\Jicjekje.exe

Filesize
50KB

MD5
15359b670fb49fad79c8dbc883a412e1

SHA1
b4ac07cdb76e8886c3505f29ad310b4358ad3c4f

SHA256
681c071141dc94d31565d8ee53c8caebfa6605947fe42ecd7470e2814da65760

SHA512
47c28f2e8ae987da95cefe3e02d94db0a39b47b40848d0a57bed9869259e16ad36dc8b5ea3bae92d56ee07d9407d93644c57863354e816a0041b1a46c0b608d3

Download Submit
C:\Windows\SysWOW64\Jicjekje.exe

Filesize
50KB

MD5
15359b670fb49fad79c8dbc883a412e1

SHA1
b4ac07cdb76e8886c3505f29ad310b4358ad3c4f

SHA256
681c071141dc94d31565d8ee53c8caebfa6605947fe42ecd7470e2814da65760

SHA512
47c28f2e8ae987da95cefe3e02d94db0a39b47b40848d0a57bed9869259e16ad36dc8b5ea3bae92d56ee07d9407d93644c57863354e816a0041b1a46c0b608d3

Download Submit
C:\Windows\SysWOW64\Jlipcb32.exe

Filesize
50KB

MD5
25768da39c6237535aa34d72905650ea

SHA1
7c784507434e44b44bfbfff1b4e28904ba7420af

SHA256
75ee7c1c6e2ee5a7b605f7256ea214d1031df39a4051abd7ec8d839345203a0a

SHA512
224f11245a88c75e9a017f598f9096b4ed75db7a8ce0dc4b65d40fe64c210c2e1adc5224097e0e9e5dc04eb8c94ccba04b7c98917d88c3266f48dd9df6c07033

Download Submit
C:\Windows\SysWOW64\Jlipcb32.exe

Filesize
50KB

MD5
25768da39c6237535aa34d72905650ea

SHA1
7c784507434e44b44bfbfff1b4e28904ba7420af

SHA256
75ee7c1c6e2ee5a7b605f7256ea214d1031df39a4051abd7ec8d839345203a0a

SHA512
224f11245a88c75e9a017f598f9096b4ed75db7a8ce0dc4b65d40fe64c210c2e1adc5224097e0e9e5dc04eb8c94ccba04b7c98917d88c3266f48dd9df6c07033

Download Submit
C:\Windows\SysWOW64\Kcnkcqoc.exe

Filesize
50KB

MD5
79f1fb0de7c0b718cc4f79f3e1248fbb

SHA1
3a1f974dc76927d8ad3999df4bb583e5874e28fd

SHA256
37683774efc348331ed1e2c08f75f7f3ba757053f052b23bc21b9b3e91697d17

SHA512
89097f6acac938485e42c0ebf785f3fea2aca20f0a569f840af0ba957f2162c81b37a73e65e04774192cc6efbbc4f05a05a5f1b1021a8d0ebd53df926d2fedd3

Download Submit
C:\Windows\SysWOW64\Kcnkcqoc.exe

Filesize
50KB

MD5
79f1fb0de7c0b718cc4f79f3e1248fbb

SHA1
3a1f974dc76927d8ad3999df4bb583e5874e28fd

SHA256
37683774efc348331ed1e2c08f75f7f3ba757053f052b23bc21b9b3e91697d17

SHA512
89097f6acac938485e42c0ebf785f3fea2aca20f0a569f840af0ba957f2162c81b37a73e65e04774192cc6efbbc4f05a05a5f1b1021a8d0ebd53df926d2fedd3

Download Submit
C:\Windows\SysWOW64\Keaakk32.exe

Filesize
50KB

MD5
b34f0c58f09ae92c0adef8c4843fcc33

SHA1
3ed11a5485259eec706e89dbb35e39f61ffe5af4

SHA256
f26154ce2acb3eeebadbeb03eb93dd9219ab89de212ceaac81e56bacc580e710

SHA512
dd65a90ed8d507bff11535f9cdc04b16823b2e585bd167d94e6b8a8f5372b1343d15f62be60812b77a80eb31fc39402f2a786335100969bf3f974c393146da39

Download Submit
C:\Windows\SysWOW64\Keaakk32.exe

Filesize
50KB

MD5
b34f0c58f09ae92c0adef8c4843fcc33

SHA1
3ed11a5485259eec706e89dbb35e39f61ffe5af4

SHA256
f26154ce2acb3eeebadbeb03eb93dd9219ab89de212ceaac81e56bacc580e710

SHA512
dd65a90ed8d507bff11535f9cdc04b16823b2e585bd167d94e6b8a8f5372b1343d15f62be60812b77a80eb31fc39402f2a786335100969bf3f974c393146da39

Download Submit
C:\Windows\SysWOW64\Kiegkk32.exe

Filesize
50KB

MD5
b3be797b8980ccf2335e5f64349ff0b5

SHA1
adf51ae2b8a67463afdf89cf8f78b7a911e3114e

SHA256
8ac8e128642b1fff81e54e23a4d9924d2f1fb63edbc1bcd043b4a24d1172896c

SHA512
b847a3730035eb5c02cf49d7a53491c82c527366968b081f599890d91cdbddafd7487c63c4665bdc3350ff4743c35048ea92150e6006cab761257d2240f50c62

Download Submit
C:\Windows\SysWOW64\Kiegkk32.exe

Filesize
50KB

MD5
b3be797b8980ccf2335e5f64349ff0b5

SHA1
adf51ae2b8a67463afdf89cf8f78b7a911e3114e

SHA256
8ac8e128642b1fff81e54e23a4d9924d2f1fb63edbc1bcd043b4a24d1172896c

SHA512
b847a3730035eb5c02cf49d7a53491c82c527366968b081f599890d91cdbddafd7487c63c4665bdc3350ff4743c35048ea92150e6006cab761257d2240f50c62

Download Submit
C:\Windows\SysWOW64\Kkpfhbff.exe

Filesize
50KB

MD5
3eb02ad8853f3e206caaafac1407c7dc

SHA1
14cb274701c0c14213a9de1074bc77f3dc4cad94

SHA256
500e3510f7915ee328031ae5945791c4407e3c650c8717cc9520360f68cb69c1

SHA512
258ec834e741f55701ced0554d71c6e0010fcb4b663ebe53c213499776fd14d403eb163a92c6f5cdc22b15398074efb4824b07ab94163c6f97d42c8f1f23911c

Download Submit
C:\Windows\SysWOW64\Kkpfhbff.exe

Filesize
50KB

MD5
3eb02ad8853f3e206caaafac1407c7dc

SHA1
14cb274701c0c14213a9de1074bc77f3dc4cad94

SHA256
500e3510f7915ee328031ae5945791c4407e3c650c8717cc9520360f68cb69c1

SHA512
258ec834e741f55701ced0554d71c6e0010fcb4b663ebe53c213499776fd14d403eb163a92c6f5cdc22b15398074efb4824b07ab94163c6f97d42c8f1f23911c

Download Submit
C:\Windows\SysWOW64\Klilbfca.exe

Filesize
50KB

MD5
db2e8c94ee0bec33d3775700aae8efe0

SHA1
b4422bec8bb3908c946f9cd0f940b8e2b1243e48

SHA256
6d139a1f6361f81243c71dfac4b3ed8486c67404512437edb2eaac78ba681093

SHA512
ed7d670bc66199b087e2e061ae3a8ac96aa2b3b454c73564fd6bbf81da2aceae0f05c27027cbeed3995cb58271d9107bfcf599ac85f127a5cfa5f865122470cc

Download Submit
C:\Windows\SysWOW64\Klilbfca.exe

Filesize
50KB

MD5
db2e8c94ee0bec33d3775700aae8efe0

SHA1
b4422bec8bb3908c946f9cd0f940b8e2b1243e48

SHA256
6d139a1f6361f81243c71dfac4b3ed8486c67404512437edb2eaac78ba681093

SHA512
ed7d670bc66199b087e2e061ae3a8ac96aa2b3b454c73564fd6bbf81da2aceae0f05c27027cbeed3995cb58271d9107bfcf599ac85f127a5cfa5f865122470cc

Download Submit
C:\Windows\SysWOW64\Koiecaqb.exe

Filesize
50KB

MD5
8d670c047a0e978baf3d31058ae35bac

SHA1
1cd83ee5856767dd0488e5849ea81e6656d54f36

SHA256
ff80bf1ad1c7d8c00b28a9f0e5c17e640e1e6b374ef653d154f294b55765ea2a

SHA512
b72ede241f6dab31dcf039f171a94b734586933e8069ebe7384d7d003a9071d8205b6b6b7a7a53a14b0dee484a14eca74a3ec9d481ff1750d7ba052c1778dfe0

Download Submit
C:\Windows\SysWOW64\Koiecaqb.exe

Filesize
50KB

MD5
8d670c047a0e978baf3d31058ae35bac

SHA1
1cd83ee5856767dd0488e5849ea81e6656d54f36

SHA256
ff80bf1ad1c7d8c00b28a9f0e5c17e640e1e6b374ef653d154f294b55765ea2a

SHA512
b72ede241f6dab31dcf039f171a94b734586933e8069ebe7384d7d003a9071d8205b6b6b7a7a53a14b0dee484a14eca74a3ec9d481ff1750d7ba052c1778dfe0

Download Submit
C:\Windows\SysWOW64\Kpblme32.exe

Filesize
50KB

MD5
282210ecfac8e34045ceeb8b1a538eb7

SHA1
9afcd36a6e80f7d4e6ae7153c23f6b261fa89161

SHA256
bd20e4db51b6e18921e09f8662668de7b070b69d6665e9c145a41df261cff690

SHA512
04e5543461bb613688f5de801c91655b17d686486ae9663e932297e0fa1bc92c7f32577aa31650854226916117dfa270844cd1cfc406b53cbf9162f4ad085f9a

Download Submit
C:\Windows\SysWOW64\Kpblme32.exe

Filesize
50KB

MD5
282210ecfac8e34045ceeb8b1a538eb7

SHA1
9afcd36a6e80f7d4e6ae7153c23f6b261fa89161

SHA256
bd20e4db51b6e18921e09f8662668de7b070b69d6665e9c145a41df261cff690

SHA512
04e5543461bb613688f5de801c91655b17d686486ae9663e932297e0fa1bc92c7f32577aa31650854226916117dfa270844cd1cfc406b53cbf9162f4ad085f9a

Download Submit
C:\Windows\SysWOW64\Lkbbnadc.exe

Filesize
50KB

MD5
9fa00b4123f57913b53cea022457bf8d

SHA1
8bf5c64723da1e20208e2701cb5373ab69e8c54f

SHA256
c4c216dcecffff5eb9dfa40baefb523f05036f88973d26c3e6e850e91e3bffa4

SHA512
12f3b1bf6ce3526e7c94aaadc474829cc9c104facccf73c566895526f9ae42e631e1bfbcaa46decbfdbd3191d40f6aa086554b95ee7286273245e66861d87211

Download Submit
C:\Windows\SysWOW64\Lkbbnadc.exe

Filesize
50KB

MD5
9fa00b4123f57913b53cea022457bf8d

SHA1
8bf5c64723da1e20208e2701cb5373ab69e8c54f

SHA256
c4c216dcecffff5eb9dfa40baefb523f05036f88973d26c3e6e850e91e3bffa4

SHA512
12f3b1bf6ce3526e7c94aaadc474829cc9c104facccf73c566895526f9ae42e631e1bfbcaa46decbfdbd3191d40f6aa086554b95ee7286273245e66861d87211

Download Submit
\Windows\SysWOW64\Ildghc32.exe

Filesize
50KB

MD5
c5e3dba346903ad4562d087fc9aa96c2

SHA1
9cc931b517606b98607b21989898966e4f7f2e1e

SHA256
f6e9125902330244692fc99a6ce52885b3a60ffc33ed21937c6c9befa6c3a547

SHA512
b0ff1435e4607031e03f6c0a9991744373a41d794e5bf34eb5a2119201054d5b6e2a2935da6f6a13e3da85e04c9bcb3cc03da7aae152d2be59cefebdda8313bc

Download Submit
\Windows\SysWOW64\Ildghc32.exe

Filesize
50KB

MD5
c5e3dba346903ad4562d087fc9aa96c2

SHA1
9cc931b517606b98607b21989898966e4f7f2e1e

SHA256
f6e9125902330244692fc99a6ce52885b3a60ffc33ed21937c6c9befa6c3a547

SHA512
b0ff1435e4607031e03f6c0a9991744373a41d794e5bf34eb5a2119201054d5b6e2a2935da6f6a13e3da85e04c9bcb3cc03da7aae152d2be59cefebdda8313bc

Download Submit
\Windows\SysWOW64\Jaclej32.exe

Filesize
50KB

MD5
24b92c9feb0853aaa66aa59179ca7bac

SHA1
b72422259173a383be203a607b5617f95953c11f

SHA256
dbe7bd0aa3a44a0114c1d83d36cfeae4790edb1a0c1226beab9b586e9e8e13f0

SHA512
8280f2e9b15b5780b539e0fa62b967505c4a2a5a81c447397e71f2d5f7b401b2d353d0bbe044d1f284095ff54b7d91c3deed838d09546ecc4adc51e22fcac3e3

Download Submit
\Windows\SysWOW64\Jaclej32.exe

Filesize
50KB

MD5
24b92c9feb0853aaa66aa59179ca7bac

SHA1
b72422259173a383be203a607b5617f95953c11f

SHA256
dbe7bd0aa3a44a0114c1d83d36cfeae4790edb1a0c1226beab9b586e9e8e13f0

SHA512
8280f2e9b15b5780b539e0fa62b967505c4a2a5a81c447397e71f2d5f7b401b2d353d0bbe044d1f284095ff54b7d91c3deed838d09546ecc4adc51e22fcac3e3

Download Submit
\Windows\SysWOW64\Jafhkiom.exe

Filesize
50KB

MD5
cd56b07388aa5ae37fc1a18112ff9617

SHA1
d7f8cfbe3eac9cfd08d06ce3c0a988e691b3718b

SHA256
f150b803d7b75e58c374511b3f6501aa7a3d819c3dc543d6885d138d5a12763b

SHA512
609129847628b9bbb857e1935b75fdd7f04e0a2e4cceee37b3e5d1d6cded29626b41bd6255fb610c46f455cb841cbf8a86bd729c87f554e898513e89ae325bad

Download Submit
\Windows\SysWOW64\Jafhkiom.exe

Filesize
50KB

MD5
cd56b07388aa5ae37fc1a18112ff9617

SHA1
d7f8cfbe3eac9cfd08d06ce3c0a988e691b3718b

SHA256
f150b803d7b75e58c374511b3f6501aa7a3d819c3dc543d6885d138d5a12763b

SHA512
609129847628b9bbb857e1935b75fdd7f04e0a2e4cceee37b3e5d1d6cded29626b41bd6255fb610c46f455cb841cbf8a86bd729c87f554e898513e89ae325bad

Download Submit
\Windows\SysWOW64\Jdfamdln.exe

Filesize
50KB

MD5
31d5d2ae31932d505a02c1e4b81a32e4

SHA1
b047dbe345fe5165747d0b76f91220d34941cff8

SHA256
065c426a8362ef6d21f8d09085fe83add6075a58fe9007f462182dfe2da97674

SHA512
efe6d32def65df6b57bda321b100ac70ccd2dc95a27c8d999601e3e6b167b088656e25548c44de30987832bcb585f5b800f92e7b958af2b96660ce93d79b7392

Download Submit
\Windows\SysWOW64\Jdfamdln.exe

Filesize
50KB

MD5
31d5d2ae31932d505a02c1e4b81a32e4

SHA1
b047dbe345fe5165747d0b76f91220d34941cff8

SHA256
065c426a8362ef6d21f8d09085fe83add6075a58fe9007f462182dfe2da97674

SHA512
efe6d32def65df6b57bda321b100ac70ccd2dc95a27c8d999601e3e6b167b088656e25548c44de30987832bcb585f5b800f92e7b958af2b96660ce93d79b7392

Download Submit
\Windows\SysWOW64\Jdinbd32.exe

Filesize
50KB

MD5
9ec2833ae1cece7d83991310834aa116

SHA1
13649cafc21f12389f77a14aeef7ef9664909f88

SHA256
02d4b26f3a82f90448fbf79513bd104d21bf838ccb9d364846e95167c88d421b

SHA512
67a896f6b58015d894b1dda3072408f1e0154b197520c54a6548889d3efbeff56a2d3f3aaca65619930116601f71c0e2126259d79f5a50e729a83c72554b3c06

Download Submit
\Windows\SysWOW64\Jdinbd32.exe

Filesize
50KB

MD5
9ec2833ae1cece7d83991310834aa116

SHA1
13649cafc21f12389f77a14aeef7ef9664909f88

SHA256
02d4b26f3a82f90448fbf79513bd104d21bf838ccb9d364846e95167c88d421b

SHA512
67a896f6b58015d894b1dda3072408f1e0154b197520c54a6548889d3efbeff56a2d3f3aaca65619930116601f71c0e2126259d79f5a50e729a83c72554b3c06

Download Submit
\Windows\SysWOW64\Jhpahc32.exe

Filesize
50KB

MD5
3f148d8170e67a9ad13a4052547d6989

SHA1
392e91ff38c074d1fa722ff78a8dbbb29dd5e4ca

SHA256
7a00ee0354f9ab97df372a8949bd9aef8f1a32523f9e7dbc044297637d38f635

SHA512
b405e49c7a027801395da0fe3d0578178aca608fc19518642a814c00f2b75ee229db3a27c4dceac54ef21cd5786167a5b39c4bb7e9acda5cc713132dd3874b13

Download Submit
\Windows\SysWOW64\Jhpahc32.exe

Filesize
50KB

MD5
3f148d8170e67a9ad13a4052547d6989

SHA1
392e91ff38c074d1fa722ff78a8dbbb29dd5e4ca

SHA256
7a00ee0354f9ab97df372a8949bd9aef8f1a32523f9e7dbc044297637d38f635

SHA512
b405e49c7a027801395da0fe3d0578178aca608fc19518642a814c00f2b75ee229db3a27c4dceac54ef21cd5786167a5b39c4bb7e9acda5cc713132dd3874b13

Download Submit
\Windows\SysWOW64\Jicjekje.exe

Filesize
50KB

MD5
15359b670fb49fad79c8dbc883a412e1

SHA1
b4ac07cdb76e8886c3505f29ad310b4358ad3c4f

SHA256
681c071141dc94d31565d8ee53c8caebfa6605947fe42ecd7470e2814da65760

SHA512
47c28f2e8ae987da95cefe3e02d94db0a39b47b40848d0a57bed9869259e16ad36dc8b5ea3bae92d56ee07d9407d93644c57863354e816a0041b1a46c0b608d3

Download Submit
\Windows\SysWOW64\Jicjekje.exe

Filesize
50KB

MD5
15359b670fb49fad79c8dbc883a412e1

SHA1
b4ac07cdb76e8886c3505f29ad310b4358ad3c4f

SHA256
681c071141dc94d31565d8ee53c8caebfa6605947fe42ecd7470e2814da65760

SHA512
47c28f2e8ae987da95cefe3e02d94db0a39b47b40848d0a57bed9869259e16ad36dc8b5ea3bae92d56ee07d9407d93644c57863354e816a0041b1a46c0b608d3

Download Submit
\Windows\SysWOW64\Jlipcb32.exe

Filesize
50KB

MD5
25768da39c6237535aa34d72905650ea

SHA1
7c784507434e44b44bfbfff1b4e28904ba7420af

SHA256
75ee7c1c6e2ee5a7b605f7256ea214d1031df39a4051abd7ec8d839345203a0a

SHA512
224f11245a88c75e9a017f598f9096b4ed75db7a8ce0dc4b65d40fe64c210c2e1adc5224097e0e9e5dc04eb8c94ccba04b7c98917d88c3266f48dd9df6c07033

Download Submit
\Windows\SysWOW64\Jlipcb32.exe

Filesize
50KB

MD5
25768da39c6237535aa34d72905650ea

SHA1
7c784507434e44b44bfbfff1b4e28904ba7420af

SHA256
75ee7c1c6e2ee5a7b605f7256ea214d1031df39a4051abd7ec8d839345203a0a

SHA512
224f11245a88c75e9a017f598f9096b4ed75db7a8ce0dc4b65d40fe64c210c2e1adc5224097e0e9e5dc04eb8c94ccba04b7c98917d88c3266f48dd9df6c07033

Download Submit
\Windows\SysWOW64\Kcnkcqoc.exe

Filesize
50KB

MD5
79f1fb0de7c0b718cc4f79f3e1248fbb

SHA1
3a1f974dc76927d8ad3999df4bb583e5874e28fd

SHA256
37683774efc348331ed1e2c08f75f7f3ba757053f052b23bc21b9b3e91697d17

SHA512
89097f6acac938485e42c0ebf785f3fea2aca20f0a569f840af0ba957f2162c81b37a73e65e04774192cc6efbbc4f05a05a5f1b1021a8d0ebd53df926d2fedd3

Download Submit
\Windows\SysWOW64\Kcnkcqoc.exe

Filesize
50KB

MD5
79f1fb0de7c0b718cc4f79f3e1248fbb

SHA1
3a1f974dc76927d8ad3999df4bb583e5874e28fd

SHA256
37683774efc348331ed1e2c08f75f7f3ba757053f052b23bc21b9b3e91697d17

SHA512
89097f6acac938485e42c0ebf785f3fea2aca20f0a569f840af0ba957f2162c81b37a73e65e04774192cc6efbbc4f05a05a5f1b1021a8d0ebd53df926d2fedd3

Download Submit
\Windows\SysWOW64\Keaakk32.exe

Filesize
50KB

MD5
b34f0c58f09ae92c0adef8c4843fcc33

SHA1
3ed11a5485259eec706e89dbb35e39f61ffe5af4

SHA256
f26154ce2acb3eeebadbeb03eb93dd9219ab89de212ceaac81e56bacc580e710

SHA512
dd65a90ed8d507bff11535f9cdc04b16823b2e585bd167d94e6b8a8f5372b1343d15f62be60812b77a80eb31fc39402f2a786335100969bf3f974c393146da39

Download Submit
\Windows\SysWOW64\Keaakk32.exe

Filesize
50KB

MD5
b34f0c58f09ae92c0adef8c4843fcc33

SHA1
3ed11a5485259eec706e89dbb35e39f61ffe5af4

SHA256
f26154ce2acb3eeebadbeb03eb93dd9219ab89de212ceaac81e56bacc580e710

SHA512
dd65a90ed8d507bff11535f9cdc04b16823b2e585bd167d94e6b8a8f5372b1343d15f62be60812b77a80eb31fc39402f2a786335100969bf3f974c393146da39

Download Submit
\Windows\SysWOW64\Kiegkk32.exe

Filesize
50KB

MD5
b3be797b8980ccf2335e5f64349ff0b5

SHA1
adf51ae2b8a67463afdf89cf8f78b7a911e3114e

SHA256
8ac8e128642b1fff81e54e23a4d9924d2f1fb63edbc1bcd043b4a24d1172896c

SHA512
b847a3730035eb5c02cf49d7a53491c82c527366968b081f599890d91cdbddafd7487c63c4665bdc3350ff4743c35048ea92150e6006cab761257d2240f50c62

Download Submit
\Windows\SysWOW64\Kiegkk32.exe

Filesize
50KB

MD5
b3be797b8980ccf2335e5f64349ff0b5

SHA1
adf51ae2b8a67463afdf89cf8f78b7a911e3114e

SHA256
8ac8e128642b1fff81e54e23a4d9924d2f1fb63edbc1bcd043b4a24d1172896c

SHA512
b847a3730035eb5c02cf49d7a53491c82c527366968b081f599890d91cdbddafd7487c63c4665bdc3350ff4743c35048ea92150e6006cab761257d2240f50c62

Download Submit
\Windows\SysWOW64\Kkpfhbff.exe

Filesize
50KB

MD5
3eb02ad8853f3e206caaafac1407c7dc

SHA1
14cb274701c0c14213a9de1074bc77f3dc4cad94

SHA256
500e3510f7915ee328031ae5945791c4407e3c650c8717cc9520360f68cb69c1

SHA512
258ec834e741f55701ced0554d71c6e0010fcb4b663ebe53c213499776fd14d403eb163a92c6f5cdc22b15398074efb4824b07ab94163c6f97d42c8f1f23911c

Download Submit
\Windows\SysWOW64\Kkpfhbff.exe

Filesize
50KB

MD5
3eb02ad8853f3e206caaafac1407c7dc

SHA1
14cb274701c0c14213a9de1074bc77f3dc4cad94

SHA256
500e3510f7915ee328031ae5945791c4407e3c650c8717cc9520360f68cb69c1

SHA512
258ec834e741f55701ced0554d71c6e0010fcb4b663ebe53c213499776fd14d403eb163a92c6f5cdc22b15398074efb4824b07ab94163c6f97d42c8f1f23911c

Download Submit
\Windows\SysWOW64\Klilbfca.exe

Filesize
50KB

MD5
db2e8c94ee0bec33d3775700aae8efe0

SHA1
b4422bec8bb3908c946f9cd0f940b8e2b1243e48

SHA256
6d139a1f6361f81243c71dfac4b3ed8486c67404512437edb2eaac78ba681093

SHA512
ed7d670bc66199b087e2e061ae3a8ac96aa2b3b454c73564fd6bbf81da2aceae0f05c27027cbeed3995cb58271d9107bfcf599ac85f127a5cfa5f865122470cc

Download Submit
\Windows\SysWOW64\Klilbfca.exe

Filesize
50KB

MD5
db2e8c94ee0bec33d3775700aae8efe0

SHA1
b4422bec8bb3908c946f9cd0f940b8e2b1243e48

SHA256
6d139a1f6361f81243c71dfac4b3ed8486c67404512437edb2eaac78ba681093

SHA512
ed7d670bc66199b087e2e061ae3a8ac96aa2b3b454c73564fd6bbf81da2aceae0f05c27027cbeed3995cb58271d9107bfcf599ac85f127a5cfa5f865122470cc

Download Submit
\Windows\SysWOW64\Koiecaqb.exe

Filesize
50KB

MD5
8d670c047a0e978baf3d31058ae35bac

SHA1
1cd83ee5856767dd0488e5849ea81e6656d54f36

SHA256
ff80bf1ad1c7d8c00b28a9f0e5c17e640e1e6b374ef653d154f294b55765ea2a

SHA512
b72ede241f6dab31dcf039f171a94b734586933e8069ebe7384d7d003a9071d8205b6b6b7a7a53a14b0dee484a14eca74a3ec9d481ff1750d7ba052c1778dfe0

Download Submit
\Windows\SysWOW64\Koiecaqb.exe

Filesize
50KB

MD5
8d670c047a0e978baf3d31058ae35bac

SHA1
1cd83ee5856767dd0488e5849ea81e6656d54f36

SHA256
ff80bf1ad1c7d8c00b28a9f0e5c17e640e1e6b374ef653d154f294b55765ea2a

SHA512
b72ede241f6dab31dcf039f171a94b734586933e8069ebe7384d7d003a9071d8205b6b6b7a7a53a14b0dee484a14eca74a3ec9d481ff1750d7ba052c1778dfe0

Download Submit
\Windows\SysWOW64\Kpblme32.exe

Filesize
50KB

MD5
282210ecfac8e34045ceeb8b1a538eb7

SHA1
9afcd36a6e80f7d4e6ae7153c23f6b261fa89161

SHA256
bd20e4db51b6e18921e09f8662668de7b070b69d6665e9c145a41df261cff690

SHA512
04e5543461bb613688f5de801c91655b17d686486ae9663e932297e0fa1bc92c7f32577aa31650854226916117dfa270844cd1cfc406b53cbf9162f4ad085f9a

Download Submit
\Windows\SysWOW64\Kpblme32.exe

Filesize
50KB

MD5
282210ecfac8e34045ceeb8b1a538eb7

SHA1
9afcd36a6e80f7d4e6ae7153c23f6b261fa89161

SHA256
bd20e4db51b6e18921e09f8662668de7b070b69d6665e9c145a41df261cff690

SHA512
04e5543461bb613688f5de801c91655b17d686486ae9663e932297e0fa1bc92c7f32577aa31650854226916117dfa270844cd1cfc406b53cbf9162f4ad085f9a

Download Submit
\Windows\SysWOW64\Lkbbnadc.exe

Filesize
50KB

MD5
9fa00b4123f57913b53cea022457bf8d

SHA1
8bf5c64723da1e20208e2701cb5373ab69e8c54f

SHA256
c4c216dcecffff5eb9dfa40baefb523f05036f88973d26c3e6e850e91e3bffa4

SHA512
12f3b1bf6ce3526e7c94aaadc474829cc9c104facccf73c566895526f9ae42e631e1bfbcaa46decbfdbd3191d40f6aa086554b95ee7286273245e66861d87211

Download Submit
\Windows\SysWOW64\Lkbbnadc.exe

Filesize
50KB

MD5
9fa00b4123f57913b53cea022457bf8d

SHA1
8bf5c64723da1e20208e2701cb5373ab69e8c54f

SHA256
c4c216dcecffff5eb9dfa40baefb523f05036f88973d26c3e6e850e91e3bffa4

SHA512
12f3b1bf6ce3526e7c94aaadc474829cc9c104facccf73c566895526f9ae42e631e1bfbcaa46decbfdbd3191d40f6aa086554b95ee7286273245e66861d87211

Download Submit
memory/108-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/108-129-0x0000000000000000-mapping.dmp

Download
memory/240-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/240-56-0x0000000000000000-mapping.dmp

Download
memory/240-113-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/268-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-224-0x0000000001B70000-0x0000000001BA1000-memory.dmp

Filesize
196KB

Download
memory/268-223-0x0000000001B70000-0x0000000001BA1000-memory.dmp

Filesize
196KB

Download
memory/268-164-0x0000000000000000-mapping.dmp

Download
memory/272-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/272-101-0x0000000000000000-mapping.dmp

Download
memory/272-175-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/296-171-0x0000000000000000-mapping.dmp

Download
memory/468-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/468-91-0x0000000000000000-mapping.dmp

Download
memory/520-208-0x0000000000000000-mapping.dmp

Download
memory/540-149-0x0000000000000000-mapping.dmp

Download
memory/540-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/556-173-0x0000000000000000-mapping.dmp

Download
memory/568-138-0x0000000000000000-mapping.dmp

Download
memory/568-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/608-157-0x0000000000000000-mapping.dmp

Download
memory/608-205-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/608-204-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/652-227-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/652-165-0x0000000000000000-mapping.dmp

Download
memory/652-229-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/652-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/820-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/820-107-0x0000000000000000-mapping.dmp

Download
memory/828-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/828-123-0x0000000000000000-mapping.dmp

Download
memory/836-151-0x0000000000000000-mapping.dmp

Download
memory/836-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/920-219-0x0000000000000000-mapping.dmp

Download
memory/940-116-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/940-61-0x0000000000000000-mapping.dmp

Download
memory/948-152-0x0000000000000000-mapping.dmp

Download
memory/948-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-150-0x0000000000000000-mapping.dmp

Download
memory/952-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/996-201-0x0000000000000000-mapping.dmp

Download
memory/1012-163-0x0000000000000000-mapping.dmp

Download
memory/1012-221-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1012-220-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1012-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1028-191-0x0000000000000000-mapping.dmp

Download
memory/1072-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1072-96-0x0000000000000000-mapping.dmp

Download
memory/1084-239-0x0000000000000000-mapping.dmp

Download
memory/1120-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1120-144-0x0000000000000000-mapping.dmp

Download
memory/1168-172-0x0000000000000000-mapping.dmp

Download
memory/1172-162-0x0000000000000000-mapping.dmp

Download
memory/1172-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1176-242-0x0000000000000000-mapping.dmp

Download
memory/1180-247-0x0000000000000000-mapping.dmp

Download
memory/1232-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1232-71-0x0000000000000000-mapping.dmp

Download
memory/1304-207-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1304-158-0x0000000000000000-mapping.dmp

Download
memory/1304-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1340-66-0x0000000000000000-mapping.dmp

Download
memory/1340-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-147-0x0000000000000000-mapping.dmp

Download
memory/1360-202-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1360-156-0x0000000000000000-mapping.dmp

Download
memory/1360-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1360-203-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1412-238-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1412-168-0x0000000000000000-mapping.dmp

Download
memory/1412-240-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/1460-243-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/1460-169-0x0000000000000000-mapping.dmp

Download
memory/1460-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1480-225-0x0000000000000000-mapping.dmp

Download
memory/1492-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1492-148-0x0000000000000000-mapping.dmp

Download
memory/1504-166-0x0000000000000000-mapping.dmp

Download
memory/1504-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-233-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1504-231-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1564-237-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1564-235-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1564-167-0x0000000000000000-mapping.dmp

Download
memory/1564-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1584-196-0x0000000000000000-mapping.dmp

Download
memory/1612-228-0x0000000000000000-mapping.dmp

Download
memory/1616-194-0x0000000000000000-mapping.dmp

Download
memory/1636-182-0x0000000000000000-mapping.dmp

Download
memory/1640-185-0x0000000000000000-mapping.dmp

Download
memory/1644-170-0x0000000000000000-mapping.dmp

Download
memory/1676-188-0x0000000000000000-mapping.dmp

Download
memory/1696-197-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1696-154-0x0000000000000000-mapping.dmp

Download
memory/1696-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1696-198-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1704-76-0x0000000000000000-mapping.dmp

Download
memory/1704-124-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-159-0x0000000000000000-mapping.dmp

Download
memory/1716-210-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1716-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1724-153-0x0000000000000000-mapping.dmp

Download
memory/1724-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-174-0x0000000000000000-mapping.dmp

Download
memory/1756-86-0x0000000000000000-mapping.dmp

Download
memory/1756-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1780-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1780-115-0x0000000000000000-mapping.dmp

Download
memory/1864-211-0x0000000000000000-mapping.dmp

Download
memory/1892-216-0x0000000000000000-mapping.dmp

Download
memory/1900-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1900-108-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/1912-161-0x0000000000000000-mapping.dmp

Download
memory/1912-214-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1912-215-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1920-81-0x0000000000000000-mapping.dmp

Download
memory/1920-130-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1956-176-0x0000000000000000-mapping.dmp

Download
memory/1988-232-0x0000000000000000-mapping.dmp

Download
memory/1992-155-0x0000000000000000-mapping.dmp

Download
memory/1992-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-269-0x0000000000000000-mapping.dmp

Download
memory/2028-236-0x0000000000000000-mapping.dmp

Download
memory/2036-160-0x0000000000000000-mapping.dmp

Download
memory/2036-213-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2036-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download