0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870

Analysis

max time kernel
115s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe
Size

50KB
MD5

b7e77ae5fa2f5b3d0382e16371d580f0
SHA1

5d3c976c7c98ba88583a9310b79b1ce29c2b7cc0
SHA256

0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870
SHA512

fb1cfa2d18d71fa8d9ea1a81d1b718bc7b7fa64bfc87be24bc09ba5781937741a7f6f92d37e1af5109953eccce17ac3ece30dfc89a000f4b31374d70a82c9383
SSDEEP

768:ZWXMcRYoLZmdnSPteXXPQvgVWxgPDD4px5LR3VfeTo1UC48Aw4ul0V/1H5:afNtePQuHCx5bf9U3w4R

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mekgjg32.exeJpmeeo32.exeNiobod32.exePnhjhjhb.exeGdplojhg.exe0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exeLhghig32.exeHdammb32.exeNiaodd32.exeGjdjgp32.exeIcqcoc32.exeLpdbhc32.exePkkhhe32.exeLfjccf32.exeGklqqc32.exeGclope32.exeCcijkg32.exeHqohdp32.exeImkcpd32.exeLabkpeng.exeMmlhkfai.exeGcheefjm.exeObkbcilk.exeAbicfi32.exeDgodnlnl.exeLbfhnj32.exeLobhllci.exeNmjkkf32.exeLeikml32.exeHenmaeho.exeQqmjlk32.exeKkpilk32.exeLehidckm.exeJcdpeg32.exeKpmnphfj.exeBmibcheh.exeFphedm32.exeCaqejkgp.exeGghbkjbl.exeHibjok32.exeJppeak32.exeKicecn32.exeLmbcln32.exeBkoddi32.exeQdlleikp.exeQaoijp32.exeJhcfqb32.exeEdplki32.exeEefick32.exeEnanhm32.exeOmippc32.exeAhnmkbgf.exeCojjkb32.exeEdcgqidi.exeKalnne32.exeMngemh32.exeNlpkpo32.exeNppdbf32.exeBdbhgi32.exeKmpmpd32.exeAibcoefn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mekgjg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpmeeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niobod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnhjhjhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdplojhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhghig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdammb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mekgjg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niaodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjdjgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpdbhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkhhe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjccf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gklqqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gclope32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccijkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqohdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imkcpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkpeng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlhkfai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcheefjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkbcilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abicfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgodnlnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfhnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lobhllci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjkkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henmaeho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqmjlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpilk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lehidckm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdpeg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmnphfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmibcheh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphedm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqejkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gghbkjbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibjok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jppeak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kicecn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkoddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlleikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaoijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhcfqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edplki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eefick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enanhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omippc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahnmkbgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojjkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edcgqidi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kalnne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mngemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlpkpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nppdbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmpmpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpmeeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aibcoefn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkoddi32.exe

Executes dropped EXE 64 IoCs

Processes:

Ihkkna32.exeNjckjp32.exeNppdbf32.exeNeoipm32.exeOhbogh32.exePolcceal.exePiagpnqb.exePcjlicgb.exeQaoijp32.exeAnkcjpni.exeBnjoicpe.exeCpgkmj32.exeCidiqona.exeDfaphg32.exeDdgmgkbe.exeEidepbal.exeEkmhhj32.exeFgjomj32.exeFlidkplc.exeFfbidf32.exeGhbafqpe.exeGomjbk32.exeGlqjlo32.exeHiekjd32.exeIgoafp32.exeIegkkc32.exeImbppe32.exeJdodao32.exeJhcfqb32.exeKdldkc32.exeKdcjlbmp.exeMjgeckhk.exeNmjkkf32.exeNieekf32.exeNelepg32.exeNmgjdi32.exeOieajigd.exePdheqfkh.exeQijgdl32.exeQcbkmalj.exeAkbilcep.exeAdjnei32.exeAhhfkg32.exeBjlphofc.exeBqfhei32.exeBnledmjf.exeBhffek32.exeBqmnfh32.exeCkillebc.exeCnghhaag.exeCioikiok.exeCcijkg32.exeDamjek32.exeDbbphc32.exeDiabpl32.exeEdplki32.exeFbibge32.exeFobpbf32.exeGojfbefi.exeGfoacc32.exeHhmnoo32.exeHbhonc32.exeHqohdp32.exeHboenbap.exe

pid	process
280	Ihkkna32.exe
1748	Njckjp32.exe
2000	Nppdbf32.exe
1940	Neoipm32.exe
924	Ohbogh32.exe
1540	Polcceal.exe
384	Piagpnqb.exe
1260	Pcjlicgb.exe
984	Qaoijp32.exe
1284	Ankcjpni.exe
1924	Bnjoicpe.exe
1732	Cpgkmj32.exe
580	Cidiqona.exe
1456	Dfaphg32.exe
1880	Ddgmgkbe.exe
2040	Eidepbal.exe
240	Ekmhhj32.exe
660	Fgjomj32.exe
1616	Flidkplc.exe
1564	Ffbidf32.exe
1728	Ghbafqpe.exe
760	Gomjbk32.exe
1632	Glqjlo32.exe
2016	Hiekjd32.exe
1952	Igoafp32.exe
1996	Iegkkc32.exe
1716	Imbppe32.exe
1944	Jdodao32.exe
1300	Jhcfqb32.exe
944	Kdldkc32.exe
564	Kdcjlbmp.exe
1668	Mjgeckhk.exe
1064	Nmjkkf32.exe
1660	Nieekf32.exe
1596	Nelepg32.exe
1648	Nmgjdi32.exe
1164	Oieajigd.exe
1712	Pdheqfkh.exe
1808	Qijgdl32.exe
1076	Qcbkmalj.exe
1552	Akbilcep.exe
1072	Adjnei32.exe
664	Ahhfkg32.exe
1696	Bjlphofc.exe
1556	Bqfhei32.exe
1652	Bnledmjf.exe
1508	Bhffek32.exe
1520	Bqmnfh32.exe
2020	Ckillebc.exe
1704	Cnghhaag.exe
996	Cioikiok.exe
956	Ccijkg32.exe
1132	Damjek32.exe
432	Dbbphc32.exe
1772	Diabpl32.exe
788	Edplki32.exe
1524	Fbibge32.exe
1948	Fobpbf32.exe
1252	Gojfbefi.exe
1608	Gfoacc32.exe
1708	Hhmnoo32.exe
1720	Hbhonc32.exe
1868	Hqohdp32.exe
552	Hboenbap.exe

Loads dropped DLL 64 IoCs

Processes:

0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exeIhkkna32.exeNjckjp32.exeNppdbf32.exeNeoipm32.exeOhbogh32.exePolcceal.exePiagpnqb.exePcjlicgb.exeQaoijp32.exeAnkcjpni.exeBnjoicpe.exeCpgkmj32.exeCidiqona.exeDfaphg32.exeDdgmgkbe.exeEidepbal.exeEkmhhj32.exeFgjomj32.exeFlidkplc.exeFfbidf32.exeGhbafqpe.exeGomjbk32.exeGlqjlo32.exeHiekjd32.exeIgoafp32.exeIegkkc32.exeImbppe32.exeJdodao32.exeJhcfqb32.exeKdldkc32.exeKdcjlbmp.exe

pid	process
1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe
1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe
280	Ihkkna32.exe
280	Ihkkna32.exe
1748	Njckjp32.exe
1748	Njckjp32.exe
2000	Nppdbf32.exe
2000	Nppdbf32.exe
1940	Neoipm32.exe
1940	Neoipm32.exe
924	Ohbogh32.exe
924	Ohbogh32.exe
1540	Polcceal.exe
1540	Polcceal.exe
384	Piagpnqb.exe
384	Piagpnqb.exe
1260	Pcjlicgb.exe
1260	Pcjlicgb.exe
984	Qaoijp32.exe
984	Qaoijp32.exe
1284	Ankcjpni.exe
1284	Ankcjpni.exe
1924	Bnjoicpe.exe
1924	Bnjoicpe.exe
1732	Cpgkmj32.exe
1732	Cpgkmj32.exe
580	Cidiqona.exe
580	Cidiqona.exe
1456	Dfaphg32.exe
1456	Dfaphg32.exe
1880	Ddgmgkbe.exe
1880	Ddgmgkbe.exe
2040	Eidepbal.exe
2040	Eidepbal.exe
240	Ekmhhj32.exe
240	Ekmhhj32.exe
660	Fgjomj32.exe
660	Fgjomj32.exe
1616	Flidkplc.exe
1616	Flidkplc.exe
1564	Ffbidf32.exe
1564	Ffbidf32.exe
1728	Ghbafqpe.exe
1728	Ghbafqpe.exe
760	Gomjbk32.exe
760	Gomjbk32.exe
1632	Glqjlo32.exe
1632	Glqjlo32.exe
2016	Hiekjd32.exe
2016	Hiekjd32.exe
1952	Igoafp32.exe
1952	Igoafp32.exe
1996	Iegkkc32.exe
1996	Iegkkc32.exe
1716	Imbppe32.exe
1716	Imbppe32.exe
1944	Jdodao32.exe
1944	Jdodao32.exe
1300	Jhcfqb32.exe
1300	Jhcfqb32.exe
944	Kdldkc32.exe
944	Kdldkc32.exe
564	Kdcjlbmp.exe
564	Kdcjlbmp.exe

Drops file in System32 directory 64 IoCs

Processes:

Dgodnlnl.exeDqgigbdl.exeHdammb32.exeOjaijnad.exeLojhhn32.exeAkhqgb32.exeCiiminfm.exeMjgeckhk.exeMgpifn32.exeIpmclfbd.exeKjllmfml.exeHlafkf32.exeHkihdmhi.exeKjdmih32.exeAjbgcnqm.exeAhnmkbgf.exeLmmeoajm.exeDbojaq32.exeHlakldho.exeOdgfkflj.exeEknomc32.exeGjdjgp32.exeCkillebc.exeHfobog32.exeLobhllci.exeApimmg32.exeMakjdcco.exeAbhiibgm.exeAmljdj32.exeHpledjid.exePbccpphg.exeDcqdnhdj.exeKgcdhm32.exeMmilef32.exeDlalkhmf.exeGklqqc32.exeEfijjh32.exeAlhnojhf.exeBeehab32.exeHhoecqep.exeIkjknief.exeDpenjknc.exePahochlf.exeFlidkplc.exeMeamib32.exeMekgjg32.exeEjeidp32.exeOmjjnfcd.exeFeknbi32.exeMeijdhma.exeBpikec32.exeFboqdfcb.exeBqfhei32.exeHbhbbqeg.exeGomjbk32.exeKfmkdi32.exeLcaglqmk.exeBdbhgi32.exeJdmpbjkc.exeCmppombl.exeNelepg32.exeFgmnlb32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Djnpjhmp.exe	Dgodnlnl.exe
File opened for modification	C:\Windows\SysWOW64\Efijjh32.exe	Dqgigbdl.exe
File created	C:\Windows\SysWOW64\Hgpiin32.exe	Hdammb32.exe
File created	C:\Windows\SysWOW64\Loijemmo.dll	Ojaijnad.exe
File opened for modification	C:\Windows\SysWOW64\Lbiedi32.exe	Lojhhn32.exe
File opened for modification	C:\Windows\SysWOW64\Abbidmgg.exe	Akhqgb32.exe
File created	C:\Windows\SysWOW64\Kigqbpkg.dll	Ciiminfm.exe
File created	C:\Windows\SysWOW64\Nmjkkf32.exe	Mjgeckhk.exe
File opened for modification	C:\Windows\SysWOW64\Mjnebi32.exe	Mgpifn32.exe
File created	C:\Windows\SysWOW64\Ihckmccf.exe	Ipmclfbd.exe
File created	C:\Windows\SysWOW64\Kgbgjn32.dll	Kjllmfml.exe
File created	C:\Windows\SysWOW64\Accgfafi.dll	Hlafkf32.exe
File created	C:\Windows\SysWOW64\Egqccm32.dll	Hkihdmhi.exe
File created	C:\Windows\SysWOW64\Fjboniaj.dll	Kjdmih32.exe
File created	C:\Windows\SysWOW64\Iaipofma.dll	Ajbgcnqm.exe
File created	C:\Windows\SysWOW64\Akmignfj.exe	Ahnmkbgf.exe
File created	C:\Windows\SysWOW64\Mmihma32.dll	Lmmeoajm.exe
File created	C:\Windows\SysWOW64\Okjmbg32.dll	Dbojaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijonoh.exe	Hlakldho.exe
File created	C:\Windows\SysWOW64\Gaonfe32.dll	Dgodnlnl.exe
File created	C:\Windows\SysWOW64\Fhpggfop.dll	Odgfkflj.exe
File opened for modification	C:\Windows\SysWOW64\Enlkio32.exe	Eknomc32.exe
File opened for modification	C:\Windows\SysWOW64\Gqnbdj32.exe	Gjdjgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnghhaag.exe	Ckillebc.exe
File created	C:\Windows\SysWOW64\Himokc32.exe	Hfobog32.exe
File opened for modification	C:\Windows\SysWOW64\Lbqdhgbl.exe	Lobhllci.exe
File opened for modification	C:\Windows\SysWOW64\Abhiibgm.exe	Apimmg32.exe
File created	C:\Windows\SysWOW64\Mgdbamjl.exe	Makjdcco.exe
File created	C:\Windows\SysWOW64\Fjliga32.dll	Abhiibgm.exe
File opened for modification	C:\Windows\SysWOW64\Ajbgcnqm.exe	Amljdj32.exe
File created	C:\Windows\SysWOW64\Hhgiilfp.exe	Hpledjid.exe
File created	C:\Windows\SysWOW64\Phmllj32.exe	Pbccpphg.exe
File created	C:\Windows\SysWOW64\Deoajccm.exe	Dcqdnhdj.exe
File opened for modification	C:\Windows\SysWOW64\Kmpmpd32.exe	Kgcdhm32.exe
File created	C:\Windows\SysWOW64\Ligopn32.dll	Mmilef32.exe
File opened for modification	C:\Windows\SysWOW64\Dophgclj.exe	Dlalkhmf.exe
File opened for modification	C:\Windows\SysWOW64\Gnkmmole.exe	Gklqqc32.exe
File opened for modification	C:\Windows\SysWOW64\Eiggfc32.exe	Efijjh32.exe
File created	C:\Windows\SysWOW64\Anfkkehj.exe	Alhnojhf.exe
File created	C:\Windows\SysWOW64\Bhcenn32.exe	Beehab32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbfom32.exe	Hhoecqep.exe
File created	C:\Windows\SysWOW64\Oaeaidio.dll	Ikjknief.exe
File opened for modification	C:\Windows\SysWOW64\Dgpfge32.exe	Dpenjknc.exe
File created	C:\Windows\SysWOW64\Qcilkp32.exe	Pahochlf.exe
File opened for modification	C:\Windows\SysWOW64\Ffbidf32.exe	Flidkplc.exe
File created	C:\Windows\SysWOW64\Mgpifn32.exe	Meamib32.exe
File created	C:\Windows\SysWOW64\Jldclq32.dll	Mekgjg32.exe
File created	C:\Windows\SysWOW64\Dildlldl.dll	Ejeidp32.exe
File created	C:\Windows\SysWOW64\Emimldlg.dll	Omjjnfcd.exe
File created	C:\Windows\SysWOW64\Ackaagdp.dll	Feknbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mhgfacle.exe	Meijdhma.exe
File created	C:\Windows\SysWOW64\Hdbmembj.dll	Bpikec32.exe
File created	C:\Windows\SysWOW64\Fglilmaj.exe	Fboqdfcb.exe
File created	C:\Windows\SysWOW64\Cchpfm32.dll	Bqfhei32.exe
File created	C:\Windows\SysWOW64\Hibjok32.exe	Hbhbbqeg.exe
File created	C:\Windows\SysWOW64\Glqjlo32.exe	Gomjbk32.exe
File opened for modification	C:\Windows\SysWOW64\Kilgpd32.exe	Kfmkdi32.exe
File created	C:\Windows\SysWOW64\Efiknkcd.dll	Lcaglqmk.exe
File created	C:\Windows\SysWOW64\Inobga32.exe	Hlafkf32.exe
File created	C:\Windows\SysWOW64\Omgijojj.dll	Bdbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Jgllnejg.exe	Jdmpbjkc.exe
File opened for modification	C:\Windows\SysWOW64\Cnplipjo.exe	Cmppombl.exe
File opened for modification	C:\Windows\SysWOW64\Nmgjdi32.exe	Nelepg32.exe
File created	C:\Windows\SysWOW64\Gebkmnjh.exe	Fgmnlb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1008 1576 WerFault.exe Inobga32.exe

pid	pid_target	process	target process
1008	1576	WerFault.exe	Inobga32.exe

Modifies registry class 64 IoCs

Processes:

Hhmkfj32.exeLmmeoajm.exeDkcjnllm.exeDknfhj32.exeKdapok32.exeGppnne32.exeOkllib32.exeHikbeckh.exeGaoiop32.exeFobpbf32.exeHnnhhniq.exeMfdmck32.exeEhjfelcc.exeBnledmjf.exeMhegbk32.exeIialokne.exeHkihdmhi.exeHmgephgm.exeMekgjg32.exeIfcgmebm.exeFeekckfj.exeLeikml32.exeAlbjhg32.exeBpgmgk32.exeIpbjka32.exeJpfhkm32.exeGnkmmole.exeAkmignfj.exeGmjlakfj.exeJdmpbjkc.exeKkpilk32.exeNqimdcdp.exeIkoikfmh.exeNjklhn32.exeLmdlpqde.exeEppjdh32.exeFbibge32.exeIgfipgbm.exeCbdngckk.exeLgbjlj32.exeOcjolm32.exeHgpiin32.exeDeoajccm.exeHogajk32.exeAjnnho32.exeMahnocea.exeCcijkg32.exeOhnfhm32.exeEidepbal.exeOibnjc32.exeMhgfacle.exeFphedm32.exeCeodkpqb.exeLegape32.exeGkonfcko.exeCmgechfi.exeAmfgflmk.exeAhdabiee.exeBaocpojb.exeBobaaj32.exeCbbabc32.exeAdjnei32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihma32.dll"	Lmmeoajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkcjnllm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknfhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcoff32.dll"	Kdapok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiliebpq.dll"	Okllib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikbeckh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaoiop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobpbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnnhhniq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfdmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjfelcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnledmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njigamfc.dll"	Mhegbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnjko32.dll"	Iialokne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkihdmhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidfc32.dll"	Hmgephgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mekgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifcgmebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feekckfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leikml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albjhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpgmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipbjka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpfhkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnkmmole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmignfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjlakfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfblhimd.dll"	Jdmpbjkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimdkd32.dll"	Kkpilk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqimdcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikoikfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njklhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghepg32.dll"	Lmdlpqde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eppjdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inojpj32.dll"	Fbibge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igfipgbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdngckk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikoibnj.dll"	Lgbjlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocjolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgpiin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deoajccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajnnho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpfhkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahnocea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaocfmo.dll"	Ccijkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnhnddgc.dll"	Ohnfhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eidepbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgmgmqn.dll"	Oibnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhgfacle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fphedm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceodkpqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhgfnkm.dll"	Legape32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkonfcko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlhobni.dll"	Cmgechfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfgflmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgkei32.dll"	Ahdabiee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifem32.dll"	Baocpojb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdcij32.dll"	Gnkmmole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobaaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apofob32.dll"	Cbbabc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adjnei32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1816 wrote to memory of 280	1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe	Ihkkna32.exe
PID 1816 wrote to memory of 280	1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe	Ihkkna32.exe
PID 1816 wrote to memory of 280	1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe	Ihkkna32.exe
PID 1816 wrote to memory of 280	1816	0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe	Ihkkna32.exe
PID 280 wrote to memory of 1748	280	Ihkkna32.exe	Njckjp32.exe
PID 280 wrote to memory of 1748	280	Ihkkna32.exe	Njckjp32.exe
PID 280 wrote to memory of 1748	280	Ihkkna32.exe	Njckjp32.exe
PID 280 wrote to memory of 1748	280	Ihkkna32.exe	Njckjp32.exe
PID 1748 wrote to memory of 2000	1748	Njckjp32.exe	Nppdbf32.exe
PID 1748 wrote to memory of 2000	1748	Njckjp32.exe	Nppdbf32.exe
PID 1748 wrote to memory of 2000	1748	Njckjp32.exe	Nppdbf32.exe
PID 1748 wrote to memory of 2000	1748	Njckjp32.exe	Nppdbf32.exe
PID 2000 wrote to memory of 1940	2000	Nppdbf32.exe	Neoipm32.exe
PID 2000 wrote to memory of 1940	2000	Nppdbf32.exe	Neoipm32.exe
PID 2000 wrote to memory of 1940	2000	Nppdbf32.exe	Neoipm32.exe
PID 2000 wrote to memory of 1940	2000	Nppdbf32.exe	Neoipm32.exe
PID 1940 wrote to memory of 924	1940	Neoipm32.exe	Ohbogh32.exe
PID 1940 wrote to memory of 924	1940	Neoipm32.exe	Ohbogh32.exe
PID 1940 wrote to memory of 924	1940	Neoipm32.exe	Ohbogh32.exe
PID 1940 wrote to memory of 924	1940	Neoipm32.exe	Ohbogh32.exe
PID 924 wrote to memory of 1540	924	Ohbogh32.exe	Polcceal.exe
PID 924 wrote to memory of 1540	924	Ohbogh32.exe	Polcceal.exe
PID 924 wrote to memory of 1540	924	Ohbogh32.exe	Polcceal.exe
PID 924 wrote to memory of 1540	924	Ohbogh32.exe	Polcceal.exe
PID 1540 wrote to memory of 384	1540	Polcceal.exe	Piagpnqb.exe
PID 1540 wrote to memory of 384	1540	Polcceal.exe	Piagpnqb.exe
PID 1540 wrote to memory of 384	1540	Polcceal.exe	Piagpnqb.exe
PID 1540 wrote to memory of 384	1540	Polcceal.exe	Piagpnqb.exe
PID 384 wrote to memory of 1260	384	Piagpnqb.exe	Pcjlicgb.exe
PID 384 wrote to memory of 1260	384	Piagpnqb.exe	Pcjlicgb.exe
PID 384 wrote to memory of 1260	384	Piagpnqb.exe	Pcjlicgb.exe
PID 384 wrote to memory of 1260	384	Piagpnqb.exe	Pcjlicgb.exe
PID 1260 wrote to memory of 984	1260	Pcjlicgb.exe	Qaoijp32.exe
PID 1260 wrote to memory of 984	1260	Pcjlicgb.exe	Qaoijp32.exe
PID 1260 wrote to memory of 984	1260	Pcjlicgb.exe	Qaoijp32.exe
PID 1260 wrote to memory of 984	1260	Pcjlicgb.exe	Qaoijp32.exe
PID 984 wrote to memory of 1284	984	Qaoijp32.exe	Ankcjpni.exe
PID 984 wrote to memory of 1284	984	Qaoijp32.exe	Ankcjpni.exe
PID 984 wrote to memory of 1284	984	Qaoijp32.exe	Ankcjpni.exe
PID 984 wrote to memory of 1284	984	Qaoijp32.exe	Ankcjpni.exe
PID 1284 wrote to memory of 1924	1284	Ankcjpni.exe	Bnjoicpe.exe
PID 1284 wrote to memory of 1924	1284	Ankcjpni.exe	Bnjoicpe.exe
PID 1284 wrote to memory of 1924	1284	Ankcjpni.exe	Bnjoicpe.exe
PID 1284 wrote to memory of 1924	1284	Ankcjpni.exe	Bnjoicpe.exe
PID 1924 wrote to memory of 1732	1924	Bnjoicpe.exe	Cpgkmj32.exe
PID 1924 wrote to memory of 1732	1924	Bnjoicpe.exe	Cpgkmj32.exe
PID 1924 wrote to memory of 1732	1924	Bnjoicpe.exe	Cpgkmj32.exe
PID 1924 wrote to memory of 1732	1924	Bnjoicpe.exe	Cpgkmj32.exe
PID 1732 wrote to memory of 580	1732	Cpgkmj32.exe	Cidiqona.exe
PID 1732 wrote to memory of 580	1732	Cpgkmj32.exe	Cidiqona.exe
PID 1732 wrote to memory of 580	1732	Cpgkmj32.exe	Cidiqona.exe
PID 1732 wrote to memory of 580	1732	Cpgkmj32.exe	Cidiqona.exe
PID 580 wrote to memory of 1456	580	Cidiqona.exe	Dfaphg32.exe
PID 580 wrote to memory of 1456	580	Cidiqona.exe	Dfaphg32.exe
PID 580 wrote to memory of 1456	580	Cidiqona.exe	Dfaphg32.exe
PID 580 wrote to memory of 1456	580	Cidiqona.exe	Dfaphg32.exe
PID 1456 wrote to memory of 1880	1456	Dfaphg32.exe	Ddgmgkbe.exe
PID 1456 wrote to memory of 1880	1456	Dfaphg32.exe	Ddgmgkbe.exe
PID 1456 wrote to memory of 1880	1456	Dfaphg32.exe	Ddgmgkbe.exe
PID 1456 wrote to memory of 1880	1456	Dfaphg32.exe	Ddgmgkbe.exe
PID 1880 wrote to memory of 2040	1880	Ddgmgkbe.exe	Eidepbal.exe
PID 1880 wrote to memory of 2040	1880	Ddgmgkbe.exe	Eidepbal.exe
PID 1880 wrote to memory of 2040	1880	Ddgmgkbe.exe	Eidepbal.exe
PID 1880 wrote to memory of 2040	1880	Ddgmgkbe.exe	Eidepbal.exe

C:\Users\Admin\AppData\Local\Temp\0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe
"C:\Users\Admin\AppData\Local\Temp\0a90e93ed7c70847d2ff8dbc4251c029899186454c1e5581657767e49dde6870.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\Ihkkna32.exe
  C:\Windows\system32\Ihkkna32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\Njckjp32.exe
    C:\Windows\system32\Njckjp32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\Nppdbf32.exe
      C:\Windows\system32\Nppdbf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\Neoipm32.exe
        
        C:\Windows\system32\Neoipm32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\Ohbogh32.exe
        
        C:\Windows\system32\Ohbogh32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Polcceal.exe
        
        C:\Windows\system32\Polcceal.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Piagpnqb.exe
        
        C:\Windows\system32\Piagpnqb.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pcjlicgb.exe
        
        C:\Windows\system32\Pcjlicgb.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Qaoijp32.exe
        
        C:\Windows\system32\Qaoijp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Ankcjpni.exe
        
        C:\Windows\system32\Ankcjpni.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Bnjoicpe.exe
        
        C:\Windows\system32\Bnjoicpe.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Cpgkmj32.exe
        
        C:\Windows\system32\Cpgkmj32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Cidiqona.exe
        
        C:\Windows\system32\Cidiqona.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Dfaphg32.exe
        
        C:\Windows\system32\Dfaphg32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ddgmgkbe.exe
        
        C:\Windows\system32\Ddgmgkbe.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Eidepbal.exe
        
        C:\Windows\system32\Eidepbal.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Ekmhhj32.exe
        
        C:\Windows\system32\Ekmhhj32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:240
        
        C:\Windows\SysWOW64\Fgjomj32.exe
        
        C:\Windows\system32\Fgjomj32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:660
        
        C:\Windows\SysWOW64\Flidkplc.exe
        
        C:\Windows\system32\Flidkplc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ffbidf32.exe
        
        C:\Windows\system32\Ffbidf32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1564
        
        C:\Windows\SysWOW64\Ghbafqpe.exe
        
        C:\Windows\system32\Ghbafqpe.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1728
        
        C:\Windows\SysWOW64\Gomjbk32.exe
        
        C:\Windows\system32\Gomjbk32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Glqjlo32.exe
        
        C:\Windows\system32\Glqjlo32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1632
        
        C:\Windows\SysWOW64\Hiekjd32.exe
        
        C:\Windows\system32\Hiekjd32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
        
        C:\Windows\SysWOW64\Igoafp32.exe
        
        C:\Windows\system32\Igoafp32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1952
        
        C:\Windows\SysWOW64\Iegkkc32.exe
        
        C:\Windows\system32\Iegkkc32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1996
        
        C:\Windows\SysWOW64\Imbppe32.exe
        
        C:\Windows\system32\Imbppe32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
        
        C:\Windows\SysWOW64\Jdodao32.exe
        
        C:\Windows\system32\Jdodao32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\Jhcfqb32.exe
        
        C:\Windows\system32\Jhcfqb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1300
        
        C:\Windows\SysWOW64\Kdldkc32.exe
        
        C:\Windows\system32\Kdldkc32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:944
        
        C:\Windows\SysWOW64\Kdcjlbmp.exe
        
        C:\Windows\system32\Kdcjlbmp.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:564
        
        C:\Windows\SysWOW64\Mjgeckhk.exe
        
        C:\Windows\system32\Mjgeckhk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Nmjkkf32.exe
        
        C:\Windows\system32\Nmjkkf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Nieekf32.exe
        
        C:\Windows\system32\Nieekf32.exe
        35⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Nelepg32.exe
        
        C:\Windows\system32\Nelepg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Nmgjdi32.exe
        
        C:\Windows\system32\Nmgjdi32.exe
        37⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Oieajigd.exe
        
        C:\Windows\system32\Oieajigd.exe
        38⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Pdheqfkh.exe
        
        C:\Windows\system32\Pdheqfkh.exe
        39⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Qijgdl32.exe
        
        C:\Windows\system32\Qijgdl32.exe
        40⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Qcbkmalj.exe
        
        C:\Windows\system32\Qcbkmalj.exe
        41⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Akbilcep.exe
        
        C:\Windows\system32\Akbilcep.exe
        42⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Adjnei32.exe
        
        C:\Windows\system32\Adjnei32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Ahhfkg32.exe
        
        C:\Windows\system32\Ahhfkg32.exe
        44⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\Bjlphofc.exe
        
        C:\Windows\system32\Bjlphofc.exe
        45⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Bqfhei32.exe
        
        C:\Windows\system32\Bqfhei32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Bnledmjf.exe
        
        C:\Windows\system32\Bnledmjf.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bcinmdin.exe
        
        C:\Windows\system32\Bcinmdin.exe
        48⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Bhffek32.exe
        
        C:\Windows\system32\Bhffek32.exe
        49⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Bqmnfh32.exe
        
        C:\Windows\system32\Bqmnfh32.exe
        50⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Ckillebc.exe
        
        C:\Windows\system32\Ckillebc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Cnghhaag.exe
        
        C:\Windows\system32\Cnghhaag.exe
        52⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Cioikiok.exe
        
        C:\Windows\system32\Cioikiok.exe
        53⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Ccijkg32.exe
        
        C:\Windows\system32\Ccijkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Damjek32.exe
        
        C:\Windows\system32\Damjek32.exe
        55⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Dbbphc32.exe
        
        C:\Windows\system32\Dbbphc32.exe
        56⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Diabpl32.exe
        
        C:\Windows\system32\Diabpl32.exe
        57⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Edplki32.exe
        
        C:\Windows\system32\Edplki32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Fbibge32.exe
        
        C:\Windows\system32\Fbibge32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Fobpbf32.exe
        
        C:\Windows\system32\Fobpbf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Gojfbefi.exe
        
        C:\Windows\system32\Gojfbefi.exe
        61⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Gfoacc32.exe
        
        C:\Windows\system32\Gfoacc32.exe
        62⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Hhmnoo32.exe
        
        C:\Windows\system32\Hhmnoo32.exe
        63⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Hbhonc32.exe
        
        C:\Windows\system32\Hbhonc32.exe
        64⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Hqohdp32.exe
        
        C:\Windows\system32\Hqohdp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Hboenbap.exe
        
        C:\Windows\system32\Hboenbap.exe
        66⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Idpnpn32.exe
        
        C:\Windows\system32\Idpnpn32.exe
        67⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Inhbicea.exe
        
        C:\Windows\system32\Inhbicea.exe
        68⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Ifcgmebm.exe
        
        C:\Windows\system32\Ifcgmebm.exe
        69⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Icidli32.exe
        
        C:\Windows\system32\Icidli32.exe
        70⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Jmbieo32.exe
        
        C:\Windows\system32\Jmbieo32.exe
        71⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Jppeak32.exe
        
        C:\Windows\system32\Jppeak32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:916
        
        C:\Windows\SysWOW64\Jhkjem32.exe
        
        C:\Windows\system32\Jhkjem32.exe
        73⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Jpbagj32.exe
        
        C:\Windows\system32\Jpbagj32.exe
        74⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Jhpcqlnn.exe
        
        C:\Windows\system32\Jhpcqlnn.exe
        75⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Kdiqkmao.exe
        
        C:\Windows\system32\Kdiqkmao.exe
        76⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Kbqjbidd.exe
        
        C:\Windows\system32\Kbqjbidd.exe
        77⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Keofndch.exe
        
        C:\Windows\system32\Keofndch.exe
        78⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Kimodc32.exe
        
        C:\Windows\system32\Kimodc32.exe
        79⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Klkkpn32.exe
        
        C:\Windows\system32\Klkkpn32.exe
        80⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Kpggqm32.exe
        
        C:\Windows\system32\Kpggqm32.exe
        81⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Lehidckm.exe
        
        C:\Windows\system32\Lehidckm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1492
        
        C:\Windows\SysWOW64\Lkhnbjhb.exe
        
        C:\Windows\system32\Lkhnbjhb.exe
        83⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Lnfknegf.exe
        
        C:\Windows\system32\Lnfknegf.exe
        84⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Lgalljkd.exe
        
        C:\Windows\system32\Lgalljkd.exe
        85⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Mjaene32.exe
        
        C:\Windows\system32\Mjaene32.exe
        86⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Monmfl32.exe
        
        C:\Windows\system32\Monmfl32.exe
        87⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Mamibh32.exe
        
        C:\Windows\system32\Mamibh32.exe
        88⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Mhinea32.exe
        
        C:\Windows\system32\Mhinea32.exe
        89⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Mdpojbqn.exe
        
        C:\Windows\system32\Mdpojbqn.exe
        90⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Nqfpoc32.exe
        
        C:\Windows\system32\Nqfpoc32.exe
        91⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Nqimdcdp.exe
        
        C:\Windows\system32\Nqimdcdp.exe
        92⤵
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Nnojcg32.exe
        
        C:\Windows\system32\Nnojcg32.exe
        93⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Omgcjc32.exe
        
        C:\Windows\system32\Omgcjc32.exe
        94⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Oebhne32.exe
        
        C:\Windows\system32\Oebhne32.exe
        95⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Omippc32.exe
        
        C:\Windows\system32\Omippc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2292
        
        C:\Windows\SysWOW64\Onjmgkhg.exe
        
        C:\Windows\system32\Onjmgkhg.exe
        97⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Obheminn.exe
        
        C:\Windows\system32\Obheminn.exe
        98⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Oibnjc32.exe
        
        C:\Windows\system32\Oibnjc32.exe
        99⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ogeneple.exe
        
        C:\Windows\system32\Ogeneple.exe
        100⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Ojcjalki.exe
        
        C:\Windows\system32\Ojcjalki.exe
        101⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Obkbcilk.exe
        
        C:\Windows\system32\Obkbcilk.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2340
        
        C:\Windows\SysWOW64\Omdccg32.exe
        
        C:\Windows\system32\Omdccg32.exe
        103⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Ahnmkbgf.exe
        
        C:\Windows\system32\Ahnmkbgf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Akmignfj.exe
        
        C:\Windows\system32\Akmignfj.exe
        105⤵
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Aainigkd.exe
        
        C:\Windows\system32\Aainigkd.exe
        106⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Blghed32.exe
        
        C:\Windows\system32\Blghed32.exe
        107⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Bofdapca.exe
        
        C:\Windows\system32\Bofdapca.exe
        108⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Badamkbe.exe
        
        C:\Windows\system32\Badamkbe.exe
        109⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Bohafpqo.exe
        
        C:\Windows\system32\Bohafpqo.exe
        110⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Bafnbkpb.exe
        
        C:\Windows\system32\Bafnbkpb.exe
        111⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Bdejofof.exe
        
        C:\Windows\system32\Bdejofof.exe
        112⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Bheojdcj.exe
        
        C:\Windows\system32\Bheojdcj.exe
        113⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Cmgechfi.exe
        
        C:\Windows\system32\Cmgechfi.exe
        114⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ccampb32.exe
        
        C:\Windows\system32\Ccampb32.exe
        115⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Cfpimm32.exe
        
        C:\Windows\system32\Cfpimm32.exe
        116⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Cnfank32.exe
        
        C:\Windows\system32\Cnfank32.exe
        117⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Cohnec32.exe
        
        C:\Windows\system32\Cohnec32.exe
        118⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Cojjkb32.exe
        
        C:\Windows\system32\Cojjkb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Cibodhhh.exe
        
        C:\Windows\system32\Cibodhhh.exe
        120⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Dighog32.exe
        
        C:\Windows\system32\Dighog32.exe
        121⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Dbbimm32.exe
        
        C:\Windows\system32\Dbbimm32.exe
        122⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Djmnao32.exe
        
        C:\Windows\system32\Djmnao32.exe
        123⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Feekckfj.exe
        
        C:\Windows\system32\Feekckfj.exe
        124⤵
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Fomplplk.exe
        
        C:\Windows\system32\Fomplplk.exe
        125⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Ffhdqbjf.exe
        
        C:\Windows\system32\Ffhdqbjf.exe
        126⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Fgmnlb32.exe
        
        C:\Windows\system32\Fgmnlb32.exe
        127⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Gebkmnjh.exe
        
        C:\Windows\system32\Gebkmnjh.exe
        128⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Gmicnl32.exe
        
        C:\Windows\system32\Gmicnl32.exe
        129⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Gchhlb32.exe
        
        C:\Windows\system32\Gchhlb32.exe
        130⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Hjnclpem.exe
        
        C:\Windows\system32\Hjnclpem.exe
        131⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Hnnhhniq.exe
        
        C:\Windows\system32\Hnnhhniq.exe
        132⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Hpledjid.exe
        
        C:\Windows\system32\Hpledjid.exe
        133⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Hhgiilfp.exe
        
        C:\Windows\system32\Hhgiilfp.exe
        134⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Hqoaji32.exe
        
        C:\Windows\system32\Hqoaji32.exe
        135⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Iodokfkj.exe
        
        C:\Windows\system32\Iodokfkj.exe
        136⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Iialokne.exe
        
        C:\Windows\system32\Iialokne.exe
        137⤵
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ikoikfmh.exe
        
        C:\Windows\system32\Ikoikfmh.exe
        138⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Igfipgbm.exe
        
        C:\Windows\system32\Igfipgbm.exe
        139⤵
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Ijdelbap.exe
        
        C:\Windows\system32\Ijdelbap.exe
        140⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Jacgdleh.exe
        
        C:\Windows\system32\Jacgdleh.exe
        141⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Jcacpgdl.exe
        
        C:\Windows\system32\Jcacpgdl.exe
        142⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Jjklma32.exe
        
        C:\Windows\system32\Jjklma32.exe
        143⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Jmjhim32.exe
        
        C:\Windows\system32\Jmjhim32.exe
        144⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Jphdeh32.exe
        
        C:\Windows\system32\Jphdeh32.exe
        145⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Jcdpeg32.exe
        
        C:\Windows\system32\Jcdpeg32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Jfblab32.exe
        
        C:\Windows\system32\Jfblab32.exe
        147⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Jegicofd.exe
        
        C:\Windows\system32\Jegicofd.exe
        148⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Kicecn32.exe
        
        C:\Windows\system32\Kicecn32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2208
        
        C:\Windows\SysWOW64\Kpmnphfj.exe
        
        C:\Windows\system32\Kpmnphfj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Kdapok32.exe
        
        C:\Windows\system32\Kdapok32.exe
        151⤵
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Kngdlc32.exe
        
        C:\Windows\system32\Kngdlc32.exe
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Kphqdllk.exe
        
        C:\Windows\system32\Kphqdllk.exe
        153⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Kjndadla.exe
        
        C:\Windows\system32\Kjndadla.exe
        154⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Ldhfpjqo.exe
        
        C:\Windows\system32\Ldhfpjqo.exe
        155⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Lodcfg32.exe
        
        C:\Windows\system32\Lodcfg32.exe
        156⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Mcbhki32.exe
        
        C:\Windows\system32\Mcbhki32.exe
        157⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Oqfecqeb.exe
        
        C:\Windows\system32\Oqfecqeb.exe
        158⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Abbnejco.exe
        
        C:\Windows\system32\Abbnejco.exe
        159⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Amhbcccd.exe
        
        C:\Windows\system32\Amhbcccd.exe
        160⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Abicfi32.exe
        
        C:\Windows\system32\Abicfi32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Aehpbe32.exe
        
        C:\Windows\system32\Aehpbe32.exe
        162⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Bobaaj32.exe
        
        C:\Windows\system32\Bobaaj32.exe
        163⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Baamme32.exe
        
        C:\Windows\system32\Baamme32.exe
        164⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Ccildpbn.exe
        
        C:\Windows\system32\Ccildpbn.exe
        165⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Ecbkibmn.exe
        
        C:\Windows\system32\Ecbkibmn.exe
        166⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Fmkpbgco.exe
        
        C:\Windows\system32\Fmkpbgco.exe
        167⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Fcdhoa32.exe
        
        C:\Windows\system32\Fcdhoa32.exe
        168⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Fbghknbf.exe
        
        C:\Windows\system32\Fbghknbf.exe
        169⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Fjopllbh.exe
        
        C:\Windows\system32\Fjopllbh.exe
        170⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Fmmlhgal.exe
        
        C:\Windows\system32\Fmmlhgal.exe
        171⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Fpkidbqp.exe
        
        C:\Windows\system32\Fpkidbqp.exe
        172⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Fnqfeoeh.exe
        
        C:\Windows\system32\Fnqfeoeh.exe
        173⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Fblafn32.exe
        
        C:\Windows\system32\Fblafn32.exe
        174⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Feknbi32.exe
        
        C:\Windows\system32\Feknbi32.exe
        175⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Fhijnd32.exe
        
        C:\Windows\system32\Fhijnd32.exe
        176⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Fdbghe32.exe
        
        C:\Windows\system32\Fdbghe32.exe
        177⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Gmjlakfj.exe
        
        C:\Windows\system32\Gmjlakfj.exe
        178⤵
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Ghppocfp.exe
        
        C:\Windows\system32\Ghppocfp.exe
        179⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Gojhkn32.exe
        
        C:\Windows\system32\Gojhkn32.exe
        180⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Gdinidib.exe
        
        C:\Windows\system32\Gdinidib.exe
        181⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Gblnda32.exe
        
        C:\Windows\system32\Gblnda32.exe
        182⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Gkcffn32.exe
        
        C:\Windows\system32\Gkcffn32.exe
        183⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Gmabbj32.exe
        
        C:\Windows\system32\Gmabbj32.exe
        184⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Gppnne32.exe
        
        C:\Windows\system32\Gppnne32.exe
        185⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Gpbkcemc.exe
        
        C:\Windows\system32\Gpbkcemc.exe
        186⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Himlbjaa.exe
        
        C:\Windows\system32\Himlbjaa.exe
        187⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Inckfmqk.exe
        
        C:\Windows\system32\Inckfmqk.exe
        188⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Ipbgbhpo.exe
        
        C:\Windows\system32\Ipbgbhpo.exe
        189⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Icqcoc32.exe
        
        C:\Windows\system32\Icqcoc32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2820
        
        C:\Windows\SysWOW64\Ikglpa32.exe
        
        C:\Windows\system32\Ikglpa32.exe
        191⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Infhll32.exe
        
        C:\Windows\system32\Infhll32.exe
        192⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Ipddhh32.exe
        
        C:\Windows\system32\Ipddhh32.exe
        193⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Ibjjko32.exe
        
        C:\Windows\system32\Ibjjko32.exe
        194⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Jdmpbjkc.exe
        
        C:\Windows\system32\Jdmpbjkc.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Jgllnejg.exe
        
        C:\Windows\system32\Jgllnejg.exe
        196⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\Jocdpcji.exe
        
        C:\Windows\system32\Jocdpcji.exe
        197⤵
        
        PID:780
        
        C:\Windows\SysWOW64\Kfmhkpda.exe
        
        C:\Windows\system32\Kfmhkpda.exe
        198⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Lmbcln32.exe
        
        C:\Windows\system32\Lmbcln32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:676
        
        C:\Windows\SysWOW64\Leikml32.exe
        
        C:\Windows\system32\Leikml32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Lhghig32.exe
        
        C:\Windows\system32\Lhghig32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2436
        
        C:\Windows\SysWOW64\Ljjmpbmc.exe
        
        C:\Windows\system32\Ljjmpbmc.exe
        202⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Mhegbk32.exe
        
        C:\Windows\system32\Mhegbk32.exe
        203⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Moopoenp.exe
        
        C:\Windows\system32\Moopoenp.exe
        204⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Ngajdfec.exe
        
        C:\Windows\system32\Ngajdfec.exe
        205⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Njofpadg.exe
        
        C:\Windows\system32\Njofpadg.exe
        206⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Nafoaoei.exe
        
        C:\Windows\system32\Nafoaoei.exe
        207⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Nplkbk32.exe
        
        C:\Windows\system32\Nplkbk32.exe
        208⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Obaaeclj.exe
        
        C:\Windows\system32\Obaaeclj.exe
        209⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Ojiifqll.exe
        
        C:\Windows\system32\Ojiifqll.exe
        210⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Olgeblkp.exe
        
        C:\Windows\system32\Olgeblkp.exe
        211⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Ooebogjc.exe
        
        C:\Windows\system32\Ooebogjc.exe
        212⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Obdnkbjg.exe
        
        C:\Windows\system32\Obdnkbjg.exe
        213⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Ohnfhm32.exe
        
        C:\Windows\system32\Ohnfhm32.exe
        214⤵
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Oklbdh32.exe
        
        C:\Windows\system32\Oklbdh32.exe
        215⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Obfkqbge.exe
        
        C:\Windows\system32\Obfkqbge.exe
        216⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Odegmn32.exe
        
        C:\Windows\system32\Odegmn32.exe
        217⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Ogccii32.exe
        
        C:\Windows\system32\Ogccii32.exe
        218⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Oojkjf32.exe
        
        C:\Windows\system32\Oojkjf32.exe
        219⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Okaloglb.exe
        
        C:\Windows\system32\Okaloglb.exe
        220⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Pqekhndb.exe
        
        C:\Windows\system32\Pqekhndb.exe
        221⤵
        
        PID:988
        
        C:\Windows\SysWOW64\Pccgdice.exe
        
        C:\Windows\system32\Pccgdice.exe
        222⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Ppjgij32.exe
        
        C:\Windows\system32\Ppjgij32.exe
        223⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Qpoadied.exe
        
        C:\Windows\system32\Qpoadied.exe
        224⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Qnaapf32.exe
        
        C:\Windows\system32\Qnaapf32.exe
        225⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Qjhbdg32.exe
        
        C:\Windows\system32\Qjhbdg32.exe
        226⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Alhnojhf.exe
        
        C:\Windows\system32\Alhnojhf.exe
        227⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Anfkkehj.exe
        
        C:\Windows\system32\Anfkkehj.exe
        228⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Affijg32.exe
        
        C:\Windows\system32\Affijg32.exe
        229⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Aidefbpc.exe
        
        C:\Windows\system32\Aidefbpc.exe
        230⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Ampaga32.exe
        
        C:\Windows\system32\Ampaga32.exe
        231⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Apomcm32.exe
        
        C:\Windows\system32\Apomcm32.exe
        232⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Abmioh32.exe
        
        C:\Windows\system32\Abmioh32.exe
        233⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Blhknm32.exe
        
        C:\Windows\system32\Blhknm32.exe
        234⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Bbacjgbn.exe
        
        C:\Windows\system32\Bbacjgbn.exe
        235⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Bkoddi32.exe
        
        C:\Windows\system32\Bkoddi32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:944
        
        C:\Windows\SysWOW64\Beehab32.exe
        
        C:\Windows\system32\Beehab32.exe
        237⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Bhcenn32.exe
        
        C:\Windows\system32\Bhcenn32.exe
        238⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Bommjhdm.exe
        
        C:\Windows\system32\Bommjhdm.exe
        239⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Bdjebobd.exe
        
        C:\Windows\system32\Bdjebobd.exe
        240⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Cmbjkdie.exe
        
        C:\Windows\system32\Cmbjkdie.exe
        241⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Cpccmoff.exe
        
        C:\Windows\system32\Cpccmoff.exe
        242⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Ccaoikej.exe
        
        C:\Windows\system32\Ccaoikej.exe
        243⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Cepkefdn.exe
        
        C:\Windows\system32\Cepkefdn.exe
        244⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Dkcjnllm.exe
        
        C:\Windows\system32\Dkcjnllm.exe
        245⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Dgodnlnl.exe
        
        C:\Windows\system32\Dgodnlnl.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Djnpjhmp.exe
        
        C:\Windows\system32\Djnpjhmp.exe
        247⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Dbehlena.exe
        
        C:\Windows\system32\Dbehlena.exe
        248⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Dqgigbdl.exe
        
        C:\Windows\system32\Dqgigbdl.exe
        249⤵
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Efijjh32.exe
        
        C:\Windows\system32\Efijjh32.exe
        250⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Eiggfc32.exe
        
        C:\Windows\system32\Eiggfc32.exe
        251⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Fphedm32.exe
        
        C:\Windows\system32\Fphedm32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Fnnbei32.exe
        
        C:\Windows\system32\Fnnbei32.exe
        253⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Fjgppj32.exe
        
        C:\Windows\system32\Fjgppj32.exe
        254⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Fmelle32.exe
        
        C:\Windows\system32\Fmelle32.exe
        255⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Ghhpba32.exe
        
        C:\Windows\system32\Ghhpba32.exe
        256⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Glclcpca.exe
        
        C:\Windows\system32\Glclcpca.exe
        257⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Gbndpj32.exe
        
        C:\Windows\system32\Gbndpj32.exe
        258⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Gelplf32.exe
        
        C:\Windows\system32\Gelplf32.exe
        259⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Hhjlha32.exe
        
        C:\Windows\system32\Hhjlha32.exe
        260⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Hkihdmhi.exe
        
        C:\Windows\system32\Hkihdmhi.exe
        261⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hmgephgm.exe
        
        C:\Windows\system32\Hmgephgm.exe
        262⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Henmaeho.exe
        
        C:\Windows\system32\Henmaeho.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1604
        
        C:\Windows\SysWOW64\Hdammb32.exe
        
        C:\Windows\system32\Hdammb32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Hgpiin32.exe
        
        C:\Windows\system32\Hgpiin32.exe
        265⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Hogajk32.exe
        
        C:\Windows\system32\Hogajk32.exe
        266⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Haemff32.exe
        
        C:\Windows\system32\Haemff32.exe
        267⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Hhoecqep.exe
        
        C:\Windows\system32\Hhoecqep.exe
        268⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Hgbfom32.exe
        
        C:\Windows\system32\Hgbfom32.exe
        269⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Hiqbkikn.exe
        
        C:\Windows\system32\Hiqbkikn.exe
        270⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Hmlnkg32.exe
        
        C:\Windows\system32\Hmlnkg32.exe
        271⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Hpjjgc32.exe
        
        C:\Windows\system32\Hpjjgc32.exe
        272⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Hcifcn32.exe
        
        C:\Windows\system32\Hcifcn32.exe
        273⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Hicophil.exe
        
        C:\Windows\system32\Hicophil.exe
        274⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Hlakldho.exe
        
        C:\Windows\system32\Hlakldho.exe
        275⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Ioijonoh.exe
        
        C:\Windows\system32\Ioijonoh.exe
        276⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Iagfkinl.exe
        
        C:\Windows\system32\Iagfkinl.exe
        277⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Idfbgemp.exe
        
        C:\Windows\system32\Idfbgemp.exe
        278⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Igdocplc.exe
        
        C:\Windows\system32\Igdocplc.exe
        279⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Ikpkdo32.exe
        
        C:\Windows\system32\Ikpkdo32.exe
        280⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Iajcqi32.exe
        
        C:\Windows\system32\Iajcqi32.exe
        281⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Ipmclfbd.exe
        
        C:\Windows\system32\Ipmclfbd.exe
        282⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ihckmccf.exe
        
        C:\Windows\system32\Ihckmccf.exe
        283⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Jkbgiobj.exe
        
        C:\Windows\system32\Jkbgiobj.exe
        284⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Jnqdejan.exe
        
        C:\Windows\system32\Jnqdejan.exe
        285⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Jgkedofk.exe
        
        C:\Windows\system32\Jgkedofk.exe
        286⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Jmhnlfdc.exe
        
        C:\Windows\system32\Jmhnlfdc.exe
        287⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Jjlnejcl.exe
        
        C:\Windows\system32\Jjlnejcl.exe
        288⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Joifna32.exe
        
        C:\Windows\system32\Joifna32.exe
        289⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Jbgbjm32.exe
        
        C:\Windows\system32\Jbgbjm32.exe
        290⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Jjnkkj32.exe
        
        C:\Windows\system32\Jjnkkj32.exe
        291⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Jmmgge32.exe
        
        C:\Windows\system32\Jmmgge32.exe
        292⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Kbllellb.exe
        
        C:\Windows\system32\Kbllellb.exe
        293⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Kkdqna32.exe
        
        C:\Windows\system32\Kkdqna32.exe
        294⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Knbmjm32.exe
        
        C:\Windows\system32\Knbmjm32.exe
        295⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Kqaifh32.exe
        
        C:\Windows\system32\Kqaifh32.exe
        296⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Lmoplhqf.exe
        
        C:\Windows\system32\Lmoplhqf.exe
        297⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Lldmme32.exe
        
        C:\Windows\system32\Lldmme32.exe
        298⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Lpdbhc32.exe
        
        C:\Windows\system32\Lpdbhc32.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3464
        
        C:\Windows\SysWOW64\Lbbodn32.exe
        
        C:\Windows\system32\Lbbodn32.exe
        300⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Mbekjngc.exe
        
        C:\Windows\system32\Mbekjngc.exe
        301⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Mhbcbeej.exe
        
        C:\Windows\system32\Mhbcbeej.exe
        302⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Mbpnnb32.exe
        
        C:\Windows\system32\Mbpnnb32.exe
        303⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Mkgfoonf.exe
        
        C:\Windows\system32\Mkgfoonf.exe
        304⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Najdjnnf.exe
        
        C:\Windows\system32\Najdjnnf.exe
        305⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Nhdmgh32.exe
        
        C:\Windows\system32\Nhdmgh32.exe
        306⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Nopaia32.exe
        
        C:\Windows\system32\Nopaia32.exe
        307⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Opfgli32.exe
        
        C:\Windows\system32\Opfgli32.exe
        308⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Ocddhd32.exe
        
        C:\Windows\system32\Ocddhd32.exe
        309⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Okllib32.exe
        
        C:\Windows\system32\Okllib32.exe
        310⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Onjhem32.exe
        
        C:\Windows\system32\Onjhem32.exe
        311⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Ojaijnad.exe
        
        C:\Windows\system32\Ojaijnad.exe
        312⤵
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Onldkmjm.exe
        
        C:\Windows\system32\Onldkmjm.exe
        313⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Opkaghia.exe
        
        C:\Windows\system32\Opkaghia.exe
        314⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Plfkgijp.exe
        
        C:\Windows\system32\Plfkgijp.exe
        315⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Poegcdic.exe
        
        C:\Windows\system32\Poegcdic.exe
        316⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Pbccpphg.exe
        
        C:\Windows\system32\Pbccpphg.exe
        317⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Phmllj32.exe
        
        C:\Windows\system32\Phmllj32.exe
        318⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Pkkhhe32.exe
        
        C:\Windows\system32\Pkkhhe32.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3736
        
        C:\Windows\SysWOW64\Pnjddqnk.exe
        
        C:\Windows\system32\Pnjddqnk.exe
        320⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Pqhqqlmo.exe
        
        C:\Windows\system32\Pqhqqlmo.exe
        321⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Qnonppjf.exe
        
        C:\Windows\system32\Qnonppjf.exe
        322⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Qqmjlk32.exe
        
        C:\Windows\system32\Qqmjlk32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3908
        
        C:\Windows\SysWOW64\Qckfhg32.exe
        
        C:\Windows\system32\Qckfhg32.exe
        324⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Qfloib32.exe
        
        C:\Windows\system32\Qfloib32.exe
        325⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Amfgflmk.exe
        
        C:\Windows\system32\Amfgflmk.exe
        326⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Afoloacl.exe
        
        C:\Windows\system32\Afoloacl.exe
        327⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Aimhkmbp.exe
        
        C:\Windows\system32\Aimhkmbp.exe
        328⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Alkdgiac.exe
        
        C:\Windows\system32\Alkdgiac.exe
        329⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Abeldb32.exe
        
        C:\Windows\system32\Abeldb32.exe
        330⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Aecipn32.exe
        
        C:\Windows\system32\Aecipn32.exe
        331⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Amkqak32.exe
        
        C:\Windows\system32\Amkqak32.exe
        332⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Apimmg32.exe
        
        C:\Windows\system32\Apimmg32.exe
        333⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Abhiibgm.exe
        
        C:\Windows\system32\Abhiibgm.exe
        334⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Aefefnfa.exe
        
        C:\Windows\system32\Aefefnfa.exe
        335⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Ahdabiee.exe
        
        C:\Windows\system32\Ahdabiee.exe
        336⤵
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Apljcffg.exe
        
        C:\Windows\system32\Apljcffg.exe
        337⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Abjfobek.exe
        
        C:\Windows\system32\Abjfobek.exe
        338⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Aamfko32.exe
        
        C:\Windows\system32\Aamfko32.exe
        339⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Ahgngicb.exe
        
        C:\Windows\system32\Ahgngicb.exe
        340⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Albjhg32.exe
        
        C:\Windows\system32\Albjhg32.exe
        341⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Anqfdc32.exe
        
        C:\Windows\system32\Anqfdc32.exe
        342⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Baocpojb.exe
        
        C:\Windows\system32\Baocpojb.exe
        343⤵
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bdnoljif.exe
        
        C:\Windows\system32\Bdnoljif.exe
        344⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Bldgngih.exe
        
        C:\Windows\system32\Bldgngih.exe
        345⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Bnccjbil.exe
        
        C:\Windows\system32\Bnccjbil.exe
        346⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Baapfnhp.exe
        
        C:\Windows\system32\Baapfnhp.exe
        347⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Bdplbjgc.exe
        
        C:\Windows\system32\Bdplbjgc.exe
        348⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Bhkhbh32.exe
        
        C:\Windows\system32\Bhkhbh32.exe
        349⤵
        
        PID:788
        
        C:\Windows\SysWOW64\Bjjdoc32.exe
        
        C:\Windows\system32\Bjjdoc32.exe
        350⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Bmhpko32.exe
        
        C:\Windows\system32\Bmhpko32.exe
        351⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Bpgmgk32.exe
        
        C:\Windows\system32\Bpgmgk32.exe
        352⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Bdbhgi32.exe
        
        C:\Windows\system32\Bdbhgi32.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Bjlqdcln.exe
        
        C:\Windows\system32\Bjlqdcln.exe
        354⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Bmkmpoka.exe
        
        C:\Windows\system32\Bmkmpoka.exe
        355⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Bafian32.exe
        
        C:\Windows\system32\Bafian32.exe
        356⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Bfcaid32.exe
        
        C:\Windows\system32\Bfcaid32.exe
        357⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Cihdfo32.exe
        
        C:\Windows\system32\Cihdfo32.exe
        358⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Clgpbj32.exe
        
        C:\Windows\system32\Clgpbj32.exe
        359⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Cbahodan.exe
        
        C:\Windows\system32\Cbahodan.exe
        360⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Ceodkpqb.exe
        
        C:\Windows\system32\Ceodkpqb.exe
        361⤵
        Modifies registry class
        
        PID:284
        
        C:\Windows\SysWOW64\Climgj32.exe
        
        C:\Windows\system32\Climgj32.exe
        362⤵
        
        PID:360
        
        C:\Windows\SysWOW64\Cogice32.exe
        
        C:\Windows\system32\Cogice32.exe
        363⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ceaaqpoo.exe
        
        C:\Windows\system32\Ceaaqpoo.exe
        364⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Cahbeqdc.exe
        
        C:\Windows\system32\Cahbeqdc.exe
        365⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Dcqdnhdj.exe
        
        C:\Windows\system32\Dcqdnhdj.exe
        366⤵
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Deoajccm.exe
        
        C:\Windows\system32\Deoajccm.exe
        367⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dfanoc32.exe
        
        C:\Windows\system32\Dfanoc32.exe
        368⤵
        
        PID:516
        
        C:\Windows\SysWOW64\Dhpjkn32.exe
        
        C:\Windows\system32\Dhpjkn32.exe
        369⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Dknfhj32.exe
        
        C:\Windows\system32\Dknfhj32.exe
        370⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Ecenig32.exe
        
        C:\Windows\system32\Ecenig32.exe
        371⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Efcjeb32.exe
        
        C:\Windows\system32\Efcjeb32.exe
        372⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Ehbfannl.exe
        
        C:\Windows\system32\Ehbfannl.exe
        373⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Elnbam32.exe
        
        C:\Windows\system32\Elnbam32.exe
        374⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Eolonh32.exe
        
        C:\Windows\system32\Eolonh32.exe
        375⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Ebjkjc32.exe
        
        C:\Windows\system32\Ebjkjc32.exe
        376⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Edigfo32.exe
        
        C:\Windows\system32\Edigfo32.exe
        377⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Egniciml.exe
        
        C:\Windows\system32\Egniciml.exe
        378⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Fjmfoelo.exe
        
        C:\Windows\system32\Fjmfoelo.exe
        379⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Fmkbkp32.exe
        
        C:\Windows\system32\Fmkbkp32.exe
        380⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Fmmoqp32.exe
        
        C:\Windows\system32\Fmmoqp32.exe
        381⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Folkmk32.exe
        
        C:\Windows\system32\Folkmk32.exe
        382⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Fbjgig32.exe
        
        C:\Windows\system32\Fbjgig32.exe
        383⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\Fmbhloek.exe
        
        C:\Windows\system32\Fmbhloek.exe
        384⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Fkehgl32.exe
        
        C:\Windows\system32\Fkehgl32.exe
        385⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Fboqdfcb.exe
        
        C:\Windows\system32\Fboqdfcb.exe
        386⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Fglilmaj.exe
        
        C:\Windows\system32\Fglilmaj.exe
        387⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Fnfaigif.exe
        
        C:\Windows\system32\Fnfaigif.exe
        388⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Gadnebhj.exe
        
        C:\Windows\system32\Gadnebhj.exe
        389⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Hpbmln32.exe
        
        C:\Windows\system32\Hpbmln32.exe
        390⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Hdnimlmq.exe
        
        C:\Windows\system32\Hdnimlmq.exe
        391⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Hepfdd32.exe
        
        C:\Windows\system32\Hepfdd32.exe
        392⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Hikbeckh.exe
        
        C:\Windows\system32\Hikbeckh.exe
        393⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Hlinaojl.exe
        
        C:\Windows\system32\Hlinaojl.exe
        394⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Hohjnj32.exe
        
        C:\Windows\system32\Hohjnj32.exe
        395⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Hfobog32.exe
        
        C:\Windows\system32\Hfobog32.exe
        396⤵
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Himokc32.exe
        
        C:\Windows\system32\Himokc32.exe
        397⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Hhpofppp.exe
        
        C:\Windows\system32\Hhpofppp.exe
        398⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\Hpgggmqb.exe
        
        C:\Windows\system32\Hpgggmqb.exe
        399⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Hbfcchpf.exe
        
        C:\Windows\system32\Hbfcchpf.exe
        400⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Hedopdoi.exe
        
        C:\Windows\system32\Hedopdoi.exe
        401⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Hhbklonm.exe
        
        C:\Windows\system32\Hhbklonm.exe
        402⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Hlngln32.exe
        
        C:\Windows\system32\Hlngln32.exe
        403⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Heiikc32.exe
        
        C:\Windows\system32\Heiikc32.exe
        404⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Ihgego32.exe
        
        C:\Windows\system32\Ihgego32.exe
        405⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Ikfacj32.exe
        
        C:\Windows\system32\Ikfacj32.exe
        406⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Imdmoe32.exe
        
        C:\Windows\system32\Imdmoe32.exe
        407⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Ipbjka32.exe
        
        C:\Windows\system32\Ipbjka32.exe
        408⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Imfjeefm.exe
        
        C:\Windows\system32\Imfjeefm.exe
        409⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Idpbao32.exe
        
        C:\Windows\system32\Idpbao32.exe
        410⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Ikjknief.exe
        
        C:\Windows\system32\Ikjknief.exe
        411⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Imkcpd32.exe
        
        C:\Windows\system32\Imkcpd32.exe
        412⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3524
        
        C:\Windows\SysWOW64\Ipiplp32.exe
        
        C:\Windows\system32\Ipiplp32.exe
        413⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Jjodnili.exe
        
        C:\Windows\system32\Jjodnili.exe
        414⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Jaflpfml.exe
        
        C:\Windows\system32\Jaflpfml.exe
        415⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Jdehlblp.exe
        
        C:\Windows\system32\Jdehlblp.exe
        416⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Kgcdhm32.exe
        
        C:\Windows\system32\Kgcdhm32.exe
        417⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Kmpmpd32.exe
        
        C:\Windows\system32\Kmpmpd32.exe
        418⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2628
        
        C:\Windows\SysWOW64\Kdgeaa32.exe
        
        C:\Windows\system32\Kdgeaa32.exe
        419⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Kgeamm32.exe
        
        C:\Windows\system32\Kgeamm32.exe
        420⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Kjdmih32.exe
        
        C:\Windows\system32\Kjdmih32.exe
        421⤵
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Kjfjohfa.exe
        
        C:\Windows\system32\Kjfjohfa.exe
        422⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Khijje32.exe
        
        C:\Windows\system32\Khijje32.exe
        423⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Kocbgodi.exe
        
        C:\Windows\system32\Kocbgodi.exe
        424⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Kbaocjcm.exe
        
        C:\Windows\system32\Kbaocjcm.exe
        425⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Kfmkdi32.exe
        
        C:\Windows\system32\Kfmkdi32.exe
        426⤵
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Kilgpd32.exe
        
        C:\Windows\system32\Kilgpd32.exe
        427⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Lbfhnj32.exe
        
        C:\Windows\system32\Lbfhnj32.exe
        428⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3820
        
        C:\Windows\SysWOW64\Leddke32.exe
        
        C:\Windows\system32\Leddke32.exe
        429⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Lkomgofh.exe
        
        C:\Windows\system32\Lkomgofh.exe
        430⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Lojhhn32.exe
        
        C:\Windows\system32\Lojhhn32.exe
        431⤵
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Lbiedi32.exe
        
        C:\Windows\system32\Lbiedi32.exe
        432⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Legape32.exe
        
        C:\Windows\system32\Legape32.exe
        433⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Lgemlp32.exe
        
        C:\Windows\system32\Lgemlp32.exe
        434⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Lnoeij32.exe
        
        C:\Windows\system32\Lnoeij32.exe
        435⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Lcokga32.exe
        
        C:\Windows\system32\Lcokga32.exe
        436⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Lfmgcl32.exe
        
        C:\Windows\system32\Lfmgcl32.exe
        437⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Lndodjoc.exe
        
        C:\Windows\system32\Lndodjoc.exe
        438⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Labkpeng.exe
        
        C:\Windows\system32\Labkpeng.exe
        439⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1724
        
        C:\Windows\SysWOW64\Lcaglqmk.exe
        
        C:\Windows\system32\Lcaglqmk.exe
        440⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lfochllo.exe
        
        C:\Windows\system32\Lfochllo.exe
        441⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Minpdgkb.exe
        
        C:\Windows\system32\Minpdgkb.exe
        442⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Mmilef32.exe
        
        C:\Windows\system32\Mmilef32.exe
        443⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mphhaa32.exe
        
        C:\Windows\system32\Mphhaa32.exe
        444⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Mbfdmm32.exe
        
        C:\Windows\system32\Mbfdmm32.exe
        445⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Mjmloj32.exe
        
        C:\Windows\system32\Mjmloj32.exe
        446⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Mmlhkfai.exe
        
        C:\Windows\system32\Mmlhkfai.exe
        447⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Mceagp32.exe
        
        C:\Windows\system32\Mceagp32.exe
        448⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Mfdmck32.exe
        
        C:\Windows\system32\Mfdmck32.exe
        449⤵
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Mibipg32.exe
        
        C:\Windows\system32\Mibipg32.exe
        450⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Mlaelb32.exe
        
        C:\Windows\system32\Mlaelb32.exe
        451⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\Mnoahn32.exe
        
        C:\Windows\system32\Mnoahn32.exe
        452⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Meijdhma.exe
        
        C:\Windows\system32\Meijdhma.exe
        453⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Mhgfacle.exe
        
        C:\Windows\system32\Mhgfacle.exe
        454⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mnaonmca.exe
        
        C:\Windows\system32\Mnaonmca.exe
        455⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Mekgjg32.exe
        
        C:\Windows\system32\Mekgjg32.exe
        456⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Mhjcfc32.exe
        
        C:\Windows\system32\Mhjcfc32.exe
        457⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Mjhobn32.exe
        
        C:\Windows\system32\Mjhobn32.exe
        458⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Mbpgcl32.exe
        
        C:\Windows\system32\Mbpgcl32.exe
        459⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Njklhn32.exe
        
        C:\Windows\system32\Njklhn32.exe
        460⤵
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Nmihdifg.exe
        
        C:\Windows\system32\Nmihdifg.exe
        461⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Neppeggi.exe
        
        C:\Windows\system32\Neppeggi.exe
        462⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Nfammo32.exe
        
        C:\Windows\system32\Nfammo32.exe
        463⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Nohdnl32.exe
        
        C:\Windows\system32\Nohdnl32.exe
        464⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Nkabim32.exe
        
        C:\Windows\system32\Nkabim32.exe
        465⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Nmpneh32.exe
        
        C:\Windows\system32\Nmpneh32.exe
        466⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Npojad32.exe
        
        C:\Windows\system32\Npojad32.exe
        467⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Oenpojkg.exe
        
        C:\Windows\system32\Oenpojkg.exe
        468⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Olghkd32.exe
        
        C:\Windows\system32\Olghkd32.exe
        469⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Ocaphoja.exe
        
        C:\Windows\system32\Ocaphoja.exe
        470⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Odeiefnm.exe
        
        C:\Windows\system32\Odeiefnm.exe
        471⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Ollafdoo.exe
        
        C:\Windows\system32\Ollafdoo.exe
        472⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Ooknbonb.exe
        
        C:\Windows\system32\Ooknbonb.exe
        473⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Odgfkflj.exe
        
        C:\Windows\system32\Odgfkflj.exe
        474⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ogfbgakn.exe
        
        C:\Windows\system32\Ogfbgakn.exe
        475⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Pnbgikqh.exe
        
        C:\Windows\system32\Pnbgikqh.exe
        476⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Pgmhhqee.exe
        
        C:\Windows\system32\Pgmhhqee.exe
        477⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Pjkddldi.exe
        
        C:\Windows\system32\Pjkddldi.exe
        478⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Pljapgcm.exe
        
        C:\Windows\system32\Pljapgcm.exe
        479⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Qoocmb32.exe
        
        C:\Windows\system32\Qoocmb32.exe
        480⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Qbnpim32.exe
        
        C:\Windows\system32\Qbnpim32.exe
        481⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Qdlleikp.exe
        
        C:\Windows\system32\Qdlleikp.exe
        482⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Akhqgb32.exe
        
        C:\Windows\system32\Akhqgb32.exe
        483⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Abbidmgg.exe
        
        C:\Windows\system32\Abbidmgg.exe
        484⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Accele32.exe
        
        C:\Windows\system32\Accele32.exe
        485⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Ajnnho32.exe
        
        C:\Windows\system32\Ajnnho32.exe
        486⤵
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Amljdj32.exe
        
        C:\Windows\system32\Amljdj32.exe
        487⤵
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Ajbgcnqm.exe
        
        C:\Windows\system32\Ajbgcnqm.exe
        488⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Bilmpjao.exe
        
        C:\Windows\system32\Bilmpjao.exe
        489⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Bpfeld32.exe
        
        C:\Windows\system32\Bpfeld32.exe
        490⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\Bhajaf32.exe
        
        C:\Windows\system32\Bhajaf32.exe
        491⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Bjbcbach.exe
        
        C:\Windows\system32\Bjbcbach.exe
        492⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Cmppombl.exe
        
        C:\Windows\system32\Cmppombl.exe
        493⤵
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Cnplipjo.exe
        
        C:\Windows\system32\Cnplipjo.exe
        494⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Canhekib.exe
        
        C:\Windows\system32\Canhekib.exe
        495⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Cdmdaghf.exe
        
        C:\Windows\system32\Cdmdaghf.exe
        496⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Cfkqmbgj.exe
        
        C:\Windows\system32\Cfkqmbgj.exe
        497⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Ciiminfm.exe
        
        C:\Windows\system32\Ciiminfm.exe
        498⤵
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Caqejkgp.exe
        
        C:\Windows\system32\Caqejkgp.exe
        499⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4144
        
        C:\Windows\SysWOW64\Cbbabc32.exe
        
        C:\Windows\system32\Cbbabc32.exe
        500⤵
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Ciljomdk.exe
        
        C:\Windows\system32\Ciljomdk.exe
        501⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Cpfbkgkg.exe
        
        C:\Windows\system32\Cpfbkgkg.exe
        502⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Cbdngckk.exe
        
        C:\Windows\system32\Cbdngckk.exe
        503⤵
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cphoagie.exe
        
        C:\Windows\system32\Cphoagie.exe
        504⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Cbfkmbhh.exe
        
        C:\Windows\system32\Cbfkmbhh.exe
        505⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Ciqcjm32.exe
        
        C:\Windows\system32\Ciqcjm32.exe
        506⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Dloofh32.exe
        
        C:\Windows\system32\Dloofh32.exe
        507⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Dlalkhmf.exe
        
        C:\Windows\system32\Dlalkhmf.exe
        508⤵
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Dophgclj.exe
        
        C:\Windows\system32\Dophgclj.exe
        509⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Dejqdm32.exe
        
        C:\Windows\system32\Dejqdm32.exe
        510⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Dhhmqi32.exe
        
        C:\Windows\system32\Dhhmqi32.exe
        511⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Dobemc32.exe
        
        C:\Windows\system32\Dobemc32.exe
        512⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Daqaio32.exe
        
        C:\Windows\system32\Daqaio32.exe
        513⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Ddomej32.exe
        
        C:\Windows\system32\Ddomej32.exe
        514⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Dgmjae32.exe
        
        C:\Windows\system32\Dgmjae32.exe
        515⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Dodabb32.exe
        
        C:\Windows\system32\Dodabb32.exe
        516⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Dpenjknc.exe
        
        C:\Windows\system32\Dpenjknc.exe
        517⤵
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dgpfge32.exe
        
        C:\Windows\system32\Dgpfge32.exe
        518⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Dkkbhcni.exe
        
        C:\Windows\system32\Dkkbhcni.exe
        519⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Daekdnef.exe
        
        C:\Windows\system32\Daekdnef.exe
        520⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Edcgqidi.exe
        
        C:\Windows\system32\Edcgqidi.exe
        521⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Eknomc32.exe
        
        C:\Windows\system32\Eknomc32.exe
        522⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Enlkio32.exe
        
        C:\Windows\system32\Enlkio32.exe
        523⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Edfcfibg.exe
        
        C:\Windows\system32\Edfcfibg.exe
        524⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Egdpbdaj.exe
        
        C:\Windows\system32\Egdpbdaj.exe
        525⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Ennhoo32.exe
        
        C:\Windows\system32\Ennhoo32.exe
        526⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Eopdfg32.exe
        
        C:\Windows\system32\Eopdfg32.exe
        527⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Eckqgego.exe
        
        C:\Windows\system32\Eckqgego.exe
        528⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Ejeidp32.exe
        
        C:\Windows\system32\Ejeidp32.exe
        529⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Elcepk32.exe
        
        C:\Windows\system32\Elcepk32.exe
        530⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Eapnhb32.exe
        
        C:\Windows\system32\Eapnhb32.exe
        531⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Ehjfelcc.exe
        
        C:\Windows\system32\Ehjfelcc.exe
        532⤵
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ekibagbg.exe
        
        C:\Windows\system32\Ekibagbg.exe
        533⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Eodnaf32.exe
        
        C:\Windows\system32\Eodnaf32.exe
        534⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Efnfnp32.exe
        
        C:\Windows\system32\Efnfnp32.exe
        535⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Ehmbjl32.exe
        
        C:\Windows\system32\Ehmbjl32.exe
        536⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Fkkofg32.exe
        
        C:\Windows\system32\Fkkofg32.exe
        537⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Fofkgfin.exe
        
        C:\Windows\system32\Fofkgfin.exe
        538⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Ffqcdp32.exe
        
        C:\Windows\system32\Ffqcdp32.exe
        539⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Gicejn32.exe
        
        C:\Windows\system32\Gicejn32.exe
        540⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ggfefkdo.exe
        
        C:\Windows\system32\Ggfefkdo.exe
        541⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Gnpmbe32.exe
        
        C:\Windows\system32\Gnpmbe32.exe
        542⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Gaoiop32.exe
        
        C:\Windows\system32\Gaoiop32.exe
        543⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Gifapn32.exe
        
        C:\Windows\system32\Gifapn32.exe
        544⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Gghbkjbl.exe
        
        C:\Windows\system32\Gghbkjbl.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Gjgngfap.exe
        
        C:\Windows\system32\Gjgngfap.exe
        546⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Hbnfhcbb.exe
        
        C:\Windows\system32\Hbnfhcbb.exe
        547⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Hhmkfj32.exe
        
        C:\Windows\system32\Hhmkfj32.exe
        548⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Hjlgbe32.exe
        
        C:\Windows\system32\Hjlgbe32.exe
        549⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Hmjcoq32.exe
        
        C:\Windows\system32\Hmjcoq32.exe
        550⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Hcdlkkdk.exe
        
        C:\Windows\system32\Hcdlkkdk.exe
        551⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Hfbhgf32.exe
        
        C:\Windows\system32\Hfbhgf32.exe
        552⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Hmlpdpjl.exe
        
        C:\Windows\system32\Hmlpdpjl.exe
        553⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Imoiic32.exe
        
        C:\Windows\system32\Imoiic32.exe
        554⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Jpmeeo32.exe
        
        C:\Windows\system32\Jpmeeo32.exe
        555⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4600
        
        C:\Windows\SysWOW64\Jhdnfl32.exe
        
        C:\Windows\system32\Jhdnfl32.exe
        556⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Jkbjbg32.exe
        
        C:\Windows\system32\Jkbjbg32.exe
        557⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Jalboaak.exe
        
        C:\Windows\system32\Jalboaak.exe
        558⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Jdknkmqo.exe
        
        C:\Windows\system32\Jdknkmqo.exe
        559⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Jihgcdof.exe
        
        C:\Windows\system32\Jihgcdof.exe
        560⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Jlfcoo32.exe
        
        C:\Windows\system32\Jlfcoo32.exe
        561⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Jcbhaicd.exe
        
        C:\Windows\system32\Jcbhaicd.exe
        562⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Jgndbh32.exe
        
        C:\Windows\system32\Jgndbh32.exe
        563⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Jilpnc32.exe
        
        C:\Windows\system32\Jilpnc32.exe
        564⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Jpfhkm32.exe
        
        C:\Windows\system32\Jpfhkm32.exe
        565⤵
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Jcedgi32.exe
        
        C:\Windows\system32\Jcedgi32.exe
        566⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Jecacd32.exe
        
        C:\Windows\system32\Jecacd32.exe
        567⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Kkpilk32.exe
        
        C:\Windows\system32\Kkpilk32.exe
        568⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Kajahefi.exe
        
        C:\Windows\system32\Kajahefi.exe
        569⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Khdjeo32.exe
        
        C:\Windows\system32\Khdjeo32.exe
        570⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Konbai32.exe
        
        C:\Windows\system32\Konbai32.exe
        571⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Kalnne32.exe
        
        C:\Windows\system32\Kalnne32.exe
        572⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4736
        
        C:\Windows\SysWOW64\Khffjokc.exe
        
        C:\Windows\system32\Khffjokc.exe
        573⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Knelhegh.exe
        
        C:\Windows\system32\Knelhegh.exe
        574⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Kqdhda32.exe
        
        C:\Windows\system32\Kqdhda32.exe
        575⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Kgnpaknh.exe
        
        C:\Windows\system32\Kgnpaknh.exe
        576⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Kjllmfml.exe
        
        C:\Windows\system32\Kjllmfml.exe
        577⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Kqfejq32.exe
        
        C:\Windows\system32\Kqfejq32.exe
        578⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Kcdafl32.exe
        
        C:\Windows\system32\Kcdafl32.exe
        579⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Lmmeoajm.exe
        
        C:\Windows\system32\Lmmeoajm.exe
        580⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Lgbjlj32.exe
        
        C:\Windows\system32\Lgbjlj32.exe
        581⤵
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Lmaoja32.exe
        
        C:\Windows\system32\Lmaoja32.exe
        582⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Lopkfl32.exe
        
        C:\Windows\system32\Lopkfl32.exe
        583⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Lfjccf32.exe
        
        C:\Windows\system32\Lfjccf32.exe
        584⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Lmdlpqde.exe
        
        C:\Windows\system32\Lmdlpqde.exe
        585⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Lobhllci.exe
        
        C:\Windows\system32\Lobhllci.exe
        586⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Lbqdhgbl.exe
        
        C:\Windows\system32\Lbqdhgbl.exe
        587⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Mngemh32.exe
        
        C:\Windows\system32\Mngemh32.exe
        588⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Meamib32.exe
        
        C:\Windows\system32\Meamib32.exe
        589⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mgpifn32.exe
        
        C:\Windows\system32\Mgpifn32.exe
        590⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Mjnebi32.exe
        
        C:\Windows\system32\Mjnebi32.exe
        591⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Mahnocea.exe
        
        C:\Windows\system32\Mahnocea.exe
        592⤵
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Mcgjkode.exe
        
        C:\Windows\system32\Mcgjkode.exe
        593⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Mjqbgi32.exe
        
        C:\Windows\system32\Mjqbgi32.exe
        594⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Makjdcco.exe
        
        C:\Windows\system32\Makjdcco.exe
        595⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Mgdbamjl.exe
        
        C:\Windows\system32\Mgdbamjl.exe
        596⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Mnokng32.exe
        
        C:\Windows\system32\Mnokng32.exe
        597⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Mppgephg.exe
        
        C:\Windows\system32\Mppgephg.exe
        598⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Mfjpbj32.exe
        
        C:\Windows\system32\Mfjpbj32.exe
        599⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Mihlne32.exe
        
        C:\Windows\system32\Mihlne32.exe
        600⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Maodob32.exe
        
        C:\Windows\system32\Maodob32.exe
        601⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Mbqpgk32.exe
        
        C:\Windows\system32\Mbqpgk32.exe
        602⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Njhhhh32.exe
        
        C:\Windows\system32\Njhhhh32.exe
        603⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Nfqfbi32.exe
        
        C:\Windows\system32\Nfqfbi32.exe
        604⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Niobod32.exe
        
        C:\Windows\system32\Niobod32.exe
        605⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5004
        
        C:\Windows\SysWOW64\Nlnnkp32.exe
        
        C:\Windows\system32\Nlnnkp32.exe
        606⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Noljgk32.exe
        
        C:\Windows\system32\Noljgk32.exe
        607⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Najgcf32.exe
        
        C:\Windows\system32\Najgcf32.exe
        608⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Niaodd32.exe
        
        C:\Windows\system32\Niaodd32.exe
        609⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Nlpkpo32.exe
        
        C:\Windows\system32\Nlpkpo32.exe
        610⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Nonglk32.exe
        
        C:\Windows\system32\Nonglk32.exe
        611⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Nehoiela.exe
        
        C:\Windows\system32\Nehoiela.exe
        612⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Nhglep32.exe
        
        C:\Windows\system32\Nhglep32.exe
        613⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Ogqbal32.exe
        
        C:\Windows\system32\Ogqbal32.exe
        614⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Omjjnfcd.exe
        
        C:\Windows\system32\Omjjnfcd.exe
        615⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Opifjabh.exe
        
        C:\Windows\system32\Opifjabh.exe
        616⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Obgbfmak.exe
        
        C:\Windows\system32\Obgbfmak.exe
        617⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Oefobhqo.exe
        
        C:\Windows\system32\Oefobhqo.exe
        618⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Ommgdf32.exe
        
        C:\Windows\system32\Ommgdf32.exe
        619⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Opkcpa32.exe
        
        C:\Windows\system32\Opkcpa32.exe
        620⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Ocjolm32.exe
        
        C:\Windows\system32\Ocjolm32.exe
        621⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Oehlhh32.exe
        
        C:\Windows\system32\Oehlhh32.exe
        622⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Pkjnlnin.exe
        
        C:\Windows\system32\Pkjnlnin.exe
        623⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Pnhjhjhb.exe
        
        C:\Windows\system32\Pnhjhjhb.exe
        624⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Peobighd.exe
        
        C:\Windows\system32\Peobighd.exe
        625⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Pkljan32.exe
        
        C:\Windows\system32\Pkljan32.exe
        626⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Pnjfmi32.exe
        
        C:\Windows\system32\Pnjfmi32.exe
        627⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Pafbnhni.exe
        
        C:\Windows\system32\Pafbnhni.exe
        628⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Phpkjb32.exe
        
        C:\Windows\system32\Phpkjb32.exe
        629⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Pjagbjkc.exe
        
        C:\Windows\system32\Pjagbjkc.exe
        630⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Pahochlf.exe
        
        C:\Windows\system32\Pahochlf.exe
        631⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Qcilkp32.exe
        
        C:\Windows\system32\Qcilkp32.exe
        632⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Abfomkqd.exe
        
        C:\Windows\system32\Abfomkqd.exe
        633⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Addkigph.exe
        
        C:\Windows\system32\Addkigph.exe
        634⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Amkcjdpj.exe
        
        C:\Windows\system32\Amkcjdpj.exe
        635⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Aojofp32.exe
        
        C:\Windows\system32\Aojofp32.exe
        636⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Aibcoefn.exe
        
        C:\Windows\system32\Aibcoefn.exe
        637⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3040
        
        C:\Windows\SysWOW64\Akqpkqeb.exe
        
        C:\Windows\system32\Akqpkqeb.exe
        638⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Anolglde.exe
        
        C:\Windows\system32\Anolglde.exe
        639⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Bjjfglfd.exe
        
        C:\Windows\system32\Bjjfglfd.exe
        640⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Bmibcheh.exe
        
        C:\Windows\system32\Bmibcheh.exe
        641⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2072
        
        C:\Windows\SysWOW64\Bpgopc32.exe
        
        C:\Windows\system32\Bpgopc32.exe
        642⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Bgngaq32.exe
        
        C:\Windows\system32\Bgngaq32.exe
        643⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Bipchijl.exe
        
        C:\Windows\system32\Bipchijl.exe
        644⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Bpikec32.exe
        
        C:\Windows\system32\Bpikec32.exe
        645⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Chlfjd32.exe
        
        C:\Windows\system32\Chlfjd32.exe
        646⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Cjjbfp32.exe
        
        C:\Windows\system32\Cjjbfp32.exe
        647⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Cbakgm32.exe
        
        C:\Windows\system32\Cbakgm32.exe
        648⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Cepgch32.exe
        
        C:\Windows\system32\Cepgch32.exe
        649⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Chncpd32.exe
        
        C:\Windows\system32\Chncpd32.exe
        650⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Cjlolo32.exe
        
        C:\Windows\system32\Cjlolo32.exe
        651⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Dlebdffc.exe
        
        C:\Windows\system32\Dlebdffc.exe
        652⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Dbojaq32.exe
        
        C:\Windows\system32\Dbojaq32.exe
        653⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Demfml32.exe
        
        C:\Windows\system32\Demfml32.exe
        654⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Dmdnni32.exe
        
        C:\Windows\system32\Dmdnni32.exe
        655⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Doekfacd.exe
        
        C:\Windows\system32\Doekfacd.exe
        656⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Deocblka.exe
        
        C:\Windows\system32\Deocblka.exe
        657⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Dpegpdjg.exe
        
        C:\Windows\system32\Dpegpdjg.exe
        658⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Eolafqmm.exe
        
        C:\Windows\system32\Eolafqmm.exe
        659⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Eefick32.exe
        
        C:\Windows\system32\Eefick32.exe
        660⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1504
        
        C:\Windows\SysWOW64\Eghfkcjh.exe
        
        C:\Windows\system32\Eghfkcjh.exe
        661⤵
        
        PID:580
        
        C:\Windows\SysWOW64\Enanhm32.exe
        
        C:\Windows\system32\Enanhm32.exe
        662⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:384
        
        C:\Windows\SysWOW64\Eppjdh32.exe
        
        C:\Windows\system32\Eppjdh32.exe
        663⤵
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Fnidhl32.exe
        
        C:\Windows\system32\Fnidhl32.exe
        664⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Goccfcip.exe
        
        C:\Windows\system32\Goccfcip.exe
        665⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Gbapbnid.exe
        
        C:\Windows\system32\Gbapbnid.exe
        666⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Gdplojhg.exe
        
        C:\Windows\system32\Gdplojhg.exe
        667⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2456
        
        C:\Windows\SysWOW64\Gkjdkd32.exe
        
        C:\Windows\system32\Gkjdkd32.exe
        668⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Gnhpgp32.exe
        
        C:\Windows\system32\Gnhpgp32.exe
        669⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Gdbhdife.exe
        
        C:\Windows\system32\Gdbhdife.exe
        670⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Ghnddh32.exe
        
        C:\Windows\system32\Ghnddh32.exe
        671⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Gklqqc32.exe
        
        C:\Windows\system32\Gklqqc32.exe
        672⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Gnkmmole.exe
        
        C:\Windows\system32\Gnkmmole.exe
        673⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Gcheefjm.exe
        
        C:\Windows\system32\Gcheefjm.exe
        674⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1360
        
        C:\Windows\SysWOW64\Gkonfcko.exe
        
        C:\Windows\system32\Gkonfcko.exe
        675⤵
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Gmpjnl32.exe
        
        C:\Windows\system32\Gmpjnl32.exe
        676⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Gjdjgp32.exe
        
        C:\Windows\system32\Gjdjgp32.exe
        677⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Gqnbdj32.exe
        
        C:\Windows\system32\Gqnbdj32.exe
        678⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Gclope32.exe
        
        C:\Windows\system32\Gclope32.exe
        679⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2868
        
        C:\Windows\SysWOW64\Hiighl32.exe
        
        C:\Windows\system32\Hiighl32.exe
        680⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Hbhbbqeg.exe
        
        C:\Windows\system32\Hbhbbqeg.exe
        681⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Hibjok32.exe
        
        C:\Windows\system32\Hibjok32.exe
        682⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Hlafkf32.exe
        
        C:\Windows\system32\Hlafkf32.exe
        683⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Inobga32.exe
        
        C:\Windows\system32\Inobga32.exe
        684⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 140
        685⤵
        Program crash
        
        PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ankcjpni.exe

Filesize
50KB

MD5
425e56610b9319b7026ed142c800d7b1

SHA1
fb0cc0a982ae827c296d2ca2160fc3365c5faf9f

SHA256
c15490d949b659f064c72ea30f253204636eadfc1803da71bb22efddbabf107e

SHA512
ee118ea2d79d760969ad2613aff1dbacc931a4331002ed38466c8312ccc2c8d7f79a3eb4ea5209b4d757b6c2c55345fb462c446e2a3647fbccbbf6d1332879a1

Download Submit
C:\Windows\SysWOW64\Ankcjpni.exe

Filesize
50KB

MD5
425e56610b9319b7026ed142c800d7b1

SHA1
fb0cc0a982ae827c296d2ca2160fc3365c5faf9f

SHA256
c15490d949b659f064c72ea30f253204636eadfc1803da71bb22efddbabf107e

SHA512
ee118ea2d79d760969ad2613aff1dbacc931a4331002ed38466c8312ccc2c8d7f79a3eb4ea5209b4d757b6c2c55345fb462c446e2a3647fbccbbf6d1332879a1

Download Submit
C:\Windows\SysWOW64\Bnjoicpe.exe

Filesize
50KB

MD5
340bc4e8d3e95e8419e5032fcf5da05a

SHA1
5879b5825bbaf03fe227ac3cc2c2a1efc98379bf

SHA256
66a05632eb14f719f195afae86605c4bf0387cc3f0aa252a9303226af624462e

SHA512
847ee5c849c5bf337cb98f4500290a0378edf2c673cb7cd6d730e7f0ab1ad79db3004634fae3deca538ac7e1fb2656465bdf48e473e02c2e57600bc1fb3be294

Download Submit
C:\Windows\SysWOW64\Bnjoicpe.exe

Filesize
50KB

MD5
340bc4e8d3e95e8419e5032fcf5da05a

SHA1
5879b5825bbaf03fe227ac3cc2c2a1efc98379bf

SHA256
66a05632eb14f719f195afae86605c4bf0387cc3f0aa252a9303226af624462e

SHA512
847ee5c849c5bf337cb98f4500290a0378edf2c673cb7cd6d730e7f0ab1ad79db3004634fae3deca538ac7e1fb2656465bdf48e473e02c2e57600bc1fb3be294

Download Submit
C:\Windows\SysWOW64\Cidiqona.exe

Filesize
50KB

MD5
0a7dc40b55d2d89673154dd6b72787f2

SHA1
2ba8ae9e137f68ad28d6c85bd66285886d1393f5

SHA256
fcb8e10e36bec2396bdaab818d22a67f54383d104d6f84ebce8f7715a7707ef6

SHA512
fe02b949e202102158864d2235a05d9bdfe799124b0f555fd3c4386fcea59cc0a41aec65cb726663fe96b9525c9961e65bf62a020040c06115da687faebfd0a1

Download Submit
C:\Windows\SysWOW64\Cidiqona.exe

Filesize
50KB

MD5
0a7dc40b55d2d89673154dd6b72787f2

SHA1
2ba8ae9e137f68ad28d6c85bd66285886d1393f5

SHA256
fcb8e10e36bec2396bdaab818d22a67f54383d104d6f84ebce8f7715a7707ef6

SHA512
fe02b949e202102158864d2235a05d9bdfe799124b0f555fd3c4386fcea59cc0a41aec65cb726663fe96b9525c9961e65bf62a020040c06115da687faebfd0a1

Download Submit
C:\Windows\SysWOW64\Cpgkmj32.exe

Filesize
50KB

MD5
9877f3f5c5982738bec4a65173e507d7

SHA1
0e836cc54e8dee4576c46f5e515ac623be222d89

SHA256
50f7c4450dda8d73dae5e9b84dc5862b5b3ecd83c14e3774d8560f7030018b4e

SHA512
e360dbc18e69413047eb305e3720fdf07512ec97ff8d7649a5273051433291acd4749de75fd8a537c2e42b1d8a1e3f4eddaa6dea00faeb53f1f2fbad1f16495e

Download Submit
C:\Windows\SysWOW64\Cpgkmj32.exe

Filesize
50KB

MD5
9877f3f5c5982738bec4a65173e507d7

SHA1
0e836cc54e8dee4576c46f5e515ac623be222d89

SHA256
50f7c4450dda8d73dae5e9b84dc5862b5b3ecd83c14e3774d8560f7030018b4e

SHA512
e360dbc18e69413047eb305e3720fdf07512ec97ff8d7649a5273051433291acd4749de75fd8a537c2e42b1d8a1e3f4eddaa6dea00faeb53f1f2fbad1f16495e

Download Submit
C:\Windows\SysWOW64\Ddgmgkbe.exe

Filesize
50KB

MD5
1c3da6693608894b0fc0779cf76d9dcf

SHA1
3ce17be5d09c4815c88f4196fb9bbe698e1c25c5

SHA256
7afbda03a9cc67c8453567a25ca35c98faf90991f7cdcc575b41f088dd33e46f

SHA512
eff952d7c668a5825938eae0f1c60e8bf034a388087d42fc047be944c0fc3ee992da45398bf4a8e961f3ff9a15a792356615e3d58ec6bc1af7696725fe8eeb4a

Download Submit
C:\Windows\SysWOW64\Ddgmgkbe.exe

Filesize
50KB

MD5
1c3da6693608894b0fc0779cf76d9dcf

SHA1
3ce17be5d09c4815c88f4196fb9bbe698e1c25c5

SHA256
7afbda03a9cc67c8453567a25ca35c98faf90991f7cdcc575b41f088dd33e46f

SHA512
eff952d7c668a5825938eae0f1c60e8bf034a388087d42fc047be944c0fc3ee992da45398bf4a8e961f3ff9a15a792356615e3d58ec6bc1af7696725fe8eeb4a

Download Submit
C:\Windows\SysWOW64\Dfaphg32.exe

Filesize
50KB

MD5
4f65b6f50351a2908ec8c4e33ccf183e

SHA1
b9b4796c4b26afd3eee4337008763b700ff85592

SHA256
8f4fcae5e494f49a30e118e5aca48f2069fc79a51adb6b7be8b10c30ff351488

SHA512
6a81cc70585547dcdcfdd53d8136702155a49de57a42266a28d135cf181c57a9d5fa7690162227ea0e58fb5fc626c889bd619b2443a54d2df799d941c166ac99

Download Submit
C:\Windows\SysWOW64\Dfaphg32.exe

Filesize
50KB

MD5
4f65b6f50351a2908ec8c4e33ccf183e

SHA1
b9b4796c4b26afd3eee4337008763b700ff85592

SHA256
8f4fcae5e494f49a30e118e5aca48f2069fc79a51adb6b7be8b10c30ff351488

SHA512
6a81cc70585547dcdcfdd53d8136702155a49de57a42266a28d135cf181c57a9d5fa7690162227ea0e58fb5fc626c889bd619b2443a54d2df799d941c166ac99

Download Submit
C:\Windows\SysWOW64\Eidepbal.exe

Filesize
50KB

MD5
dc0f2dd7fe6e2483b19769c8bf40fe58

SHA1
030729cde7ad23dd331ee2e8ad6e496baf4c5e32

SHA256
d788000c7146c370bc98868d814d4ea1d9a583001e2afcb7d4f09f6eddb7cccf

SHA512
a2708a05991cb8fffc23b0b7e0794eb00df725f76a4057a7f4b9c90507d5f19eef25b6313b73741b09d186880d09b8f7f53c0acf0721f42abce73de00669b0d5

Download Submit
C:\Windows\SysWOW64\Eidepbal.exe

Filesize
50KB

MD5
dc0f2dd7fe6e2483b19769c8bf40fe58

SHA1
030729cde7ad23dd331ee2e8ad6e496baf4c5e32

SHA256
d788000c7146c370bc98868d814d4ea1d9a583001e2afcb7d4f09f6eddb7cccf

SHA512
a2708a05991cb8fffc23b0b7e0794eb00df725f76a4057a7f4b9c90507d5f19eef25b6313b73741b09d186880d09b8f7f53c0acf0721f42abce73de00669b0d5

Download Submit
C:\Windows\SysWOW64\Ihkkna32.exe

Filesize
50KB

MD5
0db53137771fd9b8ac57da0339098f31

SHA1
adcc50ed67039c720d787189470f4607cb5ec586

SHA256
be6bdeaf97dae9ceb6931d449825a0804d72ded5c2a864e623c79c94029f37b0

SHA512
cdf9bd4e49f9739a543425af2c61aec42c6af57ff6ead3fdf6a22a7ba9784078e7ddca5e99ab2ad6978f318620338cd071cd0a6417774a115847514251b219bf

Download Submit
C:\Windows\SysWOW64\Ihkkna32.exe

Filesize
50KB

MD5
0db53137771fd9b8ac57da0339098f31

SHA1
adcc50ed67039c720d787189470f4607cb5ec586

SHA256
be6bdeaf97dae9ceb6931d449825a0804d72ded5c2a864e623c79c94029f37b0

SHA512
cdf9bd4e49f9739a543425af2c61aec42c6af57ff6ead3fdf6a22a7ba9784078e7ddca5e99ab2ad6978f318620338cd071cd0a6417774a115847514251b219bf

Download Submit
C:\Windows\SysWOW64\Neoipm32.exe

Filesize
50KB

MD5
62e15cbe79f21251747a46bb7414fbd9

SHA1
3c789345c2c7a061f22f27a396dacbdbb6e0214b

SHA256
c844fa6cbeb59b2a5718ea04b61fc854ab8f5a80dbae2abdee66db1b19d2fceb

SHA512
0eee8f060c11b8786aca32598901583d293b01b353c547c2700d949be8e4a8118ea7e9b726ce5f052972977ce6a998192bbbf461c80a19f80765ea44332005d9

Download Submit
C:\Windows\SysWOW64\Neoipm32.exe

Filesize
50KB

MD5
62e15cbe79f21251747a46bb7414fbd9

SHA1
3c789345c2c7a061f22f27a396dacbdbb6e0214b

SHA256
c844fa6cbeb59b2a5718ea04b61fc854ab8f5a80dbae2abdee66db1b19d2fceb

SHA512
0eee8f060c11b8786aca32598901583d293b01b353c547c2700d949be8e4a8118ea7e9b726ce5f052972977ce6a998192bbbf461c80a19f80765ea44332005d9

Download Submit
C:\Windows\SysWOW64\Njckjp32.exe

Filesize
50KB

MD5
6593824d72fc35ee8ab43bf5f684bc9c

SHA1
6bdc03b0f4604cf651c61f1d44c4a7853c50888a

SHA256
6340894b03cf34474f7821aca53476dac474de8b33ad67f349fb5fcdbaa65f16

SHA512
1283481bef9dd6cba28203a1d2074460c26b9be2b9819fe00860fc6dab638635107e0922f40d270a98148c9b4b61d995e340e7e92b6dfc7f3fdf01989b17b8ba

Download Submit
C:\Windows\SysWOW64\Njckjp32.exe

Filesize
50KB

MD5
6593824d72fc35ee8ab43bf5f684bc9c

SHA1
6bdc03b0f4604cf651c61f1d44c4a7853c50888a

SHA256
6340894b03cf34474f7821aca53476dac474de8b33ad67f349fb5fcdbaa65f16

SHA512
1283481bef9dd6cba28203a1d2074460c26b9be2b9819fe00860fc6dab638635107e0922f40d270a98148c9b4b61d995e340e7e92b6dfc7f3fdf01989b17b8ba

Download Submit
C:\Windows\SysWOW64\Nppdbf32.exe

Filesize
50KB

MD5
dd290a9d2ce9a9f62c0178d1d0cdc8fe

SHA1
d902f057bd43a9d59ea08a808a7f418233d2f7ac

SHA256
544d1ce22fef87e4988be49ef7e996624554d0fb821595dde38599460aeee55b

SHA512
1bf3f4e068e2bdfbde8effd32b1d339cf0da2bde77869d81e39e2fa475fb6582321dcd6d34df2ac3eacfa09a9809cbe0593fd84479cbf34952cd31bfc8d0ae8d

Download Submit
C:\Windows\SysWOW64\Nppdbf32.exe

Filesize
50KB

MD5
dd290a9d2ce9a9f62c0178d1d0cdc8fe

SHA1
d902f057bd43a9d59ea08a808a7f418233d2f7ac

SHA256
544d1ce22fef87e4988be49ef7e996624554d0fb821595dde38599460aeee55b

SHA512
1bf3f4e068e2bdfbde8effd32b1d339cf0da2bde77869d81e39e2fa475fb6582321dcd6d34df2ac3eacfa09a9809cbe0593fd84479cbf34952cd31bfc8d0ae8d

Download Submit
C:\Windows\SysWOW64\Ohbogh32.exe

Filesize
50KB

MD5
e51d70d889b96aed90459132dc8c652b

SHA1
7e7c02efbb1ddc95cf4c91d404efc6cf67404d8b

SHA256
50b35e1775151e58dfb6803190d38b85cc0e5293c1666ede64a205c69cd08de2

SHA512
3f10c12d7e0d9b0ebf1b2d7d1832203e0aaa175a259851316eb8f518944b525ec1cc17c57ff464532bc3ade70f05f438c8607a3f9f97d1784016e89a835be12f

Download Submit
C:\Windows\SysWOW64\Ohbogh32.exe

Filesize
50KB

MD5
e51d70d889b96aed90459132dc8c652b

SHA1
7e7c02efbb1ddc95cf4c91d404efc6cf67404d8b

SHA256
50b35e1775151e58dfb6803190d38b85cc0e5293c1666ede64a205c69cd08de2

SHA512
3f10c12d7e0d9b0ebf1b2d7d1832203e0aaa175a259851316eb8f518944b525ec1cc17c57ff464532bc3ade70f05f438c8607a3f9f97d1784016e89a835be12f

Download Submit
C:\Windows\SysWOW64\Pcjlicgb.exe

Filesize
50KB

MD5
8bcc1e7d05b51422612d571b64768064

SHA1
daa05c1d9cf8dc294ce907f5f17fd022758f786b

SHA256
a0f7a2a8744737fb00a140c696d70ed098f3c3b7522fbdc6ca7046bed3cf7fa5

SHA512
77026c57d910ebad862f4526836aa79646e244f1e147ebaebd435a856c63153cdb63cb9fbd5da8925afab7e3146d8c4453a294fccf7c034fc468a173cdf344ff

Download Submit
C:\Windows\SysWOW64\Pcjlicgb.exe

Filesize
50KB

MD5
8bcc1e7d05b51422612d571b64768064

SHA1
daa05c1d9cf8dc294ce907f5f17fd022758f786b

SHA256
a0f7a2a8744737fb00a140c696d70ed098f3c3b7522fbdc6ca7046bed3cf7fa5

SHA512
77026c57d910ebad862f4526836aa79646e244f1e147ebaebd435a856c63153cdb63cb9fbd5da8925afab7e3146d8c4453a294fccf7c034fc468a173cdf344ff

Download Submit
C:\Windows\SysWOW64\Piagpnqb.exe

Filesize
50KB

MD5
050c2cd6fef86aae38fe954a55e7f5fc

SHA1
eab8d745201fbde822079f63c70b9948b3b192f1

SHA256
a996fa992a5e92f3f884ce82bd5836c8c09f084dbbfcc4272d1506ba6eba72e8

SHA512
abcb789234679c8c7baee5b68051fc66121587f2f881a563f3b686d8a6320bd6ea4a38c93a8e5327ed9bafec180c8cff3d9a3b9373c8a1f1dbb87b650c838d76

Download Submit
C:\Windows\SysWOW64\Piagpnqb.exe

Filesize
50KB

MD5
050c2cd6fef86aae38fe954a55e7f5fc

SHA1
eab8d745201fbde822079f63c70b9948b3b192f1

SHA256
a996fa992a5e92f3f884ce82bd5836c8c09f084dbbfcc4272d1506ba6eba72e8

SHA512
abcb789234679c8c7baee5b68051fc66121587f2f881a563f3b686d8a6320bd6ea4a38c93a8e5327ed9bafec180c8cff3d9a3b9373c8a1f1dbb87b650c838d76

Download Submit
C:\Windows\SysWOW64\Polcceal.exe

Filesize
50KB

MD5
238a6ab1f5b2cc35bc784b0b694b264c

SHA1
f06d24f1f773feba3ebbfcc13b447b0a84b6c180

SHA256
8765ba84cc5cdc7d8970fc2d8d474ad9472c740697eb146c25b9d6081e4876d2

SHA512
96a4d2a3b1b8e70bcbcfa18e5204e13885311656575a511afd126fba90cc288c14f05d1d5a02f5f838801f529ee11701f6d54d749538d4285e0a093d4d0ab304

Download Submit
C:\Windows\SysWOW64\Polcceal.exe

Filesize
50KB

MD5
238a6ab1f5b2cc35bc784b0b694b264c

SHA1
f06d24f1f773feba3ebbfcc13b447b0a84b6c180

SHA256
8765ba84cc5cdc7d8970fc2d8d474ad9472c740697eb146c25b9d6081e4876d2

SHA512
96a4d2a3b1b8e70bcbcfa18e5204e13885311656575a511afd126fba90cc288c14f05d1d5a02f5f838801f529ee11701f6d54d749538d4285e0a093d4d0ab304

Download Submit
C:\Windows\SysWOW64\Qaoijp32.exe

Filesize
50KB

MD5
3abecccb775c0ae7e34a188d24523250

SHA1
ecf6e81f8de7c14365c1cda3528c66c85e866a28

SHA256
31725418f78b09265f7b824e6aa8b60f0df62642e0530f2100ba469f2b0d356f

SHA512
490bc74611fa0fe93a1d890f4e57c4ad32c14429cf973d5cfc8c6ee2cf49171207013ad6c8f38a509ed321f6e8c21cb04499097bfa1327ff135822b90408c1d8

Download Submit
C:\Windows\SysWOW64\Qaoijp32.exe

Filesize
50KB

MD5
3abecccb775c0ae7e34a188d24523250

SHA1
ecf6e81f8de7c14365c1cda3528c66c85e866a28

SHA256
31725418f78b09265f7b824e6aa8b60f0df62642e0530f2100ba469f2b0d356f

SHA512
490bc74611fa0fe93a1d890f4e57c4ad32c14429cf973d5cfc8c6ee2cf49171207013ad6c8f38a509ed321f6e8c21cb04499097bfa1327ff135822b90408c1d8

Download Submit
\Windows\SysWOW64\Ankcjpni.exe

Filesize
50KB

MD5
425e56610b9319b7026ed142c800d7b1

SHA1
fb0cc0a982ae827c296d2ca2160fc3365c5faf9f

SHA256
c15490d949b659f064c72ea30f253204636eadfc1803da71bb22efddbabf107e

SHA512
ee118ea2d79d760969ad2613aff1dbacc931a4331002ed38466c8312ccc2c8d7f79a3eb4ea5209b4d757b6c2c55345fb462c446e2a3647fbccbbf6d1332879a1

Download Submit
\Windows\SysWOW64\Ankcjpni.exe

Filesize
50KB

MD5
425e56610b9319b7026ed142c800d7b1

SHA1
fb0cc0a982ae827c296d2ca2160fc3365c5faf9f

SHA256
c15490d949b659f064c72ea30f253204636eadfc1803da71bb22efddbabf107e

SHA512
ee118ea2d79d760969ad2613aff1dbacc931a4331002ed38466c8312ccc2c8d7f79a3eb4ea5209b4d757b6c2c55345fb462c446e2a3647fbccbbf6d1332879a1

Download Submit
\Windows\SysWOW64\Bnjoicpe.exe

Filesize
50KB

MD5
340bc4e8d3e95e8419e5032fcf5da05a

SHA1
5879b5825bbaf03fe227ac3cc2c2a1efc98379bf

SHA256
66a05632eb14f719f195afae86605c4bf0387cc3f0aa252a9303226af624462e

SHA512
847ee5c849c5bf337cb98f4500290a0378edf2c673cb7cd6d730e7f0ab1ad79db3004634fae3deca538ac7e1fb2656465bdf48e473e02c2e57600bc1fb3be294

Download Submit
\Windows\SysWOW64\Bnjoicpe.exe

Filesize
50KB

MD5
340bc4e8d3e95e8419e5032fcf5da05a

SHA1
5879b5825bbaf03fe227ac3cc2c2a1efc98379bf

SHA256
66a05632eb14f719f195afae86605c4bf0387cc3f0aa252a9303226af624462e

SHA512
847ee5c849c5bf337cb98f4500290a0378edf2c673cb7cd6d730e7f0ab1ad79db3004634fae3deca538ac7e1fb2656465bdf48e473e02c2e57600bc1fb3be294

Download Submit
\Windows\SysWOW64\Cidiqona.exe

Filesize
50KB

MD5
0a7dc40b55d2d89673154dd6b72787f2

SHA1
2ba8ae9e137f68ad28d6c85bd66285886d1393f5

SHA256
fcb8e10e36bec2396bdaab818d22a67f54383d104d6f84ebce8f7715a7707ef6

SHA512
fe02b949e202102158864d2235a05d9bdfe799124b0f555fd3c4386fcea59cc0a41aec65cb726663fe96b9525c9961e65bf62a020040c06115da687faebfd0a1

Download Submit
\Windows\SysWOW64\Cidiqona.exe

Filesize
50KB

MD5
0a7dc40b55d2d89673154dd6b72787f2

SHA1
2ba8ae9e137f68ad28d6c85bd66285886d1393f5

SHA256
fcb8e10e36bec2396bdaab818d22a67f54383d104d6f84ebce8f7715a7707ef6

SHA512
fe02b949e202102158864d2235a05d9bdfe799124b0f555fd3c4386fcea59cc0a41aec65cb726663fe96b9525c9961e65bf62a020040c06115da687faebfd0a1

Download Submit
\Windows\SysWOW64\Cpgkmj32.exe

Filesize
50KB

MD5
9877f3f5c5982738bec4a65173e507d7

SHA1
0e836cc54e8dee4576c46f5e515ac623be222d89

SHA256
50f7c4450dda8d73dae5e9b84dc5862b5b3ecd83c14e3774d8560f7030018b4e

SHA512
e360dbc18e69413047eb305e3720fdf07512ec97ff8d7649a5273051433291acd4749de75fd8a537c2e42b1d8a1e3f4eddaa6dea00faeb53f1f2fbad1f16495e

Download Submit
\Windows\SysWOW64\Cpgkmj32.exe

Filesize
50KB

MD5
9877f3f5c5982738bec4a65173e507d7

SHA1
0e836cc54e8dee4576c46f5e515ac623be222d89

SHA256
50f7c4450dda8d73dae5e9b84dc5862b5b3ecd83c14e3774d8560f7030018b4e

SHA512
e360dbc18e69413047eb305e3720fdf07512ec97ff8d7649a5273051433291acd4749de75fd8a537c2e42b1d8a1e3f4eddaa6dea00faeb53f1f2fbad1f16495e

Download Submit
\Windows\SysWOW64\Ddgmgkbe.exe

Filesize
50KB

MD5
1c3da6693608894b0fc0779cf76d9dcf

SHA1
3ce17be5d09c4815c88f4196fb9bbe698e1c25c5

SHA256
7afbda03a9cc67c8453567a25ca35c98faf90991f7cdcc575b41f088dd33e46f

SHA512
eff952d7c668a5825938eae0f1c60e8bf034a388087d42fc047be944c0fc3ee992da45398bf4a8e961f3ff9a15a792356615e3d58ec6bc1af7696725fe8eeb4a

Download Submit
\Windows\SysWOW64\Ddgmgkbe.exe

Filesize
50KB

MD5
1c3da6693608894b0fc0779cf76d9dcf

SHA1
3ce17be5d09c4815c88f4196fb9bbe698e1c25c5

SHA256
7afbda03a9cc67c8453567a25ca35c98faf90991f7cdcc575b41f088dd33e46f

SHA512
eff952d7c668a5825938eae0f1c60e8bf034a388087d42fc047be944c0fc3ee992da45398bf4a8e961f3ff9a15a792356615e3d58ec6bc1af7696725fe8eeb4a

Download Submit
\Windows\SysWOW64\Dfaphg32.exe

Filesize
50KB

MD5
4f65b6f50351a2908ec8c4e33ccf183e

SHA1
b9b4796c4b26afd3eee4337008763b700ff85592

SHA256
8f4fcae5e494f49a30e118e5aca48f2069fc79a51adb6b7be8b10c30ff351488

SHA512
6a81cc70585547dcdcfdd53d8136702155a49de57a42266a28d135cf181c57a9d5fa7690162227ea0e58fb5fc626c889bd619b2443a54d2df799d941c166ac99

Download Submit
\Windows\SysWOW64\Dfaphg32.exe

Filesize
50KB

MD5
4f65b6f50351a2908ec8c4e33ccf183e

SHA1
b9b4796c4b26afd3eee4337008763b700ff85592

SHA256
8f4fcae5e494f49a30e118e5aca48f2069fc79a51adb6b7be8b10c30ff351488

SHA512
6a81cc70585547dcdcfdd53d8136702155a49de57a42266a28d135cf181c57a9d5fa7690162227ea0e58fb5fc626c889bd619b2443a54d2df799d941c166ac99

Download Submit
\Windows\SysWOW64\Eidepbal.exe

Filesize
50KB

MD5
dc0f2dd7fe6e2483b19769c8bf40fe58

SHA1
030729cde7ad23dd331ee2e8ad6e496baf4c5e32

SHA256
d788000c7146c370bc98868d814d4ea1d9a583001e2afcb7d4f09f6eddb7cccf

SHA512
a2708a05991cb8fffc23b0b7e0794eb00df725f76a4057a7f4b9c90507d5f19eef25b6313b73741b09d186880d09b8f7f53c0acf0721f42abce73de00669b0d5

Download Submit
\Windows\SysWOW64\Eidepbal.exe

Filesize
50KB

MD5
dc0f2dd7fe6e2483b19769c8bf40fe58

SHA1
030729cde7ad23dd331ee2e8ad6e496baf4c5e32

SHA256
d788000c7146c370bc98868d814d4ea1d9a583001e2afcb7d4f09f6eddb7cccf

SHA512
a2708a05991cb8fffc23b0b7e0794eb00df725f76a4057a7f4b9c90507d5f19eef25b6313b73741b09d186880d09b8f7f53c0acf0721f42abce73de00669b0d5

Download Submit
\Windows\SysWOW64\Ihkkna32.exe

Filesize
50KB

MD5
0db53137771fd9b8ac57da0339098f31

SHA1
adcc50ed67039c720d787189470f4607cb5ec586

SHA256
be6bdeaf97dae9ceb6931d449825a0804d72ded5c2a864e623c79c94029f37b0

SHA512
cdf9bd4e49f9739a543425af2c61aec42c6af57ff6ead3fdf6a22a7ba9784078e7ddca5e99ab2ad6978f318620338cd071cd0a6417774a115847514251b219bf

Download Submit
\Windows\SysWOW64\Ihkkna32.exe

Filesize
50KB

MD5
0db53137771fd9b8ac57da0339098f31

SHA1
adcc50ed67039c720d787189470f4607cb5ec586

SHA256
be6bdeaf97dae9ceb6931d449825a0804d72ded5c2a864e623c79c94029f37b0

SHA512
cdf9bd4e49f9739a543425af2c61aec42c6af57ff6ead3fdf6a22a7ba9784078e7ddca5e99ab2ad6978f318620338cd071cd0a6417774a115847514251b219bf

Download Submit
\Windows\SysWOW64\Neoipm32.exe

Filesize
50KB

MD5
62e15cbe79f21251747a46bb7414fbd9

SHA1
3c789345c2c7a061f22f27a396dacbdbb6e0214b

SHA256
c844fa6cbeb59b2a5718ea04b61fc854ab8f5a80dbae2abdee66db1b19d2fceb

SHA512
0eee8f060c11b8786aca32598901583d293b01b353c547c2700d949be8e4a8118ea7e9b726ce5f052972977ce6a998192bbbf461c80a19f80765ea44332005d9

Download Submit
\Windows\SysWOW64\Neoipm32.exe

Filesize
50KB

MD5
62e15cbe79f21251747a46bb7414fbd9

SHA1
3c789345c2c7a061f22f27a396dacbdbb6e0214b

SHA256
c844fa6cbeb59b2a5718ea04b61fc854ab8f5a80dbae2abdee66db1b19d2fceb

SHA512
0eee8f060c11b8786aca32598901583d293b01b353c547c2700d949be8e4a8118ea7e9b726ce5f052972977ce6a998192bbbf461c80a19f80765ea44332005d9

Download Submit
\Windows\SysWOW64\Njckjp32.exe

Filesize
50KB

MD5
6593824d72fc35ee8ab43bf5f684bc9c

SHA1
6bdc03b0f4604cf651c61f1d44c4a7853c50888a

SHA256
6340894b03cf34474f7821aca53476dac474de8b33ad67f349fb5fcdbaa65f16

SHA512
1283481bef9dd6cba28203a1d2074460c26b9be2b9819fe00860fc6dab638635107e0922f40d270a98148c9b4b61d995e340e7e92b6dfc7f3fdf01989b17b8ba

Download Submit
\Windows\SysWOW64\Njckjp32.exe

Filesize
50KB

MD5
6593824d72fc35ee8ab43bf5f684bc9c

SHA1
6bdc03b0f4604cf651c61f1d44c4a7853c50888a

SHA256
6340894b03cf34474f7821aca53476dac474de8b33ad67f349fb5fcdbaa65f16

SHA512
1283481bef9dd6cba28203a1d2074460c26b9be2b9819fe00860fc6dab638635107e0922f40d270a98148c9b4b61d995e340e7e92b6dfc7f3fdf01989b17b8ba

Download Submit
\Windows\SysWOW64\Nppdbf32.exe

Filesize
50KB

MD5
dd290a9d2ce9a9f62c0178d1d0cdc8fe

SHA1
d902f057bd43a9d59ea08a808a7f418233d2f7ac

SHA256
544d1ce22fef87e4988be49ef7e996624554d0fb821595dde38599460aeee55b

SHA512
1bf3f4e068e2bdfbde8effd32b1d339cf0da2bde77869d81e39e2fa475fb6582321dcd6d34df2ac3eacfa09a9809cbe0593fd84479cbf34952cd31bfc8d0ae8d

Download Submit
\Windows\SysWOW64\Nppdbf32.exe

Filesize
50KB

MD5
dd290a9d2ce9a9f62c0178d1d0cdc8fe

SHA1
d902f057bd43a9d59ea08a808a7f418233d2f7ac

SHA256
544d1ce22fef87e4988be49ef7e996624554d0fb821595dde38599460aeee55b

SHA512
1bf3f4e068e2bdfbde8effd32b1d339cf0da2bde77869d81e39e2fa475fb6582321dcd6d34df2ac3eacfa09a9809cbe0593fd84479cbf34952cd31bfc8d0ae8d

Download Submit
\Windows\SysWOW64\Ohbogh32.exe

Filesize
50KB

MD5
e51d70d889b96aed90459132dc8c652b

SHA1
7e7c02efbb1ddc95cf4c91d404efc6cf67404d8b

SHA256
50b35e1775151e58dfb6803190d38b85cc0e5293c1666ede64a205c69cd08de2

SHA512
3f10c12d7e0d9b0ebf1b2d7d1832203e0aaa175a259851316eb8f518944b525ec1cc17c57ff464532bc3ade70f05f438c8607a3f9f97d1784016e89a835be12f

Download Submit
\Windows\SysWOW64\Ohbogh32.exe

Filesize
50KB

MD5
e51d70d889b96aed90459132dc8c652b

SHA1
7e7c02efbb1ddc95cf4c91d404efc6cf67404d8b

SHA256
50b35e1775151e58dfb6803190d38b85cc0e5293c1666ede64a205c69cd08de2

SHA512
3f10c12d7e0d9b0ebf1b2d7d1832203e0aaa175a259851316eb8f518944b525ec1cc17c57ff464532bc3ade70f05f438c8607a3f9f97d1784016e89a835be12f

Download Submit
\Windows\SysWOW64\Pcjlicgb.exe

Filesize
50KB

MD5
8bcc1e7d05b51422612d571b64768064

SHA1
daa05c1d9cf8dc294ce907f5f17fd022758f786b

SHA256
a0f7a2a8744737fb00a140c696d70ed098f3c3b7522fbdc6ca7046bed3cf7fa5

SHA512
77026c57d910ebad862f4526836aa79646e244f1e147ebaebd435a856c63153cdb63cb9fbd5da8925afab7e3146d8c4453a294fccf7c034fc468a173cdf344ff

Download Submit
\Windows\SysWOW64\Pcjlicgb.exe

Filesize
50KB

MD5
8bcc1e7d05b51422612d571b64768064

SHA1
daa05c1d9cf8dc294ce907f5f17fd022758f786b

SHA256
a0f7a2a8744737fb00a140c696d70ed098f3c3b7522fbdc6ca7046bed3cf7fa5

SHA512
77026c57d910ebad862f4526836aa79646e244f1e147ebaebd435a856c63153cdb63cb9fbd5da8925afab7e3146d8c4453a294fccf7c034fc468a173cdf344ff

Download Submit
\Windows\SysWOW64\Piagpnqb.exe

Filesize
50KB

MD5
050c2cd6fef86aae38fe954a55e7f5fc

SHA1
eab8d745201fbde822079f63c70b9948b3b192f1

SHA256
a996fa992a5e92f3f884ce82bd5836c8c09f084dbbfcc4272d1506ba6eba72e8

SHA512
abcb789234679c8c7baee5b68051fc66121587f2f881a563f3b686d8a6320bd6ea4a38c93a8e5327ed9bafec180c8cff3d9a3b9373c8a1f1dbb87b650c838d76

Download Submit
\Windows\SysWOW64\Piagpnqb.exe

Filesize
50KB

MD5
050c2cd6fef86aae38fe954a55e7f5fc

SHA1
eab8d745201fbde822079f63c70b9948b3b192f1

SHA256
a996fa992a5e92f3f884ce82bd5836c8c09f084dbbfcc4272d1506ba6eba72e8

SHA512
abcb789234679c8c7baee5b68051fc66121587f2f881a563f3b686d8a6320bd6ea4a38c93a8e5327ed9bafec180c8cff3d9a3b9373c8a1f1dbb87b650c838d76

Download Submit
\Windows\SysWOW64\Polcceal.exe

Filesize
50KB

MD5
238a6ab1f5b2cc35bc784b0b694b264c

SHA1
f06d24f1f773feba3ebbfcc13b447b0a84b6c180

SHA256
8765ba84cc5cdc7d8970fc2d8d474ad9472c740697eb146c25b9d6081e4876d2

SHA512
96a4d2a3b1b8e70bcbcfa18e5204e13885311656575a511afd126fba90cc288c14f05d1d5a02f5f838801f529ee11701f6d54d749538d4285e0a093d4d0ab304

Download Submit
\Windows\SysWOW64\Polcceal.exe

Filesize
50KB

MD5
238a6ab1f5b2cc35bc784b0b694b264c

SHA1
f06d24f1f773feba3ebbfcc13b447b0a84b6c180

SHA256
8765ba84cc5cdc7d8970fc2d8d474ad9472c740697eb146c25b9d6081e4876d2

SHA512
96a4d2a3b1b8e70bcbcfa18e5204e13885311656575a511afd126fba90cc288c14f05d1d5a02f5f838801f529ee11701f6d54d749538d4285e0a093d4d0ab304

Download Submit
\Windows\SysWOW64\Qaoijp32.exe

Filesize
50KB

MD5
3abecccb775c0ae7e34a188d24523250

SHA1
ecf6e81f8de7c14365c1cda3528c66c85e866a28

SHA256
31725418f78b09265f7b824e6aa8b60f0df62642e0530f2100ba469f2b0d356f

SHA512
490bc74611fa0fe93a1d890f4e57c4ad32c14429cf973d5cfc8c6ee2cf49171207013ad6c8f38a509ed321f6e8c21cb04499097bfa1327ff135822b90408c1d8

Download Submit
\Windows\SysWOW64\Qaoijp32.exe

Filesize
50KB

MD5
3abecccb775c0ae7e34a188d24523250

SHA1
ecf6e81f8de7c14365c1cda3528c66c85e866a28

SHA256
31725418f78b09265f7b824e6aa8b60f0df62642e0530f2100ba469f2b0d356f

SHA512
490bc74611fa0fe93a1d890f4e57c4ad32c14429cf973d5cfc8c6ee2cf49171207013ad6c8f38a509ed321f6e8c21cb04499097bfa1327ff135822b90408c1d8

Download Submit
memory/240-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/240-154-0x0000000000000000-mapping.dmp

Download
memory/280-58-0x0000000000000000-mapping.dmp

Download
memory/280-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/280-73-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/384-93-0x0000000000000000-mapping.dmp

Download
memory/384-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/432-276-0x0000000000000000-mapping.dmp

Download
memory/552-299-0x0000000000000000-mapping.dmp

Download
memory/564-190-0x0000000000000000-mapping.dmp

Download
memory/564-201-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/564-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/580-131-0x0000000000000000-mapping.dmp

Download
memory/580-160-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/580-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/660-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/660-155-0x0000000000000000-mapping.dmp

Download
memory/664-228-0x0000000000000000-mapping.dmp

Download
memory/760-169-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/760-159-0x0000000000000000-mapping.dmp

Download
memory/788-278-0x0000000000000000-mapping.dmp

Download
memory/924-83-0x0000000000000000-mapping.dmp

Download
memory/924-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/944-198-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/944-189-0x0000000000000000-mapping.dmp

Download
memory/944-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/944-199-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/956-237-0x0000000000000000-mapping.dmp

Download
memory/984-113-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/984-134-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/984-103-0x0000000000000000-mapping.dmp

Download
memory/996-236-0x0000000000000000-mapping.dmp

Download
memory/1064-211-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1064-203-0x0000000000000000-mapping.dmp

Download
memory/1064-210-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1072-227-0x0000000000000000-mapping.dmp

Download
memory/1076-225-0x0000000000000000-mapping.dmp

Download
memory/1132-275-0x0000000000000000-mapping.dmp

Download
memory/1164-207-0x0000000000000000-mapping.dmp

Download
memory/1252-294-0x0000000000000000-mapping.dmp

Download
memory/1260-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-98-0x0000000000000000-mapping.dmp

Download
memory/1284-116-0x0000000000000000-mapping.dmp

Download
memory/1284-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1300-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1300-186-0x0000000000000000-mapping.dmp

Download
memory/1300-195-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1300-196-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1456-141-0x0000000000000000-mapping.dmp

Download
memory/1456-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1508-232-0x0000000000000000-mapping.dmp

Download
memory/1520-233-0x0000000000000000-mapping.dmp

Download
memory/1524-279-0x0000000000000000-mapping.dmp

Download
memory/1540-110-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-88-0x0000000000000000-mapping.dmp

Download
memory/1552-226-0x0000000000000000-mapping.dmp

Download
memory/1556-230-0x0000000000000000-mapping.dmp

Download
memory/1564-157-0x0000000000000000-mapping.dmp

Download
memory/1564-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1596-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1596-205-0x0000000000000000-mapping.dmp

Download
memory/1596-218-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1596-217-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1608-295-0x0000000000000000-mapping.dmp

Download
memory/1616-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-156-0x0000000000000000-mapping.dmp

Download
memory/1632-170-0x0000000000000000-mapping.dmp

Download
memory/1632-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1648-206-0x0000000000000000-mapping.dmp

Download
memory/1648-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1648-220-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1652-231-0x0000000000000000-mapping.dmp

Download
memory/1660-215-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1660-214-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1660-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1660-204-0x0000000000000000-mapping.dmp

Download
memory/1668-191-0x0000000000000000-mapping.dmp

Download
memory/1668-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1668-209-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1696-229-0x0000000000000000-mapping.dmp

Download
memory/1704-235-0x0000000000000000-mapping.dmp

Download
memory/1708-296-0x0000000000000000-mapping.dmp

Download
memory/1712-208-0x0000000000000000-mapping.dmp

Download
memory/1716-185-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1716-187-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1716-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-174-0x0000000000000000-mapping.dmp

Download
memory/1720-297-0x0000000000000000-mapping.dmp

Download
memory/1728-158-0x0000000000000000-mapping.dmp

Download
memory/1728-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1732-126-0x0000000000000000-mapping.dmp

Download
memory/1732-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1748-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-277-0x0000000000000000-mapping.dmp

Download
memory/1808-212-0x0000000000000000-mapping.dmp

Download
memory/1816-71-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1816-56-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1816-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1868-298-0x0000000000000000-mapping.dmp

Download
memory/1880-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-146-0x0000000000000000-mapping.dmp

Download
memory/1924-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1924-121-0x0000000000000000-mapping.dmp

Download
memory/1940-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1940-78-0x0000000000000000-mapping.dmp

Download
memory/1944-175-0x0000000000000000-mapping.dmp

Download
memory/1944-192-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1944-193-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1944-188-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-280-0x0000000000000000-mapping.dmp

Download
memory/1952-172-0x0000000000000000-mapping.dmp

Download
memory/1952-180-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1952-179-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1952-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1996-182-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1996-183-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1996-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1996-173-0x0000000000000000-mapping.dmp

Download
memory/2000-107-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2000-68-0x0000000000000000-mapping.dmp

Download
memory/2000-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2000-106-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2016-171-0x0000000000000000-mapping.dmp

Download
memory/2016-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-234-0x0000000000000000-mapping.dmp

Download
memory/2040-151-0x0000000000000000-mapping.dmp

Download
memory/2040-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download